Ransomware response and recovery - How to be more resilient in the face of ransomware threats - Accenture
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Ransomware response and recovery How to be more resilient in the face of ransomware threats
Why ransomware? Today’s
According to Christopher Krebs, former Director of the
Cybersecurity and Infrastructure Security Agency (CISA), top three
“You’ve got to start with what really matters the most and
then you work out from there. So, from that perspective,
ransomware is the biggest threat.” 1
challenges
Impacts vary, but, in many cases, Security leaders must understand and
ransomware disrupts businesses for counter new ransomware challenges, #1
significant periods—or even forces them strengthen defenses across people,
to suspend operations or close. processes, and technology and
demonstrate why security is critical to the
A growing population of highly capable business strategy.
cyber extortionists is developing a new
means to counter defenses and increase In short, security leaders need to help #2
the level of disruption they can inflict, their organizations gain ransomware
constantly. Threats are widespread; they resilience—fast.
extend across industry and the public/
private sector, affecting large and small
businesses alike.
#3
2
Copyright © 2021 Accenture. All rights reserved.
What does ransomware look like?
Ransomware can create a crisis of systemic business risk and consumer trust
Typical business impacts involve: Hot topics
• Disruption to production, delivery, or The top five ransomware variants based
customer services on intrusion data derived from Accenture
Security Cyber Investigations & Forensic
• Loss of sensitive commercial data, or Response (CIFR) engagements: 2
protected information
Top five 2020 Top five first quarter 2021
• Direct costs of remediation, recovery,
or potential ransom payment 1. Maze 1. DoppelPaymer
• Costs associated with litigation, often 2. Sodinokibi 2. Sodinokibi
class-action lawsuits
3. Ryuk 3. Hades
• Legal and regulatory sanctions
4. Netwalker 4. Ryuk
• Reputational damage
5. DoppelPaymer 5. Conti
Copyright © 2021 Accenture. All rights reserved. 3
Challenge #1
Successful ransomware
extortionists are ramping
up attacks
Established ransomware operators are To plan for resilience, organizations should
upping their game as they continue to focus on the business and operational
focus on new monetization opportunities risks presented by the threat across
and see no limits to the potential profits. their unique value chain—and prioritize
planning and defense efforts accordingly.
At the same time, the barrier to entry is
low; ransomware tools and supporting The Accenture CIFR team observed a
operations are readily available through 160% year-on-year increase in ransomware
various markets and affiliate networks. events in 2020—with little signs of any
slowdown in early 2021.3
Alongside the opportunities presented
by the pandemic, the population
of extortionists is growing as new
cybercriminals are drawn to the low-risk,
high-reward operations.
4
Copyright © 2021 Accenture. All rights reserved.
Challenge #2
Ransomware operators are
constantly improving their
ability to disrupt
Cyber extortionists are incentivized to Commodification of the skills and
develop ever-more disruptive ways of services required—ranging from
working. The more disruption they can initial access brokers and intrusion
inflict, the larger the ransom they specialists to ransomware-as-a-service
can demand. models with partners and affiliates and
specialist negotiator middle-men—is
Operators keep innovating, first using enabling and rewarding the development
ransomware in a targeted way, against of new, more disruptive techniques.
key assets, then combining that with data
leak extortion. Now, there are indications In December 2020, extortionists targeted
that certain operators are increasing one of the world’s largest manufacturers,
their ability to interfere with operational claimed encryption of 1,200 servers,
technology (OT) processes and refining realized the theft of 100GB of data,
other means to pressure payment, deleted 20 to 30TB of backups and
including layering distributed denial-of- demanded a $34M ransom.4
service attacks with encryption and
data leakage. One variant has stepped up its
confrontational approach, delivering its
ransomware notes through a retailer’s
receipt printer.
5
Copyright © 2021 Accenture. All rights reserved.
Challenge #3
Business growth and service
strategies lack resilience
Downtime from ransomware is still Ransom demands are growing and
growing. According to Coveware, firms becoming more customized—with threat
experienced on average 23 days of actors assessing who is more likely to
downtime in the first quarter of 2021, up pay. If ransoms are paid, it can open
from 21 days in the fourth quarter of the door to further criminality. Also,
2020. Downtime ranged from standstill some ransomware operators have been
to minor non-availability.5 sanctioned, potentially placing a ransom-
paying victim in further legal jeopardy.
Encryption can deny access and
interrupt basic and vital resources, The Accenture CIFR team observed
including internal and customer ransom demands ranging from
communications and platforms, as well US$100,000 to US$50M in 2020.6
as operational or production systems.
Long periods of downtime can affect In August 2020, a leading foreign
tens of millions of people. The theft and exchange firm went into administration to
publication of data give attackers new lose more than 1,300 jobs. Administrators
extortion opportunities—such as the stated that a ransomware attack had
risk of regulatory sanctions if protected caused a month of disruption and at times
information is made available online. staff could not use computers to keep
track of currency trading. The breach also
disrupted online travel money services for
leading global clients.7
6
Copyright © 2021 Accenture. All rights reserved.
Ransomware is evolving
Established operators Ransomware operators New variants and enhanced Organizations feel the
extend reach and profits often move fast tactics challenge defenses pressure of payment
with new collaborations strategies and regulatory
demands
A ransomware-as-a-service model Often, operators have exfiltrated Threats are going beyond IT to new Aggressive operators are phoning
has been transformative for sensitive data and encrypted key technologies and platforms—there victims directly, sometimes
extortionists. Owners of highly assets within hours of an initial are at least seven known variants with combining denial-of-service attacks
effective and widely disseminated infection. Also, some companies are features designed to target common with encryption and publication
malware strains, formerly known as more commonly finding themselves industrial environment processes. tactics. The United States federal
“banking trojans,” are working with targeted twice in quick succession by Criminals have the resources to government has released an
intrusion specialists to infect and different actors. re-invest and innovate, regularly advisory8 reminding CISOs that by
extort the maximum number of designing new, more effective tools financing terrorism or financing
victims. and techniques to increase their banned organizations in the payment
operations’ efficacy. of a ransom, they are committing
an offense. While in Europe, GDPR
requires any potential breach to be
reported to the regulator within 72
hours—or face sanctions.
Copyright © 2021 Accenture. All rights reserved. 7
What can you do now?
Operate under the assumption that you are already breached and focus on
resilience across the end-to-end value chain
Focus on Prevent Know your Make it Prepare, prepare
the basics and protect operations personal and prepare again
Keep security hygiene up to Increase confidence through Model the threat against your CISOs cannot go it alone. Threats are agile and you
standard; maintain controls continuous validation and operations and end-to-end Collaborate and prepare should be, too. Businesses
and continue patching; ensure testing of your defenses. value chain. with Legal, Communications, don’t evaluate their profit and
visibility into and protection of senior management and loss or liquidity levels once a
crown jewel data. Train and test employees Understand how to backup external service providers, so year—security should be no
frequently. and restore critical data at everyone knows how to work different.
Implement a holistic backup speed and scale across the together during an event.
and recovery strategy with Ensure adequate visibility and business—strive for continuity Use planning and validation as
situational awareness of the coverage across the attack of operations. Conduct crisis management an opportunity to constantly
current threat landscape. surface—use tooling, controls and table-top exercises to test measure and improve
and telemetry to enhance Be clear on policies and relationships. resilience or adjust your
Ensure you have a crisis your defense posture across procedures—the response course over time.
management and incident layered prevention, detection, playbook is often the first Meet regularly with
response plan that’s in line and agile response. thing regulators and litigants authorities, incident response Pressure-test for when things
with the current pandemic- ask for after a breach. partners and outside legal go wrong.
*Attributed to Sir Winston Churchill
driven operating environment. counsel to bolster support.
Copyright © 2021 Accenture. All rights reserved. 8
So, you’ve been hit—what’s next?
“Never let a good crisis go to waste”9—after any ransomware attack,
CISOs should reflect on improvements to ease the impact of future events
1 2 3 4 5
Trace Collaborate Learn from Update risk Strengthen
the attack and report the experience mitigation plans defense posture
Use incident response, Work with legal counsel to Quantify the financial and Evaluate current inherent and Get tactical: remediate identified
forensic analysis and threat ensure statutory obligations reputational impacts and residual risk measurements vulnerabilities, update operating
intelligence to identify how are fulfilled by reporting an identify metrics and resources and work with the business systems, deploy compensating
the attack occurred and incident to the appropriate to meet the C-suite’s to identify any beyond controls, refine weak processes,
build a comprehensive authorities. Collaborate expectations for cyber acceptable levels. Apply an harden the environment
understanding of the intrusion with industry partners, resilience going forward. Talk appropriate risk mitigation (across network, endpoint,
and measured impact. This is consortiums and law to the C-suite so that business strategy that includes aspects and identity), improve cyber
critical during and after the enforcement for greater leaders can prioritize and such as controls deployment hygiene, enhance the efficacy of
incident to inform defense threat awareness. oversee the measurement or security transfer threat detection and response
posturing, comprehensive of cyber resilience, secure mechanisms. operations, address weaknesses
take-back planning in a funding for improvements in recovery processes and
domain compromise and and incorporate it into drive the necessary behavioral
safe recovery of business business resilience plans. changes required to strengthen
operations. cybersecurity defenses.
*Attributed to Sir Winston Churchill
Copyright © 2021 Accenture. All rights reserved. 9
Who’s doing what?
An organization paid ransom twice A Norwegian aluminum manufacturer
following a failure of its antivirus was forced to halt some production and
protection measures. Once attackers switch other units to manual operations
had gained entry to its systems, they set after hackers blocked its systems. Its post-
about changing existing client security
measures and controls to guarantee
response analysis showed that attackers
had been present in the network for three
“The organization didn’t realize
continued access. The organization didn’t
realize how much of its network had been
months when somebody clicked on the
wrong e-mail. The forced shutdown cost
much of its network had
compromised and how sophisticated its
attackers were.
the company US$52M.
been compromised and how
A medium-sized manufacturer was
An oil and gas company with a good
recovery plan, validated backups, and
sophisticated its attackers were.”
preparing to replace all its virus detection a strong leadership team determined
software. It was unaware that attackers not to pay a ransom. When it was hit, it
had infiltrated its network months prior could get back up and running in less
and it was monitoring the company e-mail than one week. On the other hand, for a
Web portal through a poorly protected manufacturing customer who had not
administrative account. When the been validating its backups and had a
attackers discovered a planned upgrade, piecemeal recovery process, it took six
hackers launched an attack the weekend weeks to recover from an attack.
before countermeasures were planned to
be deployed.
10
Copyright © 2021 Accenture. All rights reserved.Ransomware incident
response trends
A look back at 2020 intrusion data10
Top industries impacted: Products11 (38%) Resources12 (33%),
Healthcare and State and Local Government (17%)
Initial ransom demands ranging from US$100K to US$50M
Average operational downtime around 12 days
Data extortion was incorporated in >60% of intrusions
Dwell times range from 2.5 hours to around six months13
Primary attack vectors: 1. Phishing, 2. Remote access,
3. Software vulnerability
Copyright © 2021 Accenture. All rights reserved.
11Are you ready?
Being resilient means robust processes, training and coordination across the business value chain
Ask yourself:
What How Who
• What are the most critical • How often do you pressure- • Who are your decision-
systems and data in your test and exercise your plans? makers during a crisis?
operations?
• How quickly could you • Who is responsible for
• What plans do you have in respond to and recover from negotiating or reviewing
place? (such as business a ransomware threat? your extortion policy?
continuity, disaster
recovery) • How would you handle a full • Who handles incident
domain compromise? response?
• What is your media strategy
in the event of a crisis?
Copyright © 2021 Accenture. All rights reserved.
12Contacts References
1. Former US cyber chief calls for military to attack hackers, Financial Times, 2021,
https://www.ft.com/content/27c09769-ceb5-46dd-824f-40b684d681ae
2. Looking back to see the future: CIFR DeLorean—2021 edition, Accenture, 2021,
https://www.accenture.com/us-en/blogs/cyber-defense/cifr-delorean-2021-edition
3. Ibid
4. Foxconn electronics giant hit by ransomware, $34 million ransom, Bleeping Computer, 2020,
https://www.bleepingcomputer.com/news/security/foxconn-electronics-giant-hit-by-ransomware-
34-million-ransom/
5. Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound, Coveware, 2021,
https://www.coveware.com/blog/ransomware-attack-vectors-shift-as-new-software-vulnerability-
exploits-abound
6. Looking back to see the future: CIFR DeLorean—2021 edition, Accenture, 2021,
https://www.accenture.com/us-en/blogs/cyber-defense/cifr-delorean-2021-edition
Mark Raeburn Jacky Fox Ryan Leininger 7. Travelex falls into administration, with loss of 1,300 jobs, The Guardian, 2020,
https://www.theguardian.com/business/2020/aug/06/travelex-falls-into-administration-
Managing Director Managing Director Senior Manager
shedding-1300-jobs
Cyber Defense United Kingdom & Ireland Cyber Defense
Accenture Security Accenture Security Accenture Security 8. Department of the Treasury, 2020,
https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
9. Attributed to Sir Winston Churchill
10. CIFR observations
11. Products industries include: Automotive, Airline, Consumer Goods & Services, Hotels, Industrial
Equipment, Life Sciences, Retail
12. Resources industries include: Energy (Oil & Gas), Chemicals, Metals/Mining, Utilities
13. Dwell time is the amount of time the threat actor is active in the victim organization’s network—from
first evidence of compromise through detection (or impact)
opyright © 2021 Accenture. All rights reserved. 13Appendix
Top ransomware variants observed by Accenture Security’s CIFR team:
• Conti: First observed by cybersecurity teams in May 2020, it involves double extortion that that puts information and reputation
at risk. It not only encrypts files on the infected host but also spreads to encrypt files on different hosts, potentially compromising
the entire network.
• DoppelPaymer: A newer variant associated with the well-established Dridex Gang, whose leader was sanctioned and linked to
Russia’s Federal Security Service (FSB) by the United States Justice Department in December 2019.
• Hades: A ransomware campaign that has been ongoing since at least December 2020, Hades ransom notes share portions with
the one used by the REvil ransomware operators; there is no evidence to suggest the threat groups or operations have any overlap.
• Maze: Maze operations changed the game by being the first cartel to pioneer the double extortion approach. It reportedly shut
down in Q4 2020 (see https://techcrunch.com/2020/11/02/maze-ransomware-group-shutting-down/)
• Netwalker: Made a name for itself with a string of healthcare compromises but was interrupted by law enforcement
interdiction that occurred in January 2021. Its operations were recently disrupted by international law enforcement agencies
(see https://www.zdnet.com/article/us-and-bulgarian-authorities-dirsupt-netwalker-ransomware-operation/)
• Ryuk: Known for being prolific and aggressive. It benefits from strong working links with the effective and widely disseminated
downloader malware, TrickBot and Emotet and conducted multiple high-impact compromises against United States hospitals
in late 2020.
For more, visit Looking back to see the future: CIFR DeLorean—2021 edition
Copyright © 2021 Accenture. All rights reserved. 14About Accenture About Accenture Security
Accenture is a global professional services company with leading Accenture Security is a leading provider of end-to-end cybersecurity
capabilities in digital, cloud and security. Combining unmatched services, including advanced cyber defense, applied cybersecurity
experience and specialized skills across more than 40 industries, we solutions and managed security operations. We bring security
offer Strategy and Consulting, Interactive, Technology and Operations innovation, coupled with global scale and a worldwide delivery
services—all powered by the world’s largest network of Advanced capability through our network of Advanced Technology and Intelligent
Technology and Intelligent Operations centers. Our 537,000 people Operations centers. Helped by our team of highly skilled professionals,
deliver on the promise of technology and human ingenuity every day, we enable clients to innovate safely, build cyber resilience and grow with
serving clients in more than 120 countries. We embrace the power of confidence. Follow us @AccentureSecure on Twitter or visit us at
change to create value and shared success for our clients, people, www.accenture.com/security
shareholders, partners, and communities.
Visit us at www.accenture.com
DISCLAIMER: This document is intended for general informational purposes only and does not take into account the reader’s specific
circumstances and may not reflect the most current developments. Accenture disclaims, to the fullest extent permitted by applicable law, any
and all liability for the accuracy and completeness of the information in this presentation and for any acts or omissions made based on such
Copyright © 2021 Accenture All rights reserved. information. Accenture does not provide legal, regulatory, audit, or tax advice. Readers are responsible for obtaining such advice from their own
Accenture, its logo, and New Applied Now are trademarks of Accenture. legal counsel or other licensed professionals.
15You can also read
