The tech support call came in at 7 a.m. on a summer morning in 2021. All the icons on the caller’s desktop had gone blank, he said. Nothing worked.
On the other end of the line, John Abercrombie knew immediately what had gone wrong. The director of tech support for a small commercial construction firm in Northern California instructed
the caller to unplug his computer immediately. A minute later, Abercrombie got another call from a branch office with the
“At that point I’m like, ‘We’re so screwed,’” he remembers now.
Abercrombie called to wake a technician who lived closer to company headquarters: “I don’t care if you’re in your PJs—get down there and start unplugging things!” he said.
By then, more than a hundred of the company’s servers and desktops had been infected with malware. The ransomware attack had not only locked up the company’s data, but it had also encrypted operating system files, rendering machines inoperable. And Abercrombie’s misery was only just beginning.
The next call he made was to his cyber insurance company, which recommended a lawyer. That attorney, in turn, engaged an incident response team that could help him clean up the mess, one machine
at a time.
It took about a week to get the company up and running again, in part because the attackers had been lurking inside the network for an unknown period of time and had manually deleted some of its online backups. In total, Abercrombie worked 15-hour days for a month to rebuild systems from scratch and bring the company back to normal.
In the end, his insurance company paid the ransom—an amount in the low six figures—and the company was able to decrypt the files the hackers had returned.
John Abercrombie is not the man’s real name. Some details of the attack have been changed to protect the identity of his company, lest it become a target for more attacks. But his story is common. More than 3,700 companies reported a ransomware attack to the FBI in 2021, according to a recent Senate Homeland Security and Governmental Affairs Committee report. That figure is almost certainly a significant undercount of actual attacks.
Ransomware remains a clear and present danger to small businesses and global enterprises alike. And if business leaders don’t have a detailed plan for responding to it, they could be in a world of hurt. Here’s what leaders need to do to activate their plan if they ever face an attack.
A familiar true-crime malware story
From Campbell Soup to Colonial Pipeline and from mom-and-pop shops to entire governments—no organization is immune from ransomware attacks. It’s a problem that has plagued organizations and individuals for decades.
At that point I’m like, ‘We’re
The first known instance of a ransomware attack occurred back in 1989. Malware known as the AIDS Trojan was delivered via an infected floppy disk and displayed a note demanding payment of between $189 and $378.
The problem is vastly bigger today. Verizon’s 2022 Data Breach Investigations Report found an alarming rise in increasingly sophisticated ransomware breaches. The 13% jump in attacks in 2021 was the greatest increase in five years. Organizations have paid out nearly $1.3 billion in cryptocurrencies to ransomware gangs since 2020, according to an Endpoint analysis of data from blockchain specialist Chainalysis. That’s about four times the total amount paid from 2016 to 2020.
In 2021, intelligence services, criminal gangs, and “hacktivists” in Russia were the recipients of as much as 74% of ransomware payouts from Western companies, or about $400 million worth of cryptocurrencies, reports Chainalysis. A June study from Microsoft found that Russia has targeted 128 organizations in 42 countries outside Ukraine since the war began, including governments, think tanks, humanitarian organizations, IT vendors, and critical infrastructure companies. Russian targeting has been successful 29% of the time. At least a quarter of these successful intrusions have stolen data.
The most effective response to attacks like these hasn’t changed much since ransomware first emerged. If you maintain up-to-date offline backups, you can wipe the infected machines, restore the data, and go on with your workday. You might lose a few hours’ worth of data, but that’s still better than paying a ransom, which may or may not result in your receiving the keys to decrypt the stolen data.
“Once your network has been compromised, having good offline backups is the best thing you can hope for,” notes Josh Bryant, senior director of technical account management for Tanium.
No easy fix to today’s ransomware epidemic
So why is ransomware still such an enormous problem?
One reason is that many organizations don’t do a good enough job of creating backups, notes Mike Meikle, a longtime security consultant who estimates he spends about 20% of his time addressing ransomware issues. In particular, organizations fail to adequately test to make sure their backups are reliable and contain all the most critical and up-to-date data needed for a business to recover.
The other big reason is that the ransomware industry has gotten more sophisticated. The rise of ransomware-as-a-service (RaaS) makes it easier for less-skilled adversaries to launch attacks. Why spend time and money developing your own malware when you can just rent someone else’s? Many attackers work with initial access brokers—other hackers who gain access to networks and sell those back doors to the gangs, making the job even easier.
The gangs have recently become more selective in their targets, focusing more on deep-pocketed organizations than small businesses. The average ransomware payout increased from around $25,000 in 2019 to nearly $120,000 in 2021, according to Chainalysis. Attackers are spending more time lurking inside a company’s network—moving laterally, probing for vulnerabilities, and exfiltrating sensitive data.
They’ve also adopted a secondary business model: extortion. According to cyber-risk management firm Kroll, nearly eight out of 10 ransomware attacks in the first half of 2021 included a threat to release the stolen data on the public internet.
The most common attack vectors, however, have remained much the same over the years: software vulnerabilities that are left unpatched and human beings who are tricked into surrendering their access credentials or launching malicious code.
“Preventing that initial entry is extremely challenging,” says Bryant of Tanium. “No matter how many technical controls you put in place, attackers can still trick you into getting entry into your environment. And once they’re inside, they can live off the land and move laterally.”
What to do after a ransomware attack
If you’re unlucky enough to be infected with malware, the first call you need to make is to your legal department, Bryant says. They, in turn, can engage directly with your cyber insurance company and your incident response team.
Once hackers are inside, they can live off the land and move laterally.
In the event of a lawsuit, any actions taken by the IR team would be protected from disclosure under attorney-client privilege. Attorneys would also be involved in reporting the incident to legal authorities, such as the federal Cybersecurity and Infrastructure Security Agency (CISA) or the FBI’s Internet Crime Complaint Center (IC3).
More important, you need to activate a recovery plan for the entire organization—one that you already know how to implement. Having regular tabletop exercises or simulations where all important stakeholders participate can go a long way toward ensuring a full recovery after a hack, Bryant adds.
After discovering an intrusion, you’ll need to determine how the attackers got in and where they went from there. Did your alerting system miss something? Do you have the right controls around employee access privileges? Limiting an adversary’s ability to move will eliminate the vast majority of ransomware threats, says Bryant. If attackers can’t move laterally through your network, they’re more likely to move on to an easier target.
Whether you end up paying a ransom depends on the situation, he says. It’s a decision that needs to balance risks and benefits, and is usually the responsibility of the legal and executive sides. Bryant recommends asking questions such as: What’s an acceptable amount of loss? Can we live with going a week or a month without data if our more recent online backups are compromised?
“Even if you do choose to decrypt, it’s still advisable to have a thorough investigation to make sure the attackers haven’t left anything behind, and then wipe and reload your systems from good, reliable backups,” says Bryant.
And, of course, you want to do everything in your power to ensure that a hack doesn’t happen again.
John Abercrombie now backs up all his company’s critical servers to an on-premises appliance that replicates the backups to cloud storage using different access credentials from the rest of the network. The company has adopted new AI-based endpoint protection software and email security software, and engaged a managed detection and response (MDR) firm to manage it. It set up two-factor authentication and initiated anti-phishing training for all its employees.
The malware fire next time
The scariest part of the ransomware breach to his company, Abercrombie remembers, was the realization that there was nothing preventing it from being attacked again.
“There are lots of ransomware gangs out there,” he says. “It’s not like one’s going to say, ‘Oh, one of our competitors hit them last month, we’ll give them a pass.’ So since the incident, we’ve been hyperfocused on security.”
Abercrombie’s best advice for others? “Make a plan,” he says. “So when it happens—and it will—you’re not stuck trying to figure out what to do.”