TECH INTELLIGENCE: Do not pay

A better plan for dealing with ransomware attacks

Carl Mazzanti//October 7, 2024//

Ransomeware

PHOTO: DEPOSIT PHOTOS

Ransomeware

PHOTO: DEPOSIT PHOTOS

TECH INTELLIGENCE: Do not pay

A better plan for dealing with ransomware attacks

Carl Mazzanti//October 7, 2024//

Listen to this article

Recently, I was at an event and an official from a municipality in New Jersey approached me. The person – who is not a client – told me they had suffered a cyber attack that crippled their network and had just authorized a $500,000 ransomware payment to get the hacker to release their systems. I wish they had spoken with me first.

Carl Mazzanti
Mazzanti

These kind of payments are, unfortunately, increasingly common. A hacker sneaks by the digital defenses of a municipality, company or other organization, and locks up their system, threatens to release confidential information, or lifts personally identifiable and other information to target other people with all sorts of scams.

In early 2022, for example, a city in Florida was crippled when a ransomware attack took down its computer systems. In August 2022 a local sheriff’s system was targeted, impairing the office’s ability to process criminal arrests. One study found that nearly half of all ransomware attacks are directed against cities.

Municipalities are often encouraged – by their insurers – to pay the ransomware. That is likely because they either expect to get reimbursed by their own reinsurer, or because the carrier will make it back through higher premiums.

Another possibility is that law enforcement may be able to track down the bad actors and return a good chunk of the cash. That is what happened in the case of Colonial Pipeline — which paid about $4.4 million in May 2021 after its oil and gas pipelines across the eastern U.S were crippled by ransomware. About a month later, the U.S. Department of Justice announced it managed to recover about $2.3 million of the ransom payment.

It is good that insurers can spread the risk through reinsurance, and I am happy for Colonial Pipeline. But any time a municipality or other organization pays off a ransom demand, they make a big mistake. It is sort of like saying: “My roof leaks every time it rains, but instead of fixing it, I will put a bucket underneath the drip.” They are addressing the symptom, instead of the cause.

And just as a leaky roof will only get worse over time, paying a ransom to a cyber attacker just guarantees that you are a good customer — hackers know you are an easy source of revenue, and they will keep coming back. One report found that 36% of organizations that made one ransom payment were hit again, while 41% who paid failed to recover all of their data.

We see this all the time when victimized organizations reach out to us for the first time (after the fact, unfortunately) and ask us to help them clean up their operations.

We get them back up and running, but we also always advise them to a) not pay the ransom in the future and b) make an investment in their own cyber infrastructure, which will reduce their risk of being penetrated.

It is a matter of setting up layered defenses – encompassing human and technological elements – that together can keep out bad actors. With this strategy, even if they manage to breach one portion of your cyber defenses, other layers will still stand and block them.

The configuration of training and technology will be customized for each organization, but these layers typically include:

  • Training – so employees are aware of phishing attempts and how to avoid being scammed by them.
  • Password protections – including generating hard-to-guess passwords, keeping them secure from unauthorized eyes, and changing them periodically.
  • Multifactor authentication – or a way of proving that, when you try to sign into something, you really are who you say you are.
  • AI-enabled tools – can scan for suspicious behavior, and Issue alerts or quarantine suspicious emails and other communications.
  • Automated and AI-backed SIEM/SOC platforms (security information and event management/security operations center) – that help prevent data breaches. SIEM monitors network traffic and resources providing centralized security dashboard displaying alerts and suspicious activity. SOC hunts for threats and reports on issues in digital environment providing 24/7 monitoring and threat response and assessment and management of compliance for regulated industries

 

Municipalities and other organizations routinely collect a great deal of sensitive information, which makes you a rich target for cyber criminals. Attacks against municipalities and other organizations are rising and are also getting more sophisticated. But when you refuse to pay a ransom, and work with an experienced cybersecurity partner, your network and data will be safer, and your bank account will stay healthier.

Carl Mazzanti is president of eMazzanti Technologies in Hoboken, providing IT consulting and cybersecurity services for businesses ranging from home offices to multinational corporations.