Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture

Page created by Roger Lawson
 
CONTINUE READING
Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
Ransomware
response and
recovery
How to be more resilient in the face
of ransomware threats
Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
Why ransomware?                                                                           Today’s
          According to Christopher Krebs, former Director of the
          Cybersecurity and Infrastructure Security Agency (CISA),                                  top three
          “You’ve got to start with what really matters the most and
          then you work out from there. So, from that perspective,
          ransomware is the biggest threat.” 1
                                                                                                    challenges
          Impacts vary, but, in many cases,           Security leaders must understand and
          ransomware disrupts businesses for          counter new ransomware challenges,            #1
          significant periods—or even forces them     strengthen defenses across people,
          to suspend operations or close.             processes, and technology and
                                                      demonstrate why security is critical to the
          A growing population of highly capable      business strategy.
          cyber extortionists is developing a new
          means to counter defenses and increase      In short, security leaders need to help       #2
          the level of disruption they can inflict,   their organizations gain ransomware
          constantly. Threats are widespread; they    resilience—fast.
          extend across industry and the public/
          private sector, affecting large and small
          businesses alike.
                                                                                                    #3

                                                                                                                 2
Copyright © 2021 Accenture. All rights reserved.
Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
What does ransomware look like?
          Ransomware can create a crisis of systemic business risk and consumer trust

          Typical business impacts involve:             Hot topics

          •   Disruption to production, delivery, or    The top five ransomware variants based
              customer services                         on intrusion data derived from Accenture
                                                        Security Cyber Investigations & Forensic
          •   Loss of sensitive commercial data, or     Response (CIFR) engagements: 2
              protected information
                                                        Top five 2020          Top five first quarter 2021
          •   Direct costs of remediation, recovery,
              or potential ransom payment               1. Maze                1. DoppelPaymer

          •   Costs associated with litigation, often   2. Sodinokibi          2. Sodinokibi
              class-action lawsuits
                                                        3. Ryuk                3. Hades
          •   Legal and regulatory sanctions
                                                        4. Netwalker           4. Ryuk
          •   Reputational damage
                                                        5. DoppelPaymer        5. Conti

Copyright © 2021 Accenture. All rights reserved.                                                             3
Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
Challenge #1

          Successful ransomware
          extortionists are ramping
          up attacks
          Established ransomware operators are          To plan for resilience, organizations should
          upping their game as they continue to         focus on the business and operational
          focus on new monetization opportunities       risks presented by the threat across
          and see no limits to the potential profits.   their unique value chain—and prioritize
                                                        planning and defense efforts accordingly.
          At the same time, the barrier to entry is
          low; ransomware tools and supporting          The Accenture CIFR team observed a
          operations are readily available through      160% year-on-year increase in ransomware
          various markets and affiliate networks.       events in 2020—with little signs of any
                                                        slowdown in early 2021.3
          Alongside the opportunities presented
          by the pandemic, the population
          of extortionists is growing as new
          cybercriminals are drawn to the low-risk,
          high-reward operations.

                                                                                                       4
Copyright © 2021 Accenture. All rights reserved.
Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
Challenge #2

          Ransomware operators are
          constantly improving their
          ability to disrupt
          Cyber extortionists are incentivized to       Commodification of the skills and
          develop ever-more disruptive ways of          services required—ranging from
          working. The more disruption they can         initial access brokers and intrusion
          inflict, the larger the ransom they           specialists to ransomware-as-a-service
          can demand.                                   models with partners and affiliates and
                                                        specialist negotiator middle-men—is
          Operators keep innovating, first using        enabling and rewarding the development
          ransomware in a targeted way, against         of new, more disruptive techniques.
          key assets, then combining that with data
          leak extortion. Now, there are indications    In December 2020, extortionists targeted
          that certain operators are increasing         one of the world’s largest manufacturers,
          their ability to interfere with operational   claimed encryption of 1,200 servers,
          technology (OT) processes and refining        realized the theft of 100GB of data,
          other means to pressure payment,              deleted 20 to 30TB of backups and
          including layering distributed denial-of-     demanded a $34M ransom.4
          service attacks with encryption and
          data leakage.                                 One variant has stepped up its
                                                        confrontational approach, delivering its
                                                        ransomware notes through a retailer’s
                                                        receipt printer.

                                                                                                    5
Copyright © 2021 Accenture. All rights reserved.
Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
Challenge #3

          Business growth and service
          strategies lack resilience
          Downtime from ransomware is still           Ransom demands are growing and
          growing. According to Coveware, firms       becoming more customized—with threat
          experienced on average 23 days of           actors assessing who is more likely to
          downtime in the first quarter of 2021, up   pay. If ransoms are paid, it can open
          from 21 days in the fourth quarter of       the door to further criminality. Also,
          2020. Downtime ranged from standstill       some ransomware operators have been
          to minor non-availability.5                 sanctioned, potentially placing a ransom-
                                                      paying victim in further legal jeopardy.
          Encryption can deny access and
          interrupt basic and vital resources,        The Accenture CIFR team observed
          including internal and customer             ransom demands ranging from
          communications and platforms, as well       US$100,000 to US$50M in 2020.6
          as operational or production systems.
          Long periods of downtime can affect         In August 2020, a leading foreign
          tens of millions of people. The theft and   exchange firm went into administration to
          publication of data give attackers new      lose more than 1,300 jobs. Administrators
          extortion opportunities—such as the         stated that a ransomware attack had
          risk of regulatory sanctions if protected   caused a month of disruption and at times
          information is made available online.       staff could not use computers to keep
                                                      track of currency trading. The breach also
                                                      disrupted online travel money services for
                                                      leading global clients.7

                                                                                                   6
Copyright © 2021 Accenture. All rights reserved.
Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
Ransomware is evolving

          Established operators                    Ransomware operators                    New variants and enhanced                Organizations feel the
          extend reach and profits                 often move fast                         tactics challenge defenses               pressure of payment
          with new collaborations                                                                                                   strategies and regulatory
                                                                                                                                    demands
          A ransomware-as-a-service model          Often, operators have exfiltrated       Threats are going beyond IT to new       Aggressive operators are phoning
          has been transformative for              sensitive data and encrypted key        technologies and platforms—there         victims directly, sometimes
          extortionists. Owners of highly          assets within hours of an initial       are at least seven known variants with   combining denial-of-service attacks
          effective and widely disseminated        infection. Also, some companies are     features designed to target common       with encryption and publication
          malware strains, formerly known as       more commonly finding themselves        industrial environment processes.        tactics. The United States federal
          “banking trojans,” are working with      targeted twice in quick succession by   Criminals have the resources to          government has released an
          intrusion specialists to infect and      different actors.                       re-invest and innovate, regularly        advisory8 reminding CISOs that by
          extort the maximum number of                                                     designing new, more effective tools      financing terrorism or financing
          victims.                                                                         and techniques to increase their         banned organizations in the payment
                                                                                           operations’ efficacy.                    of a ransom, they are committing
                                                                                                                                    an offense. While in Europe, GDPR
                                                                                                                                    requires any potential breach to be
                                                                                                                                    reported to the regulator within 72
                                                                                                                                    hours—or face sanctions.

Copyright © 2021 Accenture. All rights reserved.                                                                                                                          7
Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
What can you do now?
          Operate under the assumption that you are already breached and focus on
          resilience across the end-to-end value chain

          Focus on                                 Prevent                          Know your                        Make it                           Prepare, prepare
          the basics                               and protect                      operations                       personal                          and prepare again

          Keep security hygiene up to              Increase confidence through      Model the threat against your    CISOs cannot go it alone.         Threats are agile and you
          standard; maintain controls              continuous validation and        operations and end-to-end        Collaborate and prepare           should be, too. Businesses
          and continue patching; ensure            testing of your defenses.        value chain.                     with Legal, Communications,       don’t evaluate their profit and
          visibility into and protection of                                                                          senior management and             loss or liquidity levels once a
          crown jewel data.                        Train and test employees         Understand how to backup         external service providers, so    year—security should be no
                                                   frequently.                      and restore critical data at     everyone knows how to work        different.
          Implement a holistic backup                                               speed and scale across the       together during an event.
          and recovery strategy with               Ensure adequate visibility and   business—strive for continuity                                     Use planning and validation as
          situational awareness of the             coverage across the attack       of operations.                   Conduct crisis management         an opportunity to constantly
          current threat landscape.                surface—use tooling, controls                                     and table-top exercises to test   measure and improve
                                                   and telemetry to enhance         Be clear on policies and         relationships.                    resilience or adjust your
          Ensure you have a crisis                 your defense posture across      procedures—the response                                            course over time.
          management and incident                  layered prevention, detection,   playbook is often the first      Meet regularly with
          response plan that’s in line             and agile response.              thing regulators and litigants   authorities, incident response    Pressure-test for when things
          with the current pandemic-                                                ask for after a breach.          partners and outside legal        go wrong.
          *Attributed to Sir Winston Churchill
          driven    operating environment.                                                                           counsel to bolster support.

Copyright © 2021 Accenture. All rights reserved.                                                                                                                                         8
Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
So, you’ve been hit—what’s next?
          “Never let a good crisis go to waste”9—after any ransomware attack,
          CISOs should reflect on improvements to ease the impact of future events

          1                                        2                               3                                 4                                5
          Trace                                    Collaborate                     Learn from                        Update risk                      Strengthen
          the attack                               and report                      the experience                    mitigation plans                 defense posture
          Use incident response,                   Work with legal counsel to      Quantify the financial and        Evaluate current inherent and    Get tactical: remediate identified
          forensic analysis and threat             ensure statutory obligations    reputational impacts and          residual risk measurements       vulnerabilities, update operating
          intelligence to identify how             are fulfilled by reporting an   identify metrics and resources    and work with the business       systems, deploy compensating
          the attack occurred and                  incident to the appropriate     to meet the C-suite’s             to identify any beyond           controls, refine weak processes,
          build a comprehensive                    authorities. Collaborate        expectations for cyber            acceptable levels. Apply an      harden the environment
          understanding of the intrusion           with industry partners,         resilience going forward. Talk    appropriate risk mitigation      (across network, endpoint,
          and measured impact. This is             consortiums and law             to the C-suite so that business   strategy that includes aspects   and identity), improve cyber
          critical during and after the            enforcement for greater         leaders can prioritize and        such as controls deployment      hygiene, enhance the efficacy of
          incident to inform defense               threat awareness.               oversee the measurement           or security transfer             threat detection and response
          posturing, comprehensive                                                 of cyber resilience, secure       mechanisms.                      operations, address weaknesses
          take-back planning in a                                                  funding for improvements                                           in recovery processes and
          domain compromise and                                                    and incorporate it into                                            drive the necessary behavioral
          safe recovery of business                                                business resilience plans.                                         changes required to strengthen
          operations.                                                                                                                                 cybersecurity defenses.

          *Attributed to Sir Winston Churchill

Copyright © 2021 Accenture. All rights reserved.                                                                                                                                           9
Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
Who’s doing what?
          An organization paid ransom twice              A Norwegian aluminum manufacturer
          following a failure of its antivirus           was forced to halt some production and
          protection measures. Once attackers            switch other units to manual operations
          had gained entry to its systems, they set      after hackers blocked its systems. Its post-
          about changing existing client security
          measures and controls to guarantee
                                                         response analysis showed that attackers
                                                         had been present in the network for three
                                                                                                        “The organization didn’t realize
          continued access. The organization didn’t
          realize how much of its network had been
                                                         months when somebody clicked on the
                                                         wrong e-mail. The forced shutdown cost
                                                                                                        much of its network had
          compromised and how sophisticated its
          attackers were.
                                                         the company US$52M.
                                                                                                        been compromised and how
          A medium-sized manufacturer was
                                                         An oil and gas company with a good
                                                         recovery plan, validated backups, and
                                                                                                        sophisticated its attackers were.”
          preparing to replace all its virus detection   a strong leadership team determined
          software. It was unaware that attackers        not to pay a ransom. When it was hit, it
          had infiltrated its network months prior       could get back up and running in less
          and it was monitoring the company e-mail       than one week. On the other hand, for a
          Web portal through a poorly protected          manufacturing customer who had not
          administrative account. When the               been validating its backups and had a
          attackers discovered a planned upgrade,        piecemeal recovery process, it took six
          hackers launched an attack the weekend         weeks to recover from an attack.
          before countermeasures were planned to
          be deployed.

                                                                                                                                             10
Copyright © 2021 Accenture. All rights reserved.
Ransomware incident
                                                   response trends
                                                   A look back at 2020 intrusion data10

                                                          Top industries impacted: Products11 (38%) Resources12 (33%),
                                                          Healthcare and State and Local Government (17%)

                                                               Initial ransom demands ranging from US$100K to US$50M

                                                                  Average operational downtime around 12 days

                                                                  Data extortion was incorporated in >60% of intrusions

                                                               Dwell times range from 2.5 hours to around six months13

                                                          Primary attack vectors: 1. Phishing, 2. Remote access,
                                                          3. Software vulnerability
Copyright © 2021 Accenture. All rights reserved.
                                                                                                                          11
Are you ready?
          Being resilient means robust processes, training and coordination across the business value chain
          Ask yourself:

               What                                How                                   Who
               • What are the most critical        • How often do you pressure-           • Who are your decision-
                 systems and data in your            test and exercise your plans?          makers during a crisis?
                 operations?
                                                   • How quickly could you               • Who is responsible for
               • What plans do you have in           respond to and recover from           negotiating or reviewing
                 place? (such as business            a ransomware threat?                  your extortion policy?
                 continuity, disaster
                 recovery)                         • How would you handle a full         • Who handles incident
                                                     domain compromise?                    response?
               • What is your media strategy
                 in the event of a crisis?

Copyright © 2021 Accenture. All rights reserved.
                                                                                                                      12
Contacts                                                                                 References
                                                                                                  1. Former US cyber chief calls for military to attack hackers, Financial Times, 2021,
                                                                                                     https://www.ft.com/content/27c09769-ceb5-46dd-824f-40b684d681ae

                                                                                                  2. Looking back to see the future: CIFR DeLorean—2021 edition, Accenture, 2021,
                                                                                                     https://www.accenture.com/us-en/blogs/cyber-defense/cifr-delorean-2021-edition

                                                                                                  3. Ibid

                                                                                                  4. Foxconn electronics giant hit by ransomware, $34 million ransom, Bleeping Computer, 2020,
                                                                                                     https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-
                                                                                                     34-million-ransom/

                                                                                                  5. Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound, Coveware, 2021,
                                                                                                     https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-
                                                                                                  exploits-abound

                                                                                                  6. Looking back to see the future: CIFR DeLorean—2021 edition, Accenture, 2021,
                                                                                                     https://www.accenture.com/us-en/blogs/cyber-defense/cifr-delorean-2021-edition

         Mark Raeburn                             Jacky Fox                  Ryan Leininger       7. Travelex falls into administration, with loss of 1,300 jobs, The Guardian, 2020,
                                                                                                     https://www.theguardian.com/business/2020/aug/06/travelex-falls-into-administration-
         Managing Director                        Managing Director          Senior Manager
                                                                                                     shedding-1300-jobs
         Cyber Defense                            United Kingdom & Ireland   Cyber Defense
         Accenture Security                       Accenture Security         Accenture Security   8. Department of the Treasury, 2020,
                                                                                                     https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf

                                                                                                  9. Attributed to Sir Winston Churchill

                                                                                                  10. CIFR observations

                                                                                                  11. Products industries include: Automotive, Airline, Consumer Goods & Services, Hotels, Industrial
                                                                                                      Equipment, Life Sciences, Retail

                                                                                                  12. Resources industries include: Energy (Oil & Gas), Chemicals, Metals/Mining, Utilities

                                                                                                  13. Dwell time is the amount of time the threat actor is active in the victim organization’s network—from
                                                                                                      first evidence of compromise through detection (or impact)

opyright © 2021 Accenture. All rights reserved.                                                                                                                                                         13
Appendix
          Top ransomware variants observed by Accenture Security’s CIFR team:

          •   Conti: First observed by cybersecurity teams in May 2020, it involves double extortion that that puts information and reputation
              at risk. It not only encrypts files on the infected host but also spreads to encrypt files on different hosts, potentially compromising
              the entire network.

          •   DoppelPaymer: A newer variant associated with the well-established Dridex Gang, whose leader was sanctioned and linked to
              Russia’s Federal Security Service (FSB) by the United States Justice Department in December 2019.

          •   Hades: A ransomware campaign that has been ongoing since at least December 2020, Hades ransom notes share portions with
              the one used by the REvil ransomware operators; there is no evidence to suggest the threat groups or operations have any overlap.

          •   Maze: Maze operations changed the game by being the first cartel to pioneer the double extortion approach. It reportedly shut
              down in Q4 2020 (see https://techcrunch.com/2020/11/02/maze-ransomware-group-shutting-down/)

          •   Netwalker: Made a name for itself with a string of healthcare compromises but was interrupted by law enforcement
              interdiction that occurred in January 2021. Its operations were recently disrupted by international law enforcement agencies
              (see https://www.zdnet.com/article/us-and-bulgarian-authorities-dirsupt-netwalker-ransomware-operation/)

          •   Ryuk: Known for being prolific and aggressive. It benefits from strong working links with the effective and widely disseminated
              downloader malware, TrickBot and Emotet and conducted multiple high-impact compromises against United States hospitals
              in late 2020.

          For more, visit Looking back to see the future: CIFR DeLorean—2021 edition

Copyright © 2021 Accenture. All rights reserved.                                                                                                        14
About Accenture                                                                                 About Accenture Security
Accenture is a global professional services company with leading                                Accenture Security is a leading provider of end-to-end cybersecurity
capabilities in digital, cloud and security. Combining unmatched                                services, including advanced cyber defense, applied cybersecurity
experience and specialized skills across more than 40 industries, we                            solutions and managed security operations. We bring security
offer Strategy and Consulting, Interactive, Technology and Operations                           innovation, coupled with global scale and a worldwide delivery
services—all powered by the world’s largest network of Advanced                                 capability through our network of Advanced Technology and Intelligent
Technology and Intelligent Operations centers. Our 537,000 people                               Operations centers. Helped by our team of highly skilled professionals,
deliver on the promise of technology and human ingenuity every day,                             we enable clients to innovate safely, build cyber resilience and grow with
serving clients in more than 120 countries. We embrace the power of                             confidence. Follow us @AccentureSecure on Twitter or visit us at
change to create value and shared success for our clients, people,                              www.accenture.com/security
shareholders, partners, and communities.
Visit us at www.accenture.com

                                                                        DISCLAIMER: This document is intended for general informational purposes only and does not take into account the reader’s specific
                                                                        circumstances and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any
                                                                        and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such
Copyright © 2021 Accenture All rights reserved.                         information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own
Accenture, its logo, and New Applied Now are trademarks of Accenture.   legal counsel or other licensed professionals.
                                                                                                                                                                                                                            15
You can also read