Don’t Wait Until Ransomware Has Your Business Locked Down

Ransomware victims are paying hundreds of thousands of dollars to cybercriminals. It doesn’t have to be this way!

March 3, 2020 • Published by

In my daily scan of the security news headlines, I’ve been noticing that more and more frequently, companies hit by ransomware are paying up. A more recent example is the City of Cartersville, Georgia, which paid a whopping $380K to its attackers.

Why are businesses and municipalities going against the guidance of the FBI, Secret Service, etc., and paying the ransom? The reality for many victims is they must get back online and functional as quickly as possible. (In some instances, recovering from backups is actually taking longer and has more internal cost than some of the ransom payments; in others, the businesses don’t have usable backups.)

As a primary engagement, ControlScan just handled an incident response for a 30-plus location convenience store chain. They were not targeted specifically; they happened to be sitting on Comcast Internet and had a poorly configured system exposed externally. Attackers are constantly scanning commonly used Internet providers for these kinds of vulnerabilities to exploit. While they didn’t pay the ransom, it did cost this chain well into the $60K range just to recover point-in-time and get things back to “normal.”

Plan ahead to save time and money.

More companies are being hit, and more companies are being forced to pay a potentially non-recoverable “ransom fee” if they don’t have plans in place. These plans need to include:

  1. Prevention – Block and stop the attacks before they create an incident. It’s not if companies get attacked, targeted, or become a victim of “friend of a friend” emails… it’s when.
  2. Detection – Sometimes even the best prevention mechanisms can slip. Know when you are impacted, quickly, so you can contain and minimize the damage.
  3. Response – Know what to do when a legitimate threat is detected, whether that is through internal, knowledgeable incident response, or through the assistance of an MSSP partner like ControlScan.

We saw Ursnif hit a financial services client just last week. Ursnif is a piece of malware that is designed to steal data, usually around the financial space. It steals browser sessions, cookies, usernames/passwords stored in the browser, and sits and watches what you type into websites through keyloggers. The source of the attack? An email from a trusted partner of theirs, from an email address they were used to receiving emails and links from.

Because ControlScan is this financial services firm’s partner for MDR, the malware was blocked, our SOC efficiently responded to contain and clean the affected system, and there was ZERO impact to the company. You can imagine the impact for a financial services company that does a lot of logging in and out of bank accounts, investment accounts, etc. The cost to this customer for that protection was minuscule compared to the potential havoc an Ursnif malware attack could have wreaked.

Ransom payment recovery is a HUGE deal.

Remember that c-store chain I mentioned earlier? The ransom was initially set to $100K in order to get their systems and files decrypted.

That was a number their executive team was unwilling to pay, because of the financial impact to their business. Imagine your company staring at the realization it could be out of business because a random employee opened an email. I don’t like scare tactics, but these real-life examples are sobering.

One more recent example: An email from our sales team about MDR and how important it is was sent to a company that became an incident response client… They received it 2-3 weeks prior to getting hit with ransomware. “I was interested but figured we could look at it later” was their response when I asked why they didn’t contact our team earlier.

Ready to talk? Give us a call at 800-825-3301, ext. 2, or complete and submit the “Request Information” form on this page.