Compliance Unfiltered is TCT’s tell-it-like-it-is podcast, dedicated to making compliance suck less. It’s a fresh, raw, uncut alternative for anyone who needs honest, reliable compliance expertise with a sprinkling of personality.
Show Notes: How to Prepare for a Ransomware Attack
Quick Take
On this episode of Compliance Unfiltered, Adam jumps to the rescue of potential ransomware victims by giving you a full breakdown of the present-day landscape of ransomware. What should you look for, and just how bad can it get for an organization?
Adam also brings some real-life ransomware horror stories to the table, and shares some different methods that organizations can use to prepare for a ransomware attack.
All this and more on this episode of Compliance Unfiltered.
Remember to follow us on LinkedIn and Twitter!
So let’s face it, managing compliance sucks. It’s complicated, it’s so hard to keep organized, and it requires a ton of expertise in order to survive the entire process. Welcome to Compliance Unfiltered, a podcast dedicated to making compliance suck less.
Now, here’s your host, Todd Coshow, with Adam Goslin.
Well, welcome in to another edition of Compliance Unfiltered. I’m Todd Coshow, alongside the cleanup hitter in your compliance lineup, Mr. Adam Goslin. How the heck are you?
I’m doing good, Todd. How about yourself?
Man, I can’t complain at all whatsoever, but today we’re going to talk about protecting yourself against the ever-present threat that is ransomware.
So set the present-day landscape surrounding ransomware, because it’s not the same as it used to be, where we just had to worry about the Nigerian royalty out there, right?
Well, I mean, if you think about it, every year that goes by, you’re kind of getting a greater and greater risk of being subject to a ransomware attack, and really a greater risk of increased damages. The financial impacts of ransomware these days are increasing, because they’ve found new and more awesome ways to produce better and longer-lasting results in their favor. So as an example, lately they’ve been doing what they call double extortion. In double extortion, not only do the organizations pay to get their machines back, but then they pay a second ransom for any of the data that the attackers happen to have gotten hold of. So as technology increases, the attackers are finding new ways to avoid detection and getting a little more innovative in the process. Just a couple of weeks ago, there was a competition where they put together a bunch of white hat hackers to have them attempt to find vulnerabilities in various systems.
Yeah, I read about that.
In one single day, this group was able to discover 12 different zero-day vulnerabilities that had never been previously known by the good guys, if you will. So you can just sit and imagine how many vulnerabilities are getting identified by a group of directed attackers that are attempting to find holes and vulnerabilities in systems to be able to inject ransomware.
Now, I know that they’re not all created equal, but just how bad is a ransomware attack?
Well, the purpose of the ransomware attack is to make the target device inaccessible, you know, for the organization that got hit, and yet leave it accessible for the bad guys. And to recover access, the organization usually needs to pay a hefty ransom. You know, if you’re lucky, the attackers locked you out of your printer or a single laptop or something.
And so, you know, hey, worst case scenario, you go and replace the device and take the hit. But, you know, the more common scenario really is at the other end of the spectrum, where, you know, attackers are encrypting your web server. They’re, you know, locking down your file server, you know, where all of the company’s files are being held. You know, they get ahold of the database server that’s behind the web server, you know, and, you know, one of the primary conduits for running your business is now at a standstill, you know, and the worst part is that the attackers still have access to, you know, everything on the encrypted device. So, you know, any sensitive data that’s, you know, on whatever got targeted is now susceptible to exposure. So, you know, for organizations that, you know, that haven’t done their preparation in advance, they’ve got limited options. You know, most likely you’re needing to pay the ransom and possibly needing to make a public announcement that you’ve been breached. And, you know, unfortunately this particular solution, finger air quotes, you know, that’s gonna have some long-term and devastating impacts on the business.
You know, every time a current client is seeing your name in lights on Google, or worse yet, when your sales folks are talking to new prospects and they’re seeing your name in lights on Google, now you’re having to explain, well, why should they trust you, even though you’ve kind of gotten the scarlet letter, if you will.
Now, do you have any real-world examples of ransomware out there?
Yeah, unfortunately. Well, thankfully… oh my gosh, I’ll find wood to knock on here. Thankfully, nobody that I’ve been directly working with, but I’ve gotten a lot of organizations that have kind of connected with me because they’re trying to dig their way out, if you will. I’ve seen it happen firsthand. One organization had a ransomware attack. It spread across their workplace; it encrypted everything in their office, like everything. It was going machine to machine to machine, locking up one device and then moving on to the next one, that type of thing, and basically it ended up dragging that company to an absolute halt for days while they were trying to figure out how to dig out of it and put everything back together again. There was another organization that got ransomware in the production environment, and even their code repository server got hacked; their backups that were connected to their production devices were hit. So not only did their primary production machines get hit with ransomware, but all of their backups that would allow them to do recovery, etc., those were dead in the water, type of deal. So they didn’t have any way to be able to recover, and they were out for weeks on end.
You know, the bad part is that the financial impacts on these organizations are huge. You know, they’re paying people that can’t work, they are losing business every day, they’re shut down, they, you know, and take the bat to the face over the reputation head, you know, when they, you know, had to start explaining themselves. So, you know, all of this, you know, like we were just talking about earlier, you know, has really long-term impacts on the organization. They don’t go away, you know, just because, oh, hey, poof, we got everything, phew, we got everything fixed. You know, the reality is, is that a single ransomware attack, ultimately it can be the, you know, kind of the causal effect for an organization just going out of business.
So, what are some of the different methods for an organization to prepare for ransomware attack? Well, before we even get into that, I want to be amazingly clear. And this section is probably the most important part of this particular conversation by far. But if you are a victim of a ransomware attack, then the only thing that’s going to give you a chance is if you’re prepared. And if you haven’t done any preparation and you’ve got a ransomware attack, now you’re going to be in big trouble. So, you know, certainly I want to take a walk through, you know, some of the different steps to help an organization kind of get ready for surviving a ransomware attack.
You know, so first off, thinking through various scenarios, think through all of the different implications and possibilities. It’s kind of like a big what-if game. What if you’ve got remote workers and the attack is spreading across remote worker devices? What if it’s going through your office and your corporate servers are getting encrypted? What happens if the ransomware attackers gain access to your production environment? You don’t want to have an event only then to figure out, oh, geez, we didn’t think about that. So it really forces organizations to take a different type of look at their environment, playing that what-if game, identifying all of the various scenarios, assets, systems, not only your own, but also think about what happens if one of your key vendors were to be ransomware attacked and their systems or their services are now no longer at your disposal. So it really takes kind of a different view of, hey, let’s look at what we’ve got here and figure it out from there. From that point in the game, getting a game plan together. Play the scenario games. And every step of the way, what’s the first thing that you’re going to do? What’s the next thing that you do? What do you do after that, as ransomware is going and hitting any of these critical arenas or critical areas? So there are various questions that you can ask depending on what the what-if scenario is. But do you have backups of your local machines? Do you have backups of your local and cloud servers? Do you have ready access to spare devices that you could send to those remote workers? Is your backup location connected directly to your primary location? So are you running the risk that your backup’s going to get encrypted as well as the primary production systems?
So that’s really where your disaster recovery and business continuity plans start to take center stage. How often are you backing this stuff up? Is it valid to within a day, or is it valid to within the last 15 minutes, that type of thing? So you’ve got what’s called a recovery point objective, which is kind of how recent the data or the information on that particular backup or disaster recovery system is. Your recovery point ideally is going to vary from business to business. It’s going to vary based on the circumstances that you’re dealing with. Do you really need to go and get backups of the local remote laptops, as an example, to that extent? Probably not. Whereas a transactional database server that is constantly having change, oftentimes from external sources, you definitely want to be a lot more real time. So you’ve also got another consideration, which is how long is it gonna take to get it back?
If you go down this path, that’s otherwise referred to as your recovery time objective. The recovery point objective is often shortened to RPO, and the recovery time objective is often shortened to RTO. So again, the amount of time that you can withstand as an organization is going to depend on the relative criticality of the systems that are in place. So you may have different sets of RPOs and RTOs depending on what the various needs of the organization are. And the third realm here, and this is an important one, is actually testing and validating that what you think is working is actually working. This is something that’s hilarious, not a hilarious reality, but it’s just laughable that you go through all of this work and all this effort and all this time to set the structure up, to where I’ve got my recovery point objectives, I’ve got my recovery time objectives, put all this thought in, da, da, da, but then you don’t validate to make sure that, oh, I don’t know, you could actually bring a system back. You’d be shocked how many times I’ve had organizations that never bothered to make sure that the backups were reinstatable, that their disaster recovery system would actually bring the system back online, that type of thing. So in some cases, the backups were, finger air quotes, running, but they weren’t producing valid backups for some strange reason. The backups were failing, but nobody knew about it. So it’s another critical element to go through and do testing, both thoroughly and periodically as you go through the year, because things change, right? In any organization, they’re going to add new assets, they’re gonna remove assets, they’re gonna shift an asset from here to there, etc.
So you wanna have a continuous eye to making sure that as you are deploying new systems or new vendors or whatever, you’re kind of folding those in as part of the deployment process, folding them into your backup and your disaster recovery, and then doing periodic validations through the year. You know, so many times it’s real helpful for an organization because a lot of times the people that are doing this day by day, they’re just so close to it that they make assumptions, and often bad assumptions. So it is helpful for organizations to get a third party in to kind of put the organization through the wringer, look over your game plans, and do some poking and prodding at what you’ve got together, so you can make sure that you’ve got a good recovery plan in play.
TCT certainly can recommend a number of different service providers that we know and trust to give organizations a hand with it if that’s something that they would like assistance with.
Sure. Now, what we’ve talked about up until this point in time, Adam, has been focused on the things that you do to prevent, things that you can do to educate yourself, but let’s talk about what happens when you actually get attacked here. So what should organizations do that are attacked with ransomware?
Well, even if you’re thoroughly prepared, you can still get hit with a ransomware attack. We talked earlier about zero days, etc. So you’ve done all the legwork to allow yourself to recover, but you can still get hit with a ransomware attack. But the chances of suffering minimal damage or minimal interruptions, if you will, are greatly improved by doing the legwork in advance. So if you do get attacked, there are several different scenarios that could play out. You could recover everything from a backup and not need to pay a ransom. If it’s a limited attack and easy to recreate, you could go in and recreate everything from scratch and not pay the ransom. One of the areas where I’ve seen that, as an example, is let’s say that the organization has a web server that happened to get attacked. Well, they can go back to their code repository, redeploy the last known good code to a brand new system, and basically rebuild that web server, and do so fairly quickly. So it just depends on what got hit and the circumstances of the organization. The last option, the least appealing of the options, is that you have to end up paying the ransom and just hope that it doesn’t happen again. The options really will depend on how much prep an organization has done in advance.
So anytime that you’ve got any form of a security-related event, bringing in your legal counsel, someone that’s familiar with the IT and cybersecurity arena, that’s an important element. You don’t want, whatever, a friend of the family that’s done the business contracts for the last 25 years and doesn’t have any clue about cybersecurity; that’s probably not the one that you want to bring in when you’re going through some type of a data breach or ransomware event. So try to make sure that you’ve done that vetting in advance; that certainly is going to be a good model to follow, but having them there in lockstep with you so that they can assist with direction is going to be good. If you’ve prepared ahead of time, then the good news is that it’s not going to be the end of the world. You’re pulling out your disaster recovery and business continuity plans and running through all of your various steps toward recovery. If you’ve implemented a periodic testing procedure to bring things back to life, etc., well, then the team effectively already knows the steps. They’ve already gone through them. They’ve already vetted and proved it out. Now it’s just a matter of time, of going and executing. So that’s really where that investment comes into play. Whenever you’ve got something like a ransomware attack, part of your disaster recovery should include bringing in some type of a vetted forensics company that can help you to discover what happened, how it happened, the full impact, what data has been accessed, etc. So while you’re trying to figure out what all occurred, you’re also trying to get the business back online, get your arms around what all happened, potential ripple impacts, and do all the due diligence to figure out security impacts for the organization, the customers, and any vendors or partners. You know, if you didn’t adequately prepare, then you need to act fast. Seconds are going, literally, seconds are going to count.
The faster that you’re bringing somebody in, the faster that you are starting to get things addressed, the faster you can stop the spread of that attack.
You know, the very first steps are to get hold of legal, insurance, and the forensics company that can help with both discovery and recovery. And what happens next will vary, depending on the organization and the situation. The forensics company can guide you through the analysis and lead you through the process in combination with your legal and insurance groups. But you’re gonna need guidance from security experts and legal experts; work with them to determine the right approach for recovery from the attack. Unfortunately, to get your business back, you may very well need to pay the ransom, especially if you haven’t done the prep work in advance. But even if you’re well prepared, there’s no guarantee that you can avoid the ransom 100% of the time, but your chances certainly go away if you’re going down that path.
All right, Adam, before we get out of here, parting shots and thoughts for the folks this week.
Well, here’s the problem with ransomware: a lot of people will put their head in the sand, plug their ears, la, la, la, la, la. Oh, it’ll never happen to me, and all that fun stuff. But it’s not something that you can do that with. If you prepare ahead of time, you can usually mitigate the damage to the company, avoid paying the ransom, and kind of keep your business alive. Back to some of the things I was saying earlier, really what it comes down to is putting all that thought into how you go about navigating the waters, making sure that you’re keeping up with devices that you’re removing from your environment, vendors that you bring in to provision services for the environment, and staying up on the changes throughout time, as well as testing. Do those things. They’re really, really important. The worst thing on earth is when somebody’s gone in, they’ve done the hard work, which is getting to the point where they know what they need to go do, but then they don’t keep up with it. They don’t keep the people trained, don’t keep their inventory up to date, and things along those lines, and then plan on a problem. So be proactive; stay up on it. Certainly, TCT from its start has been an organization that is more interested in proactively assisting organizations with improving their stance from a security and compliance perspective, so certainly, if anybody is kind of wondering how to get their program started, how to start heading down that path, by all means reach out to the crew at TCT. We’d be happy to point you in the right direction.
Excellent news, and that right there, that’s the good stuff. Well, that’s all the time we have for this episode of Compliance Unfiltered. I’m Todd Coshow.
And I’m Adam Goslin. Hope we helped to get you fired up to make your compliance suck less.