There is a lot of buzz in the Charlotte area about a recent Ransomware infection of Mecklenburg County systems. Ransomware was introduced through a phishing e-mail and quickly propagated to many County servers encrypting them unless a ransom is paid. While it is high-profile on a local level, this type of event is routine for those of us dealing with Cybersecurity. For the past couple of years, we have been telling anyone who will listen that the most likely way they will be introduced to intricacies of Cybersecurity is through a ransomware infection.
The Mecklenburg County incident is particularly interesting for a few reasons. The first is that it demonstrates how quickly ransomware can make your day go from ordinary to CODE RED. There is an oft-quoted stat that it takes three minutes from click to a computer being encrypted. Three minutes, one click, and you can have an incident that has made national news and spawned press conferences. Another interesting aspect of this incident is because the County is a public entity, you are getting a glimpse into some of the incident response aspects—interaction with law enforcement, deciding whether to pay the ransom, etc. These are things that CISOs and attorneys working in this area deal with all of the time, but many times in the private sector it is done without public knowledge or scrutiny. The third point of interest is that this variant was a Ransomworm. We discussed this term last spring in an article “Why the Advent of the Ransomworm is a Really Big Deal” that was published in https://innotechtoday.com/ransomworm. Others in the industry have also used that term before, and we all agree on one thing—it is a Really Big Deal. A Ransomworm can self-propagate, and as public reports about the Mecklenburg County incident suggest, one errant click can have a tremendously disruptive effect—in this case encrypting over 40 servers dispersed throughout a network.
So what can be done? The answer: lots of things. There are two aspects to focus on—prevention and remediation. With ransomware, both are equally critical. Prevention is crucial, and the risks can certainly be mitigated through technical measures coupled with awareness and training. Nevertheless, do not believe anyone who tells you the risk of an infection can be eliminated entirely. That is simply not possible. However, what is possible is to greatly mitigate the effect of a ransomware infection. So here are the big four:
- Training and Awareness: Employees need to know not just common threat vectors but understand that one careless click can make them ground zero for grinding an organization to a halt. Then they need to be reminded of it repeatedly.
- Updates: Ransomware evolves and there are lots of technical ways to stop either an infection or the spread with malware defenses or patching exploits the ransomware uses. Solid updating procedures can mitigate both occurrence and severity of infections.
- Backups: Robust backup and restoration takes the leverage away from the perpetrators of ransomware attacks, and if yours are good enough it provides a great deal of peace of mind.
- Incident Response Planning and Testing: Do not let your first incident response test be the real thing. The events are happening all the time and are in many ways very predictable. Planning with adequate testing through exercises like table top simulations has many benefits in making response cheaper, more efficient, and more effective.
If the buildings of other organizations were occasionally being hit with a spontaneous fire outbreak, most would come up with a plan to respond to such an incident and make sure they were prepared. It is time everyone recognizes that there is no distinction between virtual and real in terms of the detriment it can have on an organization and the measures that can be taken to prepare for incidents.