Lessons Learned from Those Who’ve Been There – (for INFINIT a K&P client)

It’s an understatement to say ransomware attacks have increased over the past two years. In fact, they’ve skyrocketed to an all-time high, and the need for proper security and prevention has never been greater. Unfortunately, they’re not entirely preventable, no matter how much a business prepares, and many companies don’t know what to do when ransomware occurs.

NFINIT has worked with several companies that experienced this very issue over the last year, so we’d like to present an aggregated view of what a ransomware attack looks like, from the typical timeline to hidden costs. Plus, we’ve outlined a few actionable tips.

First, here are the facts.

• The number of ransomware attacks jumped 150% in 2020, and ransom amounts doubled.
• Cases have continued to climb in 2021, with a 148% increase and nearly 3 million attacks so far this year.
• The impact of COVID-19 on cybersecurity was swift and stark; the FBI announced in April 2020 that it had already seen a 300% jump in cybercrimes since the beginning of the pandemic.
• At least half of the Chief Information Security Officers (CISOs) and CIOs PwC recently surveyed said they haven’t entirely mitigated risks related to remote work, cloud adoption, or digitization – and we know that cyber criminals are taking advantage of those trends.

Never Too Safe

Nearly every company we’ve worked with through a ransomware incident felt they had taken the proper precautions by having adequate equipment, data backups, and virus scans. But being behind by even a single update can provide enough of an opening for hackers.

In one case, our client’s firewalls were one patch level behind, and that new patch level had just launched. The hackers took advantage of that vulnerability. In another instance, our customer brought in a third-party consultant that happened to have a PC that was infected, and the customer didn’t run virus-scan on that computer before syncing it with the company network. Yet another client administrator logged into an infected computer at a store, opening up the network to attack.

Even multi-million-dollar enterprises that house critical infrastructure and surely employ impressive in-house cybersecurity teams, such as Colonial Pipeline, have fallen victim recently. (Our CEO addresses this topic in an alert we issued regarding ransomware attacks in May 2021.)

Shock and Awe

In each case we’ve worked with directly, though the specific causes varied, the initial IT shock was the same. By the time an attack is identified, hackers have had a chance to pull data over to their devices and start searching for important information such as credit card numbers, social security numbers, or anything else of value, sending IT personnel into panic mode.

After that initial shock, personnel are tasked with identifying how widespread the attack is and which departments are affected. Machines are checked and the IT department starts to identify not only how far the attack has reached, but also how to start the recovery. View our day-by-day interactive Timeline of Events. 

Establish New Methods of Communications

Happening simultaneously is the new communication path. Email communication is often lost and with that typically being the primary method of communicating between team members, a new method has to be established, which most often includes phone calls and texting. Any physical locations also have to be made aware of the attack and informed that they cannot conduct business until recovery has started.

Notification

One of the first calls to make during these attacks is to the cybersecurity insurance company, which we strongly advise you to retain. It’s important to have a designated company representative who is tasked with reaching out to the company insurance rep, who then begins the process of communicating and negotiating with the attackers. (It’s typical for both insurance companies and attackers to have professional negotiators for these situations. Both are well versed in dealing with the other side and working together to arrive at a more reasonable outcome.)

While the insurance company handles the negotiation, the data center / IT partner (such as NFINIT) often manages the data backup and recovery process. NFINIT is able to bring machines online on a separate network, allowing access for a third party to do security posture checking.

Prepare for the Hidden Costs of Ransomware

There is often an added layer of surprise baked into the attacks in the form of unexpected costs. While most focus on the lump sum for the ransom, a hefty checklist of additional costs soon arises, both in the form of payouts and productivity. In fact, in all of the cases we’ve seen lately, the ransom itself ended up being relatively small when compared to the additional fees, opportunity costs, and other budget hits.

In general, ransoms are requesting funds for three major components

1. to get your data back
2. to keep hackers silent about the attack
3. to find out how you were breached.

Beyond the initial attack, the additional hard-line costs bubble up during the insurance process and requirements. The negotiator works with a pre-set deductible outlined in each contract to use as the ransom payout. From there, each company is given a checklist of third-party services and vendors for the rebuild and recovery.

Regardless of the specific situation, a company under attack is faced with the loss of productivity from their IT teams while they work on recovery. The data recovery and backup process pulls team members from other projects they might be working on for anywhere from 3 to 6 weeks. During this time, CFOs are also tied up working with the insurance company (if the company has one), which means a loss in productivity from the C-suite as well.

In addition, we can’t forget the actual interruption in business while networks and systems are locked down, and while it typically only lasts for a few days, it results in an almost invaluable loss in terms of overall profit. Not to mention costs that are more difficult to quantify but have a major lasting impact, such as loss of trust from customers.

Recovery and Results

NFINIT is able to make a difference in the outcome of these attacks within several key areas of focus. First is aiding in micro-segmentation, which helps with prevention and limiting an attack footprint. NFINIT works with clients to segment their networks in a way that provides each employee access where necessary while mitigating the fallout of future attacks. NFINIT works with clients in a consultative way to determine which machines should be segmented, which users should have access to what, and which cybersecurity rules you should establish company-wide.

Second, NFINIT plays a major role in backup and recovery. As full-time network engineers and data center technicians, the NFINIT team uses and manages the equipment every day and knows the ins and outs of customer IT environments.  Having a cloud provider not only adds resources in high-stress, all-hands-on-deck – but highly trained, expert resources. Oftentimes, IT teams managing data on-premise haven’t used certain equipment and software in months and struggle to pull the right levers on game day.

Last but most important: NFINIT leverages the team’s roots as previous software vendors, retailers, and manufacturers – the end consumers of technology – to evolve into being a trusted advisor rather than a simple vendor.

The good news is, in all recent ransomware cases we’ve helped with, our clients paid either zero ransom or a negligible amount compared to the original ask – plus, their strategically managed IT infrastructure helped to mitigate what could have been catastrophic events for those companies. Clearly, having the right players on your team can make all the difference should your company suffer from an attack.

NFINIT’s Top Quick Tips

1. Get cybersecurity insurance, today. Cybersecurity insurance is a relatively new concept, so we understand if you might question its worth. But in our experience, our clients who’ve had it have seriously minimized costs and stress levels; in the moment after you first see a ransom message on company computers, cybersecurity insurance is worth its weight in gold.
2. Work with a third-party technology partner to evaluate your data practices, today. All data should not be treated equally. In order to keep your most critical business data safe while meeting cost-savings requirements, data tiering is often necessary, and it’s a step that many enterprises are missing. Hire a third-party partner who can evaluate your data storage and practices with a fresh set of eyes, compile a best practices system in case of an attack, and be there for you should every IT director’s worst nightmare come true. We like to remind our clients that cyber-attacks are not entirely preventable. Ensuring that you can quickly and efficiently recover data, applications, and critical systems is the best way to hedge against a crippling breach.
3. Don’t assume you’re protected. We can’t emphasize this enough: every company we’ve assisted during a cyber-attack felt confident in their security practices. For this reason, our second tip, above, is critical! Check your patches. Make sure third-party consultants have passed your cybersecurity clearance before tapping into your network. And above all, bring in someone outside of the company – a fresh set of eyes – to go through your network security checklist. It might not prevent an attack altogether, but with the right partner, it will go a long way toward minimizing the effects.

To learn more about how NFINIT can help, contact us today.