In-brief: It’s time to stop the ransomware shaming. The truth is that successful ransomware infections are children with many fathers – from lax security practices to vulnerable software. Update: added comment from Dodi Glenn of PC Pitstop. PFR 2/21/2015.
Hollywood Presbyterian Medical Center in Los Angeles acknowledged this week that it ended a days-long attack that locked hospital staff out of critical systems by paying 40 Bitcoin, worth approximately $17,000, to as-yet unknown and unidentified cyber criminals.
In a letter to staff on Wednesday, Allen Stefanek, the President & CEO of Presbyterian Medical Center, said that the payment was made to end a 10-day-long ransomware infection that had crippled many of the hospital's patient management and diagnostic systems, including its electronic medical record (or “EMR”) system.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek wrote. “In the best interest of restoring normal operations, we did this.”
The news brought swift expressions of dismay from the technology community, with not a little bit of ransomware ‘shaming’ sprinkled in.
Hospitals have not been “as diligent in combating cyber threats such as ransomware as other sectors,” experts were quoted saying in this Associated Press article, with one expert saying that hospitals are “about 10 to 15 years behind the banking industry” in combatting cyber threats.
Also typical were articles like this one, at the Bitcoin news site newsbtc.com, that made the case that paying the ransom should never be necessary. Rather: falling victim to ransomware was evidence of a kind of technological turpitude.
“It is no secret how ransomware attacks will only occur due to a mistake by the end user,” the article reads.
The sad truth is that ransomware victims, not their attackers, are often the first to be blamed for attacks. Victims lacked adequate endpoint protection software, failed to train their users not to click on suspicious links in e-mail or social media messages, failed to implement an effective and comprehensive data backup plan, or all three.
The same was true back in October, when this publication reported on a speech by Joseph Bonavolonta, the Assistant Special Agent in Charge of the FBI’s CYBER and Counterintelligence Program in the Bureau’s Boston office. Noting the impossibility of breaking strong encryption used by ransomware products and the difficulty of otherwise subverting the malicious software, Bonavolonta said that the Bureau often advises companies to “just to pay the ransom” if they want their data back.
The reaction online was disbelief and, in some cases, condemnation. An extensive discussion sprang from the article on the IT professional site Spiceworks that continues to this day, with most users critical of the FBI for “giving in to terrorism” (their term, not mine). Commenters were especially critical of the victimized organizations. A recent comment by a user AaronKent on February 19 sums up the opinions of many Spiceworks commenters:
if (sp) you get hit by ransom-ware, it’s your fault.
If you cannot recover from ransom-ware, it’s your fault.
pay the fine and learn from your mistake.
if you get hit a second time?
stop touching keyboards.
Is that fair? In some cases, yes. But it is my opinion that it is time for the ransomware shaming to stop.
The fact is that successful ransomware infections have many fathers. Many of the factors that contribute directly to ransomware infections are beyond the ability of organizations to control.
For example, a study by the firm BitDefender in 2015 found that drive-by download installs via compromised web sites or malvertising are among the most common attack vectors for ransomware. Attackers use sophisticated exploit kits, such as Angler, to manage such campaigns: minutely profiling web site visitors to deliver the right attack for the right computer configuration – or no attack at all.
With such sophisticated targeting, in other words, ransomware victims may have done nothing more than visit the right website at the wrong time.
Any organization shaming a ransomware victim might consider whether it had been the victim of a non-crypto malware attack in the last 12 months and then consider how they would have fared if the deliverable had been the latest version of cryptolocker instead of a data stealing Trojan, botnet software or something else.
Consider also that organizations like hospitals are also under considerable pressure to comply with rules like the U.S. Federal health privacy law (HIPAA), which erect high barriers around patient data, but say nothing about endpoint protections or best practices to defeat malware.
True: there are simple steps that organizations can take to limit the spread of ransomware, even if they can’t stop infections. Regular daily (or semi-daily) backups of critical systems to air-gapped or cloud-based systems can make recovering from a ransomware infection as simple as restoring an earlier version of the infected system.
Dodi Glenn, the Vice President of Cyber Security at the firm PC Pitstop, and a board member of the Anti-Malware Testing Standards Organization (AMTSO), said that storage costs are so low that there is “really no excuse” for organizations not to take advantage of both on-network and off-site (cloud-based) backup for critical systems.
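The backup advice above has one catch worth seeing in code: a single mirror that is refreshed every night will faithfully copy encrypted files over the good ones. The following Python script is an added example, not code from the article, from PC Pitstop or from any hospital; it keeps dated, versioned snapshots with a SHA-256 manifest, flags a snapshot in which more than half the files changed since the previous one, and restores from the last snapshot before that jump. The directory layout, the snapshot labels and the sample “patient record” files are all constructed for this illustration, and the mass overwrite that stands in for the infection simply replaces file contents with random bytes.

```python
"""Versioned backups with a mass-change check (added example, not from the article)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional


def file_digest(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map of relative file path -> digest for every file under root."""
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def take_snapshot(source: Path, backup_root: Path, label: str) -> Path:
    """Copy source into backup_root/<label>/data and store its manifest beside it."""
    dest = backup_root / label
    shutil.copytree(source, dest / "data")
    (dest / "manifest.json").write_text(
        json.dumps(build_manifest(source), indent=2, sort_keys=True))
    return dest


def changed_fraction(prev: Dict[str, str], cur: Dict[str, str]) -> float:
    """Share of files in prev whose content differs (or is missing) in cur."""
    if not prev:
        return 0.0
    changed = sum(1 for name, digest in prev.items() if cur.get(name) != digest)
    return changed / len(prev)


def latest_clean_snapshot(backup_root: Path, threshold: float = 0.5) -> Optional[Path]:
    """Walk snapshots oldest to newest; stop at the first one where the change
    fraction versus its predecessor reaches the threshold. The snapshot just
    before that jump is the restore point (constructed heuristic, not a product)."""
    snaps = sorted(p for p in backup_root.iterdir() if p.is_dir())
    clean, prev = None, {}
    for snap in snaps:
        manifest = json.loads((snap / "manifest.json").read_text())
        if changed_fraction(prev, manifest) >= threshold:
            break  # mass rewrite between two snapshots: keep the earlier one
        clean, prev = snap, manifest
    return clean


def restore(snapshot: Path, target: Path) -> None:
    """Replace target with the data captured in the chosen snapshot."""
    if target.exists():
        shutil.rmtree(target)
    shutil.copytree(snapshot / "data", target)


def demo() -> dict:
    """Three nightly snapshots; the third captures a mass overwrite of every file."""
    work = Path(tempfile.mkdtemp())
    source, backups, restored = work / "source", work / "backups", work / "restored"
    source.mkdir()
    backups.mkdir()
    for i in range(10):  # constructed sample records
        (source / f"record{i}.txt").write_text(f"patient record {i}\n")
    take_snapshot(source, backups, "2016-02-01")
    (source / "record3.txt").write_text("patient record 3 (updated)\n")  # a normal edit
    take_snapshot(source, backups, "2016-02-02")
    for p in source.iterdir():  # simulated corruption: every file overwritten
        p.write_bytes(os.urandom(32))
    take_snapshot(source, backups, "2016-02-03")  # the backup job copies the damage
    clean = latest_clean_snapshot(backups)
    restore(clean, restored)
    expected = json.loads((clean / "manifest.json").read_text())
    return {"restore_point": clean.name, "files": len(expected),
            "intact": build_manifest(restored) == expected}


if __name__ == "__main__":
    print(demo())
```

The threshold is deliberately crude; in practice the trigger for holding a snapshot would come from the backup product's own change statistics or from file-type and entropy checks, and old snapshots would be retained on storage the production credentials cannot delete from, which is the property an air gap or an object-lock bucket gives you.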
More important: limiting the access permissions of your users and pruning unnecessary permission grants to other network systems and file shares can keep ransomware infections from spreading on your network.
But, in the end, a chain is only as strong as its weakest link, and even temporary lapses in an otherwise sound IT policy could spell disaster in the event of a ransomware infection.
Then there’s the matter of paying. The fact is that ransoms demanded by cyber criminals behind cryptolocker and other malware are usually modest. This isn’t because the cyber criminals don’t know they have IT departments by the short hairs. It’s because they have a business model that’s built on high volume, low value transactions. With so many victims, the path to riches is not to hold out for a giant reward, but to help them complete their transaction as quickly as possible and move on to the next mark. Some ransomware operations even offer chat based support for victims to facilitate rapid payment. That’s no accident. Recent stories such as this one suggest that the biggest obstacle to resolving infections, for victim organizations, is figuring out how to safely complete a Bitcoin transaction.
For stricken organizations, the math behind paying the ransom is really pretty straightforward, as Presbyterian Medical’s CEO made clear in his letter. Yes: $17,000 is a lot to pay, but so is keeping an entire IT staff working overtime to try to break the ransomware. In fact: those overtime costs add up to a lot more than $17,000 – and fast.
Add to that the fact that many cyber insurance policies now reimburse clients for ransomware payouts, and the logic for just paying and moving on becomes ironclad.
In short, paying to end a ransomware attack is an admission of failure, it’s true. But it is also an eminently sensible decision that could save your organization time and money. It’s time to stop the ransomware shaming and figure out a way to stop these attacks from happening altogether.
Still, paying the ransom is hardly the end of the story for stricken organizations. Glenn of PC Pitstop notes that falling victim to a ransomware attack is a huge signal to other would-be attackers that your organization is vulnerable, with weak information security practices and internal controls. Follow-on attacks are a real danger.
But anyone shaming a ransomware victim might consider whether her own network had been the victim of a non-crypto malware attack in the last 24 months, or whether a compromise might still lurk somewhere, quietly. Then consider how her own environment would have fared if the malicious deliverable had been late-model crypto ransomware like Locky instead of a data-stealing Trojan, spambot or some other, more innocuous threat.
Some thoughts to chew on!