[BreachExchange] Why Federal Agencies Need a Ransomware Strategy

Audrey McNeil audrey at riskbasedsecurity.com
Tue Nov 15 19:53:12 EST 2016


http://www.datacenterjournal.com/federal-agencies-need-ransomware-strategy/

If government cybersecurity executives are not taking the threat of
ransomware extremely seriously, they should be. Although this type of
security threat is not new, it’s increasingly common, and it may be one of
the most damaging methods of extorting money from unsuspecting or
unprepared individuals in the digital age.

Ransomware is a type of malicious software that installs covertly on a
target user’s computer, encrypts the user’s files and then demands a ransom
payment from the individual or organization to restore those files.
More advanced variants also encrypt users’ files on mounted file systems and
network shares, rendering them inaccessible, and likewise demand a ransom
payment to decrypt them.

What’s particularly interesting about ransomware is that it affects
personal as well as business environments, and it serves in both
opportunistic and targeted attack campaigns. It’s therefore truly a unique
hybrid.

Threats to Agencies

Government agencies are particularly vulnerable to these types of attacks
because they maintain and have access to lots of personal information about
individuals. Personally identifiable information (PII) can be worth a lot
of money in the criminal market, and the fact that agencies hold this data
can be a strong motivator for ransomware attacks.

If an agency possesses such data about thousands of individuals, an
attacker could assume there will be a high profit associated with that
information. In addition, agencies commonly have sprawling IT
infrastructures with dated technology, as well as a lack of security
expertise.

According to a document from the U.S. Department of Homeland Security (DHS)
from late 2015, the agency’s National Cybersecurity and Communications
Integration Center had received reports of 321 ransomware-related incidents
affecting 29 federal agency networks since June 2015.

Certainly, the problem of ransomware has garnered the attention of
government entities. For example, the U.S. Federal Trade Commission (FTC)
recently held a workshop dedicated to this topic. As the agency noted,
“With alarming frequency, ransomware hackers are sneaking into consumer and
business computers, encrypting files containing photos, documents and other
important data, and then demanding a ransom in exchange for the key needed
to decrypt the files.”

Sometimes these hackers pose as representatives of the FBI or other
law-enforcement agencies, the FTC said. They claim the ransom is a fine for
viewing illegal material and that failure to pay the fine will result in
criminal prosecution. Individuals and organizations, including government
agencies, are falling prey to these schemes, according to the FTC.

In March 2016, the U.S. and Canadian governments issued a joint alert about
ransomware infections. The DHS and the Canadian Cyber Incident Response
Center (CCIRC) noted that in early 2016, destructive ransomware variants
such as Locky and Samas were infecting computers belonging to individuals
and businesses, including health-care facilities worldwide.

As the agencies noted, “Paying the ransom does not guarantee the encrypted
files will be released; it only guarantees that the malicious actors
receive the victim’s money, and in some cases, their banking information.
In addition, decrypting files does not mean the malware infection itself
has been removed.”

Combating Ransomware Attacks

Fortunately, federal agencies can take steps to address the growing
ransomware challenge.

One of the easiest things they can do is make sure all sensitive data is
protected. In general, data is far more important than the physical
condition of the system that stores the data. To ease recovery from a
ransomware attack, agency IT and security executives must know where the
sensitive data resides and who can access it. They also need to know about
any out-of-the-ordinary usage activity, such as excessive reads or changes
associated with particular data.
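The "out-of-the-ordinary usage activity" mentioned above is easiest to reason about with a concrete check. The following is an added example, not code from the article: it reads constructed file-server audit lines (the log format, user names and share paths are all assumptions) and flags any account that modifies an unusually large number of distinct files within a short window, which is the fan-out pattern a bulk encryptor leaves behind on a share.

```python
"""Flag accounts whose file-modification fan-out looks like bulk encryption.

Added illustration; constructed audit-log format and sample lines, not taken
from any real product or from the article. Lines are assumed to be in
chronological order.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <user> <action> <path>"
BASELINE = [
    "2016-11-15T09:00:01 jsmith READ /shares/hr/benefits/plan.docx",
    "2016-11-15T09:00:05 jsmith WRITE /shares/hr/benefits/plan.docx",
    "2016-11-15T09:12:40 aperez READ /shares/hr/payroll/q3.xlsx",
    "2016-11-15T09:30:00 aperez WRITE /shares/hr/payroll/q3.xlsx",
]
# Constructed burst: one account rewrites 30 distinct records in 15 seconds.
BURST = []
for i in range(30):
    ts = datetime(2016, 11, 15, 10, 15, 0) + timedelta(milliseconds=500 * i)
    BURST.append(f"{ts.isoformat()} rlee WRITE /shares/hr/records/{i:03d}.pdf")
SAMPLE_LOG = "\n".join(BASELINE + BURST)

# Actions that change data; plain reads are counted separately by other checks.
MOD_ACTIONS = {"WRITE", "RENAME", "DELETE"}


def parse_line(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def find_bulk_modifiers(log_text, window=timedelta(seconds=60), threshold=20):
    """Return {user: {"first_seen": ts, "files": n}} for every account that
    modified at least `threshold` distinct files inside any sliding `window`.

    Counting distinct paths rather than raw events keeps a user who saves the
    same document repeatedly from tripping the alert.
    """
    recent = defaultdict(deque)   # user -> deque of (ts, path) inside the window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = parse_line(line)
        if action not in MOD_ACTIONS:
            continue
        q = recent[user]
        q.append((ts, path))
        # Drop events that have aged out of the window.
        while ts - q[0][0] > window:
            q.popleft()
        distinct = {p for _, p in q}
        if len(distinct) >= threshold and user not in alerts:
            alerts[user] = {"first_seen": q[0][0], "files": len(distinct)}
    return alerts


if __name__ == "__main__":
    for user, info in find_bulk_modifiers(SAMPLE_LOG).items():
        print(f"{user}: {info['files']} files modified from {info['first_seen']}")
```

The threshold and window are tuning knobs: start from a baseline of how many distinct files a typical account touches per minute on the share in question, and alert on a multiple of that rather than on a single universal number.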

Another important tactic is to conduct frequent data backups and frequent
testing of these backups. Client desktop and laptop devices and data center
servers can be easily recovered with properly tested backup and restore
processes. Untested backups will likely fail when a system restore tries to
return a system to its operational state after a shutdown.

If a system backup can be restored to an operational state and the data
stored on that system is unchanged or recoverable, the agency need not be
concerned when a ransomware attack occurs. Having a solid response strategy
in place is much more important than trying to block every variety of
ransomware to prevent attacks from happening in the first place.
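"Testing" a backup means actually restoring it and checking that what comes back matches what was saved. The following is an added example, not the article's code: it takes a backup of a directory together with a SHA-256 manifest, then performs a trial restore into a scratch location and reports every file that is missing or whose content no longer matches. The directory layout and manifest format are assumptions made for the example.

```python
"""Back up a directory with a hash manifest, then prove the backup restores.

Added illustration of backup testing; not code from the article. Directory
names and the manifest format are assumptions.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"   # assumed name of the per-backup hash list


def sha256_file(path):
    """Hash a file in chunks so large records do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(src, dest):
    """Copy src into dest and record a digest for every file (relative path -> SHA-256)."""
    src, dest = Path(src), Path(dest)
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src).as_posix()
            target = dest / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[rel] = sha256_file(target)
    (dest / MANIFEST).write_text(json.dumps(manifest, indent=1))
    return manifest


def verify_restore(backup, scratch):
    """Restore the backup into scratch and check each manifest entry.
    Returns a list of problems; an empty list means the backup is usable."""
    backup, scratch = Path(backup), Path(scratch)
    manifest = json.loads((backup / MANIFEST).read_text())
    problems = []
    for rel, digest in manifest.items():
        src = backup / rel
        if not src.exists():
            problems.append(f"missing: {rel}")
            continue
        target = scratch / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        if sha256_file(target) != digest:
            problems.append(f"hash mismatch: {rel}")
    return problems


def demo():
    """Constructed end-to-end run: a good backup verifies, a damaged one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "records").mkdir(parents=True)
        (live / "records" / "001.txt").write_text("case file 001")
        (live / "policy.txt").write_text("retention policy")
        take_backup(live, tmp / "backup")
        ok = verify_restore(tmp / "backup", tmp / "restore1")
        # Simulate a backup target that was silently damaged (or encrypted)
        # after the backup was taken, which is exactly what a trial restore
        # is meant to catch before the real incident.
        (tmp / "backup" / "records" / "001.txt").write_bytes(b"\x00garbage")
        (tmp / "backup" / "policy.txt").unlink()
        bad = verify_restore(tmp / "backup", tmp / "restore2")
        return ok, bad


if __name__ == "__main__":
    clean, damaged = demo()
    print("fresh backup problems:", clean)
    print("damaged backup problems:", damaged)
```

Scheduling a run like this against each backup set, and treating a non-empty problem list as an incident in its own right, turns "we have backups" into "we have backups we know will restore", which is the property that makes a ransomware event a recovery exercise rather than a negotiation.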

Agencies should deploy security tools that are designed to defend against
ransomware attacks. These tools can quickly identify and assess a
ransomware attack, determine what systems are affected and develop a plan
of action to respond and recover.

As for whether an organization should pay or not pay a ransomware fee,
there really is no easy answer. If at some point the impact of the attack
to the agency and its clients—in terms of value—meets the amount of ransom
demanded, it might make sense for the organization to simply pay the ransom
and move on.

But it’s worth noting that paying the ransom might help validate the
actions of the attacker and encourage future ransomware attacks. In
addition, agencies have no guarantee that the attacker will actually
release the files, or provide a working means of decrypting them, after
receiving the ransom.

So, clearly, risk is associated both with paying and not paying ransomware
demands.

Ransomware is potentially one of the most damaging security threats federal
agencies are facing today. It gives attackers the ability to extort money
from government employees and organizations that are generally unprepared
for such incidents.

The more end users in the public sector can identify and understand
ransomware attacks, the better agencies can prepare themselves to defend
against them. The key to preventing or minimizing the impact of ransomware
is “data awareness”: knowing where the most vital, sensitive data resides,
how it’s protected and who has access to it. Data awareness can help
agencies prevent access, identify threats and respond effectively.

By learning as much as possible about what’s in their data and how it’s
being used, government agencies can defend against ransomware attacks and
make recovery from these incidents a simple process.