10 ‘Horrifying’ Ransomware Trends And Best Prevention Methods: CISO

“Threat actors have gotten much more sophisticated and much more aggressive in their demands. Even if you hire a good negotiator to negotiate with threat actors, you’re generally still settling for around one-third,” said Kevin McDonald, CISO and COO at Alvaka Networks.

10 Ransomware Trends And Prevention Tools To Watch

Kevin McDonald is one of the nation’s top cybersecurity experts around ransomware. A CISO and COO at Alvaka Networks with decades of cybersecurity experience, McDonald is also a member of numerous organizations including the CompTIA Cyber Security Advisory Council, the High Technology Crime Investigation Association and the US Secret Service’s Los Angeles Cyber Fraud Task Force, to name a few.

“Threat actors have gotten much more sophisticated and much more aggressive in their demands. Even if you hire a good negotiator to negotiate with threat actors, you’re generally still settling for around one-third (of the initial ransom),” McDonald said in an interview with CRN.

From threat actors offering ransomware help desks and ransomware as-a-service, to the “laughably low” number of ransomware attacks officially being reported and how over 95 percent of ransomware attacks can be easily prevented, McDonald explains how businesses across the world should fight ransomware.

CRN takes a deep dive with McDonald about how the ransomware world operates today and what every business needs to do to protect itself.

Companies ‘Just Disappear’

Ransomware can destroy a company overnight, he said. While Colonial Pipeline had the money and resources to be back up and running in a few days, many other businesses aren’t, and won’t be, that lucky.

“I’ve had more horrifying, tearful conversations with people who’ve lost everything,” McDonald said. “Most small organizations don’t really have a chance if they get hit by one of these sophisticated actors and they can’t pay. Threat actors have gotten much more sophisticated and much more aggressive in their demands. Even if you hire a good negotiator to negotiate with threat actors, you’re generally still settling for around a third [of the initial demand].

“Nothing disgusts me more than somebody who’s stealing what someone has spent their whole life working for and they’re taking it from them out of an opportunistic perspective,” the CISO added. “It’s just absolutely gross and I have very little tolerance for it.”

95 Percent Of Ransomware Cases Can Be Prevented

Along with running an antivirus and anti-malware combination, McDonald lays out the steps businesses can take to protect themselves. If they follow these simple steps, there is a good chance they will head off a ransomware attack before it starts.

“There are some really basic things that you can do too,” he said. “Patching your systems, managing the external access to the degree that you use best practices and using the CIS controls will prevent about 95-plus percent of the cases that we’ve received. Then, of course, using your typical, or industrial grade, antivirus malware combination.”

“Certain brands of firewalls have problems that are not being addressed, or when they are addressed by the vendor the clients are not addressing them,” he said. “Another opportunity and another risk, by the way, for MSPs, if you’re responsible for that, you better be updating firmware for security appliances.”

Federal Government Stepping In To Investigate A ‘Huge Step’

The U.S. Department of Justice is reportedly seeking to elevate investigations of ransomware attacks to a similar level as terrorism after a series of high-profile cyber breaches, including the Colonial Pipeline attack.

McDonald sees this as a “huge step” in the right direction.

“There are resources, tools, staff, money, interagency and international interagency possibilities now that would not have been possible had they not made that determination,” he said. “I think that it’s great that the government is now paying attention to it,” said McDonald. “There’s no doubt that if they start treating it as they say they’re going to, it will have an immense impact on the number and the severity of the cases. It will by no means stop it, it’s no different than the drug war or anything else that is highly profitable until, and even if, they increase the penalties and really get more serious about processing this for what it is.”

Number Of Ransomware Attacks Reported ‘Laughably Low’

Due to a variety of reasons including bad press for a company, a smear on their branding or the fear that their customers won’t feel safe, most ransomware attacks go unreported to police, according to McDonald.

With the U.S. Department of Justice looking at elevating attacks, he hopes awareness around it will increase and, in turn, more will be reported.

“The numbers they’re reporting are almost laughably low, because we know the vast majority of the cases that happen never reach law enforcement at all,” he said. “People are doing everything they can to avoid the disruption to their stock price, the valuations. They just want to go on and do their thing and go back to business. A lot of these are not reported and I think their numbers are kind of a joke.”

Ransomware Has The Ability To Kill

There’s no limit to how big or small a ransomware attack, and its effects, can be. Like the Colonial Pipeline attack, which disrupted fuel supply along much of the East Coast of the United States, it can reach far beyond the victim organization. It can shutter a small business. It even has the potential to end a life.

“If someone is killed because they have to bypass a hospital – which happened recently, a woman died because she was in an ambulance and the hospital that she was closest to was under a ransom attack. As a result, she didn’t get help fast enough. Those people should be charged with murder. They caused that hospital to go down, they caused this person’s death. That is a severe enough issue that they should be charged with death.”

‘You Can’t Really Kill Chain Cryptocurrency’

The biggest challenge, he said, is cryptocurrency.

“In the business-to-business (B2B) world, a lot of the money is recovered if you move fast enough because they can kill chain bank money. You can’t really kill chain cryptocurrency without a lot of resource,” he said.

What he’s also seeing is threat actors breaking up and going out on their own.

“They break up for whatever reason, whether it’s internal politics, their tools are not the greatest or there was a disagreement,” he said. “They’ll break up and stand up a new group and now you have two.”

Attacks On MSPs ‘Get Three’ Customers Instead Of One

The number of MSPs that have been hit with ransomware attacks has grown, he said, adding that if an MSP is hit, there’s a chance their customers can be hit as well. In 2019, 22 local governments in Texas were hit, all at once, with ransomware that was reportedly spread through the remote-management tools of a shared MSP. In late 2020, the SolarWinds Orion compromise, in which a backdoored software update was pushed to Orion customers, showed the same one-to-many reach, even though that attack was espionage rather than ransomware.

“We’ve actually done a couple of significant rescues in the last couple of years where we’ve helped people that were providing many services recover themselves and their clients,” he said.

“From the MSP perspective just the sheer threat of ransomware, in themselves and in their customers, has been a really tough thing,” he said. “It’s a constant conversation, it’s becoming more popular as far as the threat actors thinking, ‘Hey, great, and if I hit somebody, I get three instead of one.’”

Crypto Leading To Ransomware As-A-Service

Threat actors have become so sophisticated, tracking crypto exchanges and online marketplaces and running their operations like businesses, that some now offer ransomware as-a-service, McDonald said.

“I’m not exaggerating when I say we’ve actually seen the help desk for these ransomware actors and it’s better than some of the biggest companies in the world, it’s really high-quality service,” he said. “It just tells you how sophisticated they are. They actually have a number you call and they’ll help you if you’re struggling with decrypting now.

“If they take down command and control, where the decryption keys are held, while your stuff is encrypted, you’re done,” he added. “You will not be able to decrypt because they shut down the servers that provide the interaction with the threat actor.”

Technology Was Deployed Too Quickly

When the COVID-19 pandemic hit and everything went virtual, it was a rush to get remote workforces online. Whether it was working online or virtual school or simple communications, the need to deploy IT hardware and software surged. Cybersecurity, however, was often lagging behind.

“Technology deployed for remote services quickly was a lot of what has caused some of the ransom cases that we’ve seen,” he said. “People quickly stood up an RDS server and didn’t put it behind a gateway and VPN and no two-factor [authentication] and next thing you know you’ve got a recipe for external penetration.

“The ransomware defense, prevention and rescue [business] has just been off the hook,” he added. “We had the best quarter we ever had in nearly 40 years in business.”
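The exposed-RDS scenario McDonald describes leaves a recognizable trail in the Windows Security log: RemoteInteractive (RDP, LogonType 10) attempts arriving from Internet addresses, and runs of failed logons (event 4625) followed by a success (event 4624) when a password guess lands. The script below is an added example written for this article, not code from Alvaka Networks or CRN. The sample events are constructed, the flat JSON-style field names are an assumed simplification of an exported Security log, and the RFC 5737 documentation addresses (203.0.113.0/24, 198.51.100.0/24) stand in for Internet sources; the internal-address check is limited to RFC 1918 and loopback on purpose, because Python’s `ipaddress` module classes those documentation ranges as private.

```python
"""Flag Internet-exposed RDP and brute-force RDP logons from Windows Security events.

Event 4625 = failed logon, 4624 = successful logon; LogonType 10
(RemoteInteractive) is RDP. An RDS host sitting behind a VPN or RD Gateway
should only ever see private source addresses, so any LogonType-10 attempt
from a public address means the host is reachable directly from the Internet.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample events (not real logs). Field names are an assumed
# flattening of the Security log as exported by e.g. Get-WinEvent.
SAMPLE_EVENTS = [
    {"time": "2021-06-07T02:10:01", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2021-06-07T02:10:30", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2021-06-07T02:11:02", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2021-06-07T02:11:40", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2021-06-07T02:12:15", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2021-06-07T02:13:00", "id": 4625, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2021-06-07T02:14:10", "id": 4624, "logon_type": 10, "user": "administrator", "src": "203.0.113.45"},
    {"time": "2021-06-07T08:02:11", "id": 4624, "logon_type": 10, "user": "jsmith", "src": "10.20.0.12"},
    {"time": "2021-06-07T08:05:00", "id": 4625, "logon_type": 10, "user": "bob", "src": "198.51.100.7"},
    {"time": "2021-06-07T08:06:00", "id": 4624, "logon_type": 3, "user": "svc-backup", "src": "10.20.0.40"},
]

# RFC 1918 plus loopback only: the ipaddress module also treats the RFC 5737
# documentation ranges used in the sample as private, which we do not want.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

FAIL_THRESHOLD = 5            # failures from one source before a success is suspicious
WINDOW = timedelta(minutes=10)


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def analyze(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {'exposed_sources': [public IPs that reached RDP],
               'bruteforce': [(src, user, failures_before_success), ...]}."""
    ordered = sorted(events, key=lambda e: e["time"])
    failures = defaultdict(list)   # src address -> timestamps of RDP failures
    exposed = set()
    bruteforce = []
    for e in ordered:
        if e["logon_type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        src = ipaddress.ip_address(e["src"])
        when = datetime.fromisoformat(e["time"])
        if not is_internal(src):   # any RDP attempt from outside = exposed host
            exposed.add(str(src))
        if e["id"] == 4625:
            failures[src].append(when)
        elif e["id"] == 4624:
            recent = [t for t in failures[src] if when - t <= window]
            if len(recent) >= threshold:
                bruteforce.append((str(src), e["user"], len(recent)))
            failures[src].clear()  # start counting afresh after a success
    return {"exposed_sources": sorted(exposed), "bruteforce": bruteforce}


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_EVENTS).items():
        print(kind, hits)
```

On the sample, the administrator account is hit six times in four minutes from 203.0.113.45 and then logs in, which is the "external penetration" outcome; 198.51.100.7 only shows that the host is reachable from outside. A VPN or RD Gateway in front of the host, plus MFA, removes both findings at the source rather than just detecting them.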

Backup Is Key

Going forward, McDonald said companies should, if they haven’t already, invest in a disaster recovery and backup plan. These disaster recovery plans can literally save a company.

“One of the big opportunities is to reconsider disaster recovery, as a service provider, and put in true insider protection so that it doesn’t matter who you are, you can’t, without a second set of permissions from someone else, delete or corrupt backups,” he said. “You can’t just come in and encrypt or overwrite or delete data.”

“If you don’t have insider protection on your disaster plan, if you’re allowing for your domain administrative super users/kingdom building account to own everything, then when the bad guys get a hold of that, which is what happens in many of these cases, guess what they have control of? The backup,” he added. “They have access to your password management, they have access to your documentation. All they do is sit around for a bit and figure out how you operate and go delete your backup.”
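The "insider protection" McDonald describes comes down to two rules that hold even for a domain admin: a backup’s retention lock can be extended but never shortened, and deleting a backup takes a request from one authorized person and an approval from a different one. The model below is an added example written for this article, not a product feature or code from Alvaka Networks; the vault, account names and 30-day retention are assumptions. The `dual_control=False` path reproduces the weak setup he describes, where one account that owns everything can delete the backups outright, so the two paths can be compared on the same attacker moves.

```python
"""Model of insider-protected backup deletion: no single account, domain admin
included, can delete a backup or shorten its retention lock. Deletion needs a
request and an approval from two distinct authorized people, and a backup that
is still under its retention lock cannot be deleted by anyone.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional, Set


class BackupPolicyError(Exception):
    """Raised when an action violates the vault's protection policy."""


@dataclass
class Backup:
    name: str
    locked_until: datetime                 # retention lock; may only be extended
    pending_delete_by: Optional[str] = None


class BackupVault:
    def __init__(self, retention: timedelta, approvers: Set[str], dual_control: bool = True):
        self.retention = retention
        self.approvers = set(approvers)    # accounts allowed to request/approve deletion
        self.dual_control = dual_control   # False = the weak single-admin setup
        self.backups: Dict[str, Backup] = {}

    def store(self, name: str, now: datetime) -> None:
        self.backups[name] = Backup(name, locked_until=now + self.retention)

    def set_lock(self, name: str, until: datetime, actor: str) -> None:
        """A retention lock can be extended but never shortened, whoever asks."""
        b = self._authorized(name, actor)
        if until < b.locked_until:
            raise BackupPolicyError(f"{actor} may not shorten the lock on {name}")
        b.locked_until = until

    def request_delete(self, name: str, actor: str, now: datetime) -> None:
        b = self._authorized(name, actor)
        if now < b.locked_until:
            raise BackupPolicyError(f"{name} is retention-locked until {b.locked_until:%Y-%m-%d}")
        if not self.dual_control:          # weak setup: one account deletes outright
            del self.backups[name]
            return
        b.pending_delete_by = actor        # hardened: only a request is recorded

    def approve_delete(self, name: str, actor: str, now: datetime) -> None:
        b = self._authorized(name, actor)
        if b.pending_delete_by is None:
            raise BackupPolicyError(f"no deletion of {name} has been requested")
        if actor == b.pending_delete_by:
            raise BackupPolicyError("requester cannot approve their own deletion request")
        if now < b.locked_until:
            raise BackupPolicyError(f"{name} is retention-locked until {b.locked_until:%Y-%m-%d}")
        del self.backups[name]

    def _authorized(self, name: str, actor: str) -> Backup:
        if actor not in self.approvers:
            raise BackupPolicyError(f"{actor} is not a backup approver")
        return self.backups[name]


def compromised_admin_scenario(dual_control: bool) -> dict:
    """An attacker holding the domain admin account (which, as in the setups the
    article describes, is also a backup approver) tries the obvious moves; then the
    legitimate second person approves whatever request is pending."""
    now = datetime(2021, 6, 7)                      # assumed 'current' date
    vault = BackupVault(timedelta(days=30), {"domain-admin", "backup-officer"}, dual_control)
    vault.store("fileserver-2021-06-01", now - timedelta(days=6))    # still locked
    vault.store("fileserver-2021-04-01", now - timedelta(days=67))   # lock expired

    blocked = []

    def attempt(label, action):
        try:
            action()
        except BackupPolicyError:
            blocked.append(label)

    attempt("shorten lock", lambda: vault.set_lock("fileserver-2021-06-01", now, "domain-admin"))
    attempt("delete locked", lambda: vault.request_delete("fileserver-2021-06-01", "domain-admin", now))
    attempt("delete expired", lambda: vault.request_delete("fileserver-2021-04-01", "domain-admin", now))
    if "fileserver-2021-04-01" in vault.backups:    # hardened path: request only, try to self-approve
        attempt("self-approve", lambda: vault.approve_delete("fileserver-2021-04-01", "domain-admin", now))
    attacker_left = sorted(vault.backups)

    old = vault.backups.get("fileserver-2021-04-01")
    if old is not None and old.pending_delete_by:   # a real second person signs off
        vault.approve_delete("fileserver-2021-04-01", "backup-officer", now)
    return {"blocked": blocked, "attacker_left": attacker_left,
            "after_officer_approval": sorted(vault.backups)}


if __name__ == "__main__":
    for mode in (False, True):
        print("dual_control =", mode, compromised_admin_scenario(mode))
```

With a single all-powerful account the attacker wipes the out-of-lock backup immediately; with dual control every move is either refused or left as a pending request that only another person can complete, and ordinary housekeeping still works once that second person signs off. Cloud object stores implement the retention-lock half of this natively (for example, S3 Object Lock in compliance mode), and the second-approver half belongs in the backup product’s own RBAC rather than in Active Directory, so a domain admin takeover does not carry it away.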