Part 2: A Fictional Integrator, a Cyberattack and Next Steps

ransomware cyberattack

When we last saw our intrepid integrator, they were working through some hard choices. Their company had fallen victim to a ransomware attack. They were locked out of all of their files, and the attackers were threatening to put all of their sensitive information on the internet if they didn’t pay a hefty ransom.

What to do, what to do?

The first thing Joe (our fictional owner) did was to call their insurance company. He was pretty sure that his insurance would cover attacks like the one they’d just suffered. If that was the case, he could bring them in and they’d know how to get things sorted out.

No love.

As ransomware attacks have become more and more common, insurance coverage for them has become increasingly more expensive. Cyberattack coverage now requires its own separate insurance, usually referred to as cybersecurity insurance or cyber liability insurance. This insurance costs a pretty penny, so some businesses elect for cheaper plans. Unfortunately, these plans have limited coverage. Joe learned the hard way that he’d been paying for an insurance plan that wasn’t going to cover anything.

If you’re counting on insurance to cover you in the event of a cyberattack, please read the fine print on your coverage carefully. I am not a lawyer or an insurance agent. If you’re not sure what you’re reading, please seek out expert advice.

When speaking with your insurance agent, you should ask about what kinds of attacks are covered by your plan. What happens if an employee is blackmailed or paid to steal sensitive information? What happens if an employee falls for a phishing attack? What is the yearly maximum coverage? How high is your deductible?

When in doubt, remember this: If your plan seems a little too affordable, it’s probably the insurance equivalent of vaporware.

Joe sat down with his leadership team and began asking difficult questions about how the company should move forward. Tensions were high, and the conversation quickly devolved. How to respond to a cyberattack is a divisive subject. Many cybersecurity experts recommend not paying ransom demands — it incentivizes the hackers to keep up their attacks. Without the promise of a big payday, there’s no reason to initiate cyberattacks. But, many businesses don’t have the luxury of losing their data. And, as we learned from our last episode, many businesses have sensitive data that can be exploited if they don’t pay, furthering their liability.

After some discussion, Joe decided to bring in an outside firm to help navigate the crisis. Ransomware recovery consultants are expensive, but Joe knew that his company was in over its head. The first thing the consultants asked was, “where are your data backups?”

Backups? Joe looked over at his IT director. He shook his head. They had a patchwork of backup systems, but most of them lived on their local network and had already been encrypted by the hackers. They might be able to string together some of their more important files, but they wouldn’t have everything. It could take weeks to find all of their available files, and even then they might not know what was missing until a customer called for service work.

Backups weren’t going to save them.

The next question the consultants asked was about sensitive data. What might the hackers have downloaded for their own nefarious uses? Which clients might start feeling litigious if they got wind of the company’s predicament? Just how careful had they been with sensitive data?

Human Resources looked sheepish. All of their employees’ paperwork was stored in plain text on a company server. If the hackers did a data dump, social security numbers and banking information were likely to be included. Operations piled on … their files included several sensitive floor plans and schematics. Much of this data was covered by NDAs. Their clients and business partners were not going to be happy if any of this got released.

The hackers were demanding a seven-figure ransom. The company could pay it, but it would deplete its cash reserves. The payout was going to cripple its finances. They were now facing severe budget cuts, with the very real possibility of layoffs. But what choice did they have? Losing their data was likely to cripple the company.

The ransomware recovery consultants reached out to the hackers. They were ready to pay.

The consultants were able to negotiate a small discount for prompt payment. They handled the logistics of purchasing a crypto-currency and then transferring it to the hackers’ digital wallet. They spent the rest of the week and the entire weekend running decryption software on company files, rebuilding servers and fixing hiccups along the way. After they finished their work, they handed Joe a hefty bill and the business card of a trusted provider of outsourced IT resources.

They also created a report of recommendations for how to avoid another attack.

  1. Competent IT help. Joe’s IT director was a nice guy and a hard worker, but he was still doing things the same way he’d learned it 10 years ago. The consultants recommended a heavy dose of training. They also recommended the use of outsourced networking and security resources. Internal IT could still be an excellent resource for setting up devices, password resets, fixing software glitches, etc. But, an outside provider should be delegated the work on servers, firewalls, etc.
  2. Patch, patch, patch. Many AV companies fall victim to the “if it ain’t broke, don’t fix it” mentality. They remember how a firmware update bricked a big install and so they turn off automatic updates. The hackers were “kind” enough to tell the consultants that they’d gotten into the network through an unpatched email server. From now on, everything needed to be kept up to date in order to prevent future intrusions.
  3. Enable Multifactor Authentication (MFA) on literally everything. MFA requires the use of an authenticator device (usually an app on your phone) that is used to allow or deny logins to your systems. MFA isn’t a silver bullet, but it is a fantastic deterrent against hackers who are looking for easy access.
  4. Use strong antivirus (AV) software that is hard to disable. Joe’s company had AV software installed on its servers, but the hackers shut it off and disabled alerts. Your AV software should require authentication and MFA in order to be disabled or uninstalled.
  5. Upgrade your backup solutions! There are real-life stories of companies that were hacked, given a ransom demand, told the hackers to pound sound and then restored everything from backups. All information should be backed up in more than one format, and at least one of your backup solutions should be off-site. Back when I worked in IT (and dinosaurs roamed the earth), this meant backing up to tape drives and storing the drives somewhere safe. Nowadays, the kids use cloud services and don’t have to worry about whose turn it is to take the tapes home with them.
  6. And don’t forget to test your backups! You want to find out that something wasn’t set up correctly before there’s a problem.
  7. Use a respected Endpoint Detection and Response (EDR) solution. What the heck is an EDR? It’s a piece of software that monitors all of your devices and then alerts you if it detects a problem. A bunch of logins from Russia? That’s an alert. Someone attempting to disable all of your AV software (but they can’t, because you password protected it… right)? That’s an alert. As we learned in our last episode, our hackers spent weeks poking around Joe’s network. A modern EDR would have detected the intrusion before they had a chance to do any serious damage.

Keeping your company protected from cyberattacks takes some small measure of determination and a willingness to pay for the appropriate resources. It can be daunting to change the way you handle daily business. But, the good news is that even small changes can make a difference. In the event of a zombie apocalypse, you don’t have to be the fastest runner to survive. You just have to be faster than the slowest runners. Implement basic security protocols and would-be attackers will move on to more tempting targets.

Right now, many of the companies in our industry are the slowest runners out there. But, if we all work together to prioritize our attitudes towards security, we can make ourselves much less tempting targets.

Be well and be safe.