by Dr Sandra Bell, Sungard Availability Services head of resilience consulting (Europe)
It’s hard to read the news at the moment without ransomware being mentioned. For example, I typed “ransomware” into Google News recently and got more than 1 million hits in 0.23 seconds. Even when I limited my search to the past 24 hours it returned over 6 pages of links. Therefore, with so many experts writing things that are sufficiently interesting or important to feature as ‘news’ — why has the problem not yet been solved?
In order to try to answer this, I delved a little further into what is being classed as newsworthy with respect to ransomware. By far the most articles that my Google search unearthed referred to new and exotic threats that had the ability to exploit hitherto unknown vulnerabilities in IT systems. As a result, ransomware is a pan-organisational problem and cannot be solved by a single product or even a range of products without significant cultural change also being implemented in an organisation.
From the CEO’s perspective, effecting this cultural change depends on knowing exactly how ransomware works, who it targets and how to deal with its consequences. Here are four facts that every CEO should know about ransomware:
1. It targets your people, not your IT system
As opposed to a traditional ransom, IT systems are both the asset being held ‘prisoner’ and the vehicle to deliver a ransom note. The actual target is the IT user and, if the target is within a business, the victim is then the business.
Locking down the IT system and the data it contains will only reduce the opportunity of it being held prisoner it will not eliminate it. Also, in many cases, a ransom note only has to convince the target that something has been taken prisoner rather than actually taking it prisoner.
It is therefore not just a case of getting your workforce to abide by security rules and keep their eyes open for dodgy ransom notes (this just helps stop the data and system becoming prisoners) — but recognising your unique psychological susceptibilities and designing work practices that prevent individuals within your workforce becoming attractive targets and you a victim.
2. It works by preventing access to something your people want
Ransomware is rendered useless if the asset has no unique value. Data, unlike a person, is easily copied or cloned. Therefore, if you always have a copy (or the ability to create a copy) then there is no point in paying a ransom to have the original released. Likewise, it is now the norm to access our data through multiple devices, which means that locking one access route should have a limited impact on the target.
3. The psychological factors work best when the target is isolated
‘Locker’ and ‘Crypto,’ the two main types of ransomware, use different tactics and are successful within different populations of people. Crypto finds and encrypts valuable data and typically asks for a fee to unencrypt the files, whereas Locker typically locks the system preventing the target from using it and imposes a fine for release.
Crypto plays to time pressure, with the promise of positive results. The perpetrator demands that the victim reacts quickly – without notifying senior figures in IT administration – in order to avoid repercussions and the potentially damaging effects of being identified as responsible for the loss of data.
By contrast, Locker often works by deception. The perpetrator poses as an authority figure who has supposedly identified a misdemeanour and convinces the user to comply with their wishes by suggesting that anything they have done wrong will be used against them.
The effects of both these tactics are greatly amplified if the target either perceives themselves to be or can be physically isolated from their colleagues and their organisational support network.
When you look at the victims of ransomware they are often people with vocations (eg doctors, nurses, policemen or homeworkers). If you are in an open-plan office and a ransomware screen pops up you are very likely to point it out to your colleagues before taking action yourself. However, if you are in your home office or feel only loosely affiliated with your employer then you are more likely to take matters into your own hands.
The risk of ransomware can therefore be reduced by fostering a corporate culture that reduces the feelings of real or perceived isolation.
4. Good defence is desirable – but quick reactions and strong leadership are essential
An attack is almost always still taking place when you launch your response and recovery. This means that if you only have a single response plan, without the means to deviate from it, your opponent will quickly learn what it is and overcome it. In short you will become a victim.
Therefore, even with a solid backup strategy, and decent business continuity and disaster recovery arrangements in place, your response will be unsuccessful unless you also have the crisis Leadership skills to adapt your response in real-time and lead your organisation through the complex, unstable environment created by a large-scale ransomware attack.
There is no single solution to the ransomware problem. However, organisations that are most successful at managing the risk have departed from the tactic of protecting valuable assets from becoming ransom prisoners and take advantage of the features that data and IT systems offer. They have also recognised that much can be done to safeguard their people from becoming targets and they know that if they adopt an offensive stance, they can do much to prevent themselves becoming victims at the organisational level.