This content was published prior to the merger of equals between BKD and DHG on June 1, 2022.
Considerations for Preventing Ransomware Attacks
EPISODE 73: Senior Consultants John Cole and Justin Lance join us on Growthcast to discuss the recent increase in ransomware attacks across the United States, what makes organizations more vulnerable to ransomware and how they can take additional cybersecurity measures for protection.
[00:00:09] JL: Welcome to today's edition of DHG's GrowthCast. I'm your host, John Locke. At DHG, our strength relies on our technical knowledge, our industry intelligence and our future focus. We understand business needs and are laser-focused on company goals. In this ever-changing world, DHG's GrowthCast provides insights and thought-provoking conversations on topics and trends that address growth opportunities and challenges in the current and future marketplace.
Thanks for joining us as we discuss tomorrow's needs today.
[00:00:42] ANNOUNCER: The views and concepts expressed by today's panelists are their own and not those of Dixon Hughes Goodman LLP. Always consult the advice of your legal and financial professional before taking any action.
[00:00:58] JL: Today's topic is cyber attacks and specifically ransomware. Joining us today to discuss the potential impacts of ransomware attacks on your business are two senior consultants in DHG's cyber security unit, John Cole and Justin Lance. Gentlemen, welcome to GrowthCast.
[00:01:16] JC: Thank you.
[00:01:17] JL: John, no question that we have been hearing a lot in the media about an increased number of cyber attacks. It just seems to be relentless. It's just one after another. Can you provide us an update on a few of the more recent events that have taken place?
[00:01:37] JC: Yeah, John. Thank you. Yeah. The last couple of months, there have been a series of really high-profile ransomware attacks that even people outside of the security industry and normal people are hearing about this in the news and it's affecting their everyday lives. I think that one of the most high-profile was the Colonial gas pipeline attack a couple of weeks ago over the holiday weekend, in Memorial Day. Everyone was struggling to find gas and it was affecting everyone. It was an interesting time where people who aren't really familiar with cyber security and ransomware attacks were starting to maybe ask questions because their personal lives were being affected.
I know for example, I tell my wife every now and then, there are high-profile events that happen in the news and I will explain to her. These types of events are things that our group deals with. Answering questions from clients, trying to help protect their resources and we're doing our best to keep our clients out of the news. When your service is needed, it's necessary for every person in the country or the world, and you can't provide it because of a lack of security controls or because you are susceptible to a ransomware attack and you can't provide that service anymore. That's bad PR that you may never recover from.
[00:03:14] JL: Yeah, especially when it hits your food supply. Didn't we have a meat producer that got hit?
[00:03:19] JC: Yeah, meat producer, water supply, utilities, major providers of essential products. I mean, there's so much scale than bad press at that point. There are potential supply problems that could take weeks to recover from and could potentially affect people's lives in a really negative way.
[00:03:44] JL: When you think about all of this happening as a consumer of media information, you really don't know whether it's just one sensational issue or is it really an upward trend. What kind of an increase actually have we seen in ransomware attacks? Let's just say, since early 2021.
[00:04:03] JC: Well, I think there have been, like you mentioned, there are some high-profile attacks that any lay person off the street could talk about, which is very unusual. I think that's very unusual for people in our industry to recognize that when people who aren't in the cyber industry are talking about ransomware, it's probably not a good sign. But it goes back to even — I remember a lot of high-profile cyber attacks from 2019. There was a series of municipal lockdowns with Baltimore, Greenville, North Carolina and Atlanta. They all had these cyber attacks that were really high-profile and they were very underprepared and it caused a lot of issues with the recovery and systems that were essential were offline and it was a really messy recovery effort.
I think things kind of got a little bit quiet in terms of mainstream ransomware exposure until earlier this year. I think that, I mean from my experience, we've never seen anything like the Colonial gas pipeline that just was an explosion of media coverage. Everyone talking about everyone's lives were affected and I feel like that's the takeaway from the ransomware attacks of 2021 so far.
[00:05:29] JuL: To add to that, we really haven't seen a ransomware increase like this since 2017 when a major shipping company was affected by the WannaCry ransomware. With that company, they basically halted all operations for two or three weeks, majorly impacting shipping to the U.S. and lots of parts of the world.
[00:05:49] JL: Justin, we've thrown around this term ransomware several times between you and John already in the podcast. Let's just take a second and define this for our audience. What actually is ransomware and how does it differ from other cyber security breaches?
[00:06:09] JuL: We define ransomware as a software or service that can come into a network by an end-user clicking on a phishing link, and then infecting with a virus a computer on the network and then can be spread around the network to affect all systems and servers, encrypting them and making them not be able to be used for typical operational purposes.
[00:06:31] JL: What is this, just kind of the impact of ransomware in an average organization when you think about how many people would potentially be vulnerable to this? It seems like there are just a multitude of things that could be impacted. Could you just give us an idea of what people would experience around this?
[00:06:58] JuL: Sure. The typical experience for a company that will be infected by a ransomware, is that a single user would first be impacted, their machine would get encrypted and it would stop functioning to where they couldn't log in and do their typical daily tasks. But if it's an advanced ransomware, then it will typically spread throughout the network at that point, infecting other computers, workstations and servers to the point where the business operations would be halted for that day or until that ransom was paid and requested by the initial hackers.
That's kind of where the shipping issue that we talked about earlier came into play. It encrypted a bunch of the dock workstations at the shipping ports to where they were able to know where certain packages were or certain freight was within the ships? They weren't able to unpack or repack the ships for their final destinations to different countries.
[00:07:49] JC: In terms of operational impact, ransomware is probably the worst type of cyber security event that could happen to an organization, because it totally locks out users from accessing their computers, their machines. Servers are locked up, it can't be used. If you aren't very prepared, in fact, if you're not over prepared for an event like this, then it will take you a lot of time to recover and it can be very costly. Something I like to kind of bring up, an anecdote that I like to bring up is that, the people who are executing these types of attacks, they are highly trained, highly skilled and they realize that there's a lot of money in this and they are —
You can consider them to be business people and they understand that there's a customer service aspect to this, so they want to get in, encrypt your files and have a lot of urgency on this. They know that you can't perform — if you're not prepared for this attack, you can't recover from it on your own. And they're going to say, “If you want to return to operation, we can help you return to your operations if you pay us this money within a certain amount of time.” As we've discussed a little bit, a lot of companies are willing to pay because they know that the cost-benefit analysis of the situation will benefit them by getting their operations back rather than trying to rely on old backups or rely on their own recovery techniques.
[00:09:30] JL: We mentioned earlier about utilities being somewhat of a target. Who and why are some of the companies targeted? Are some just easier to get to? Is it a fact that they have a robust infrastructure around cyber security or what really causes someone to choose one company over another relative to their targeting for a ransomware attack?
[00:10:02] JuL: The ransomware attacks really occur between two vectors. One is companies that aren't prepared enough to deal with the ransomware outbreak. Two is ones that are willing to pay if something was to happen. That happens with like oil, natural gas and shipping potentially, those are core services that need to continue and have continuation. So if an attacker attacks those, then they know that those are some industries that can't necessarily rely and continue without them, so they're more willing to pay the ransom to continue operations.
[00:10:35] JC: Through open-source intelligence gathering techniques, you can kind of get an understanding for which companies may not be able to respond quickly or may be more susceptible to actually executing the ransomware attack. They seek them out and they do a lot of preparation. It's not like a random thing that they decide on one day like, “I'm going to attack this company because it's going to be easy.” They do put a lot of thought into their targets and sometimes, it can take weeks or months of kind of putting out little filler, waiting for someone to bite, then finally you're in. You hear a lot of stories about, once they do the forensic analysis after an event like this, you'll see that there are signs that there were foreign presences within the network doing data exfiltration or performing cyber attacks on your network for weeks, months prior to being discovered and finally executing the ransomware.
Because think about it like this, if you can get the data out, sell it, perform as many negative actions inside the network as you can before you encrypt everything and get discovered, then they're definitely going to try to go for that.
[00:12:00] JL: Well, this is a battle that has to be fought on multiple fronts. I'm sure the government as a whole is taking this pretty seriously because you hear them talk about elections and things like that, that are being attacked. What is the government's role in all of this, Justin?
[00:12:18] JuL: The government hasn't necessarily decided yet what their route needs to be. They said that their priority is first defending and protecting the United States' borders and themselves from cyber attacks, then second, the companies within. That being said, they do want to continue protecting us and our assets, but they don't necessarily have control over who attacks certain parts of industry. Like the oil producer that was attacked earlier this month or last month was not necessarily part of the — the government wasn't, but was a core part of our nation's assets. The government said that they can't necessarily protect those core assets, but that they're trying to deal with it with diplomacy.
[00:13:06] JL: It's kind of tricky. Local individual companies got to be on a high alert, government has to be out there, kind of spotlighting. If I'm a leader of a company right now and I'm thinking about my vulnerability, how do I decide how much of an investment I want to make in protecting my infrastructure? Is there any way for me to make a judgment call on that?
[00:13:39] JuL: Sure. The easiest way that we see it is to have, first, a vulnerability assessment. Understand your risks where they exist within your network. Then try to make a list of checklists from that point of what to cross off. We see the companies are dealing in ransomware, that they attack the most vulnerable companies first. If you were better off than the next guy or the next company out there, that you're less vulnerable to be attacked by one of these bad actors. This isn't always the case, but could be true for a lot of industries. Having a vulnerability scan or vulnerability assessment and understanding your place within that ranking order of how you sit both from your external network and internal network is a great place to start.
[00:14:28] JL: I think we also saw quite an uptick in unusual categories of business if I recall. Hospital systems, healthcare providers were in the spotlight as far as ransom attacks during the COVID period of time. What makes them especially vulnerable, anything specifically that you can think of?
[00:14:52] JuL: Yes. We find that hospitals historically have had a lot of outdated equipment, that for either cost reasons or the vendor of equipment that they can't be updated and patched regularly. We still see systems in hospitals, machines in hospitals that still deal on software from 2013 regularly connected to the internet. We consider that a major risk within our healthcare industry and we're trying to help those clients secure those devices, but it's still a major issue. That goes back to them being a more vulnerable target that are more willing to pay for an encryption while to unencrypt data because there are critical infrastructures.
[00:15:38] JC: Not to mention that health records and data related to healthcare is really important to protect. And for these clients, if they were to lose some of these health data, then it would be a lot more valuable to potential attackers than the normal credit card data. That's another reason why they could be seen as high-value targets.
[00:16:07] JL: We talked already about one of the first things that company should do and leaders should consider if they have any question about their current infrastructure safety and that's a vulnerability assessment. If you could, just share with our listeners beyond a vulnerability assessment, what might be a couple of things that people really need to be thinking about doing or investing in fairly quickly to make sure that they're protected as possible from future ransomware attacks.
[00:16:42] JuL: Sure. A few things that we recommend to start out as great protection from ransomware attacks is first, a robust end-user awareness training program. We see time and time again that the way the most ransomwares get into companies is a single employee clicking a link to a phishing email. The first line of defense should always be considered to be the human element, as us as users of the company or employees of the company. A robust phishing program to protect and defend against phishing, and then training users to not click on phishing emails will be the first line of defense against a type of ransomware.
[00:17:26] JC: A lot of companies see end-user training awareness programs as just a box to be checked on their audit report. I think that Justin and I have found that the more companies that have a people-focused approach and they know users by name who might be repeat offenders on their phishing assessments. They're typically the companies who are most prepared for these types of events and they take seriously the threat of phishing attack, because they know that the potential risk of one of their users clicking, providing credentials could be what it takes for an attacker to gain access to their network. After all the money you've spent on security appliances and security controls, if one user gives up their username and password, then that could be the beginning of the end for their network and could potentially lead to a ransomware attack.
[00:18:35] JuL: An additional control we definitely recommend all our clients follow is robust backup and restoration capabilities within their IT infrastructure. We see a lot of clients not necessarily have automated backups placed within their environment to where they backup their core applications within a timely manner. We recommend that they definitely continue to get on to a schedule for their backups that can be restored to. Also, restoration is a major part of the whole backup for restoration process, to where Colonial Pipeline, one of their major issues was the time it would take them to restore for backups, was one of their key issues of why they paid the ransom, because they hadn't tested their restoration process well in advance to be prepared for how long will it take to restore or what would their core infrastructure systems to restore immediately after the incident.
[00:19:30] JL: Well, there is a lot in play here and I think it's safe to say that these ransomware attacks are not going away anytime soon. I think we all need to stay vigilant and encourage each other. I love those recommendations about the vulnerability assessment, end-user training and kind of having a robust phishing awareness program. If our listeners, Justin and John, have any further questions or just want to bounce some things off you as it relates to where they're at versus where they need to be, how might they communicate with you or your team?
[00:20:08] JuL: If anyone wants to talk to John or I about where their security program is or what improvements they need to make or directly with what's going on in their current environment, you can email us at email@example.com.
[00:20:26] JL: firstname.lastname@example.org. That's pretty simple and easy to remember. Hey! Thanks, guys. I really appreciate your time and sharing your insights on this really important topic, because I think we all know that everybody's lives can change in a moment once something like this happens within an organization. Some great suggestions, some things to be aware of, but we appreciate all the work that you're doing for our clients and just making a difference in the future of cyber attacks and ransomware in our country. Thanks for all you're doing.
[00:21:02] JC: Thanks so much, John.
[00:21:03] JuL: Yeah, absolutely. Thank you.
End of Interview
[00:21:08] JL: Thank you for joining us today on GrowthCast with John Cole and Justin Lance with DHG's Cyber Security group. I'm your host, John Locke, and I look forward to reconnecting with you soon on another episode of DHG GrowthCast. Until then, be sure to rate, review and subscribe to DHG GrowthCast on Apple Podcast, Spotify or Podbean.