FBI Warns of ‘Targeted’ Ransomware Attacks Against U.S. Businesses
While the overall frequency of attacks has been declining since early 2018, authorities warn that successful infections are doing more damage than ever. Attackers are using new methods to disrupt high-profile organizations, and they’re demanding higher ransom payments.
To help businesses protect themselves against attacks, the FBI has issued several critical guidelines that we outline below, including the need to maintain a “robust system of backups.”
2019 FBI Alert: Ransomware Attacks Against U.S. Businesses
This isn’t the first time that the U.S. Federal Bureau of Investigation has warned businesses about the dangers of ransomware.
In September 2016, the agency released a statement about the emerging threat, which was still relatively unknown in the business world. This was prior to the global attacks of WannaCry and NotPetya in 2017, which affected thousands of systems around the globe.
At the time, the FBI statement warned that attackers were charging ransoms based on the number of hosts or servers infected.
Officials wrote: “This recent technique of targeting host servers and systems could translate into victims paying more to get their decryption keys, a prolonged recovery time, and the possibility that victims will not obtain full decryption of their files.”
Three years later, businesses are more aware of the threat, but the threat has become more challenging. Last week’s FBI statement said, “Ransomware attacks are becoming more targeted, sophisticated, and costly,” and despite a slowdown in frequency, “the losses from ransomware attacks have increased significantly.”
A $95 Million Example
You don’t have to look far to find proof of the FBI’s warnings.
Just last month, one of the world’s largest hearing aid manufacturers was sidelined by a ransomware attack that is on track to cost the company $95 million.
Demant, based in Denmark, hasn’t revealed many specifics, but the company confirmed that its entire IT infrastructure was severely impacted. A full month after the infection, the company has still not fully recovered. The attack has affected nearly all of its operations, from production to order fulfillment. The company expects to spend roughly $7 million rebuilding its infrastructure, while the remaining $88 million would come from lost sales.
It’s the same story at other large companies that have been hit over the last few years. Attacks on companies like Merck, FedEx, Maersk, and Norsk Hydro have resulted in losses of $70 million to $300 million each.
How is ransomware so destructive?
Ransomware is a form of malware that encrypts your files and demands payment in exchange for restoring them. By effectively locking you out of your data, an infection can break applications and render computers unusable.
But it’s not just the loss of data that costs organizations so much money. The deepest losses stem from the impact on operations:
- Inability for workers to perform their jobs
- Lost productivity and wages
- Lost revenue from inability to take orders or fulfill them
- Interruption in manufacturing or production processes
- Breakdown in communication with clients, customers and employees, due to loss of email
- Long-term revenue losses due to damaged reputation
How is all that damage possible?
Consider a typical scenario in which an infection takes root. First, an employee loses access to files. Then, an entire department is locked out. Soon, the entire company is affected. Nobody can access email. Critical applications can’t be opened. Everything comes to a screeching halt.
Experts calculate that the downtime caused by ransomware can cost businesses between $10,000 and $5 million per minute, depending on the size of the company. So if organizations can’t quickly resolve the issue, they face a long and very expensive recovery.
How do infections happen?
Before we dig into methods for preventing an attack, it’s important to understand how and where ransomware infections begin.
The new FBI ransomware statement identifies three primary ways hackers compromise your systems:
- Email phishing: Hackers send emails containing malicious links or file attachments that infect a user’s computer with ransomware when clicked. Hackers have traditionally blasted out these emails in bulk with the hopes of infecting as many computers as possible. The difference now is that attackers are increasingly targeting their emails to specific industries and organizations. Additionally, sometimes the email accounts themselves are compromised and used to send out the malware-laced messages, making them even more deceptive.
- Remote Desktop Protocol (RDP) vulnerabilities: Used securely, RDP is a useful tool that lets users control another computer over the Internet. But when it’s not configured correctly, it can create a window for hackers to gain access. Attackers often use brute-force methods to “guess” a user’s weak credentials, or they purchase compromised credentials that are listed for sale on the dark web.
- Software vulnerabilities: Outdated and unpatched applications are especially vulnerable to being compromised. Attackers exploit weaknesses in widely used software (as well as vulnerable in-house developed applications) to gain control of a user’s system.
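The RDP entry point described above is visible in the logs long before any file is encrypted, which is also why the FBI’s later recommendation to log every RDP login attempt matters. The following is an added example, not code from the article or the FBI alert: it keeps a sliding window of failed logons per source address, flags any source that exceeds a threshold inside the window, records how many distinct accounts that source tried (many accounts from one source is password spraying; one account many times is guessing), and notes whether the same source later logged on successfully, which is the finding a responder needs first. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows Security log values; the whitespace-separated line layout, the addresses and the account names are constructed for the example and are not an export format.

```python
"""Flag password guessing against RDP from failed-logon records (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

EVENT_FAILED_LOGON = 4625      # Windows Security: an account failed to log on
EVENT_SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10            # RemoteInteractive (Terminal Services / RDP)
THRESHOLD = 5                  # failures from one source inside WINDOW that raise a finding
WINDOW = timedelta(minutes=5)

# Constructed sample records: timestamp, event id, logon type, account, source address.
SAMPLE_LOG = """\
2019-10-07T08:00:01 4625 10 administrator 203.0.113.5
2019-10-07T08:00:09 4625 10 admin 203.0.113.5
2019-10-07T08:00:17 4625 10 test 203.0.113.5
2019-10-07T08:00:26 4625 10 backup 203.0.113.5
2019-10-07T08:01:02 4625 10 sales 203.0.113.5
2019-10-07T08:01:11 4625 10 jsmith 203.0.113.5
2019-10-07T08:01:40 4624 10 jsmith 203.0.113.5
2019-10-07T08:05:00 4625 10 mlee 198.51.100.9
2019-10-07T08:05:30 4624 10 mlee 198.51.100.9
2019-10-07T09:30:00 4625 3 svc-backup 10.0.0.12
"""


def parse_line(line):
    """Split one constructed record into (timestamp, event_id, logon_type, account, source)."""
    ts, event_id, logon_type, account, src = line.split()
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), account, src


def analyze_rdp_logons(log_text, threshold=THRESHOLD, window=WINDOW):
    """Return {source: finding} for every source with >= threshold RDP failures in a window.

    A finding holds the failure count, the sorted distinct accounts tried, the first
    and last failure timestamps, and the first successful RDP logon from that source
    after it was flagged (None if there was none).
    """
    recent = defaultdict(deque)   # source -> (timestamp, account) of failures still in window
    findings = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, event_id, logon_type, account, src = parse_line(raw)
        if logon_type != RDP_LOGON_TYPE:
            continue              # network or console logons are out of scope here
        if event_id == EVENT_FAILED_LOGON:
            q = recent[src]
            q.append((ts, account))
            while q and ts - q[0][0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold:
                previous = findings.get(src)
                findings[src] = {
                    "failures": len(q),
                    "accounts": sorted({acct for _, acct in q}),
                    "first": q[0][0],
                    "last": ts,
                    "success_after": previous["success_after"] if previous else None,
                }
        elif event_id == EVENT_SUCCESS_LOGON and src in findings:
            # A success from a source already flagged for guessing is the urgent case.
            if findings[src]["success_after"] is None:
                findings[src]["success_after"] = (ts, account)
    return findings


if __name__ == "__main__":
    for src, f in analyze_rdp_logons(SAMPLE_LOG).items():
        print(f"{src}: {f['failures']} failures against {f['accounts']}, "
              f"success afterwards: {f['success_after']}")
```

Against the sample, only 203.0.113.5 is reported: six failures across six accounts in just over a minute, followed by a successful logon as jsmith. The single mistyped password from 198.51.100.9 and the non-RDP failure from 10.0.0.12 are ignored. On a real host the source lives in the IpAddress field of event 4625, and the threshold and window should be tuned to the environment; a closed RDP port and two-factor authentication, as the FBI recommends, remove most of what this script would otherwise find.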
Once a computer or server is infected, the ransomware is typically designed to spread outward, infecting as many machines on the network as it can. When pharmaceutical giant Merck was hit by NotPetya ransomware in 2017, all of its offices across the United States were affected.
FBI Recommendations for Prevention
The FBI has issued several critical recommendations to help businesses reduce the risk of an infection and maintain continuity if an attack does occur.
- Deploy a robust data backup system: Data backups ensure that you can quickly restore data to its state before the infection occurred. Restoring a clean, pre-infection image replaces the encrypted files and, with them, the malware on that system.
- Back up data frequently: Having a recent backup is essential. Otherwise, you could lose a lot of valuable data by rolling back to an old recovery point.
- Regularly verify backups: Check backups for integrity to ensure they can be restored without issue. BC/DR solutions from providers like Datto include automated verification that tests backups in the cloud to confirm they’re viable.
- Keep backups offline: Make sure backups are not directly connected to the machines and networks that are being backed up. For example, the FBI recommends physically storing backups offline.
- Train employees on web/email security: Reduce the risk of employees falling prey to phishing attacks by training them how to identify suspicious messages. All staff should be made aware of the risks of ransomware and should be educated on safe practices for email and web.
- Patch and update everything: Eliminate vulnerabilities by patching all operating systems, applications and device firmware. Enable automatic updates or use a centralized patch management system.
- Use anti-malware solutions: Deploy a business-grade anti-malware solution that can block known strains of ransomware. Enable “active” protection as well as scheduled scans and automatic updates.
- Require user interaction when applications communicate with websites: If any end-user applications need to communicate with external sites (particularly those that aren’t categorized by the network proxy or firewall), require user interaction, such as entering a password.
- Disable macro scripts from Office files sent by email: Disabling macros and using an Office Viewer tool to preview files like PDFs and Word docs (before they’re fully opened) can help to ensure that any hidden malware is not executed.
- Implement software restriction policies: Set controls over how and where programs can be executed. For example, prevent applications from being executed in common ransomware locations, “such as temporary folders supporting popular internet browsers, and compression/decompression programs, including those located in the AppData/LocalAppData folder.”
- Secure your RDP: If your organization uses Remote Desktop Protocol, harden it against compromise. Close unused RDP ports, require two-factor authentication, and log all RDP login attempts so suspicious activity can be spotted.
- Implement application whitelisting: Only permit systems to execute applications that are known and approved by the organization’s security policy.
- Implement the principle of least privilege: Prevent infections from spreading further by restricting users to only the files and directories they require for their job function. Restrict write-access on files and folders in which users only require read-access.
- Separate data by organizational value: Don’t keep all your eggs in one basket. Highly sensitive data, for example, should be stored on separate servers, in different locations and with more advanced security controls than the company’s less critical data.
- Isolate affected devices: If a device shows signs of infection, promptly disconnect it from the network to prevent the infection from spreading, and power it down until it can be diagnosed and cleaned.
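The three backup items above (back up frequently, verify regularly, keep copies offline) reduce to checks that can be automated. The following is an added example and is not code from the article, the FBI alert or Datto: when a backup is taken, a manifest of SHA-256 digests is written beside the data; at verification time the digests are recomputed and the report lists files that are missing, files whose content no longer matches the manifest (which is what an encryption run leaves behind), files the manifest never recorded (stray files that appeared later), and whether the set is older than the recovery point objective. The manifest layout, file names, sample content and timestamps are assumptions constructed for the example; the offline requirement cannot be checked in code and still has to be enforced by where the copy is stored.

```python
"""Verify a backup set is complete, unmodified and recent enough to restore (added example)."""
import hashlib
import json
import os
import shutil
import tempfile
import time

MANIFEST_NAME = "MANIFEST.json"   # assumed name for the digest manifest


def sha256_file(path):
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def list_files(backup_dir):
    """Map '/'-separated relative path -> absolute path for every data file in the set."""
    found = {}
    for root, _dirs, names in os.walk(backup_dir):
        for name in names:
            if name == MANIFEST_NAME:
                continue
            full = os.path.join(root, name)
            found[os.path.relpath(full, backup_dir).replace(os.sep, "/")] = full
    return found


def write_manifest(backup_dir, created_at=None):
    """Record a digest for every file in the set; run this when the backup is taken."""
    files = {rel: sha256_file(full) for rel, full in list_files(backup_dir).items()}
    manifest = {"created_at": time.time() if created_at is None else created_at,
                "files": files}
    with open(os.path.join(backup_dir, MANIFEST_NAME), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    return manifest


def verify_backup(backup_dir, max_age_seconds, now=None):
    """Recompute digests, compare with the manifest and check age; return a report dict."""
    with open(os.path.join(backup_dir, MANIFEST_NAME)) as fh:
        manifest = json.load(fh)
    now = time.time() if now is None else now
    on_disk = list_files(backup_dir)
    missing, corrupt = [], []
    for rel, expected in manifest["files"].items():
        if rel not in on_disk:
            missing.append(rel)                       # file gone from the set
        elif sha256_file(on_disk[rel]) != expected:
            corrupt.append(rel)                       # content changed since backup
    age = now - manifest["created_at"]
    report = {
        "missing": sorted(missing),
        "corrupt": sorted(corrupt),
        "unexpected": sorted(set(on_disk) - set(manifest["files"])),
        "age_seconds": age,
        "stale": age > max_age_seconds,               # older than the recovery point objective
    }
    report["ok"] = not (report["missing"] or report["corrupt"]
                        or report["unexpected"] or report["stale"])
    return report


def demo():
    """Build a constructed source tree, back it up, verify it, then damage the copy."""
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "source")
        os.makedirs(os.path.join(source, "finance"))
        with open(os.path.join(source, "finance", "ledger.csv"), "w") as fh:
            fh.write("2019-10-01,invoice,1200\n")      # constructed sample data
        with open(os.path.join(source, "readme.txt"), "w") as fh:
            fh.write("constructed sample data\n")
        backup = os.path.join(work, "backup")
        shutil.copytree(source, backup)
        write_manifest(backup, created_at=1000.0)     # constructed timestamp
        # One hour later: intact and well inside a 24-hour objective.
        good = verify_backup(backup, max_age_seconds=86400, now=1000.0 + 3600)
        # Simulate damage: one file overwritten, one stray file added, three days elapsed.
        with open(os.path.join(backup, "finance", "ledger.csv"), "wb") as fh:
            fh.write(b"\x00\xff not the original content")
        with open(os.path.join(backup, "stray_note.txt"), "w") as fh:
            fh.write("constructed placeholder\n")
        bad = verify_backup(backup, max_age_seconds=86400, now=1000.0 + 3 * 86400)
        return good, bad
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    good, bad = demo()
    print("fresh backup ok:", good["ok"])
    print("damaged backup:", {k: v for k, v in bad.items() if k != "age_seconds"})
```

A verification that only checks digests proves the copy matches what was written, not that the application can start from it, which is why the article’s point about test restores still stands: run this check on a schedule, and periodically restore the set to a spare system as well.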
What about paying the ransom?
The FBI has consistently advised businesses against complying with any ransom demands, for a few important reasons:
- Paying the ransom doesn’t guarantee the hackers will decrypt your data. As the FBI’s ransomware statement warns, “In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.”
- Paying the ransom supports the ransomware market, making it lucrative for hackers. This only leads to more ransomware attacks.
That said, when facing especially dire circumstances, some organizations may have no choice but to pay the ransom in the hope that they regain the data they need to function.
Regardless of which route an organization takes, the FBI urges victims to report every ransomware attack, so that criminals can be tracked and held accountable under U.S. law.
Get more information
For more information on how you can protect your critical data from ransomware and other threats, request a free demo of BC/DR solutions from Datto. Contact our business continuity experts at (646) 395-1170 or email success@invenioIT.com