Nov 07 2019

The Ransomware Blues


Ransomware attacks have proven to be devastating in 2019, and the stakes are growing for public and private organizations. Attacks have disrupted government and municipal services, halted medical surgeries, and forced businesses to close for good. The average ransomware insurance claim from a large company is roughly $2 million, and claims from smaller companies are approximately $150k – 250k. Ransomware is being used more strategically and has proven to be increasingly effective, amounting to greater ransoms. A modern-day ransomware attack is something most organizations simply cannot afford.

Notable Attacks

Dental data backup firm compromised

PerCSoft, an IT managed services provider specializing in the dental industry, was hit with a ransomware attack affecting nearly 400 dental practices that relied on their services. The attack disabled the dental practices’ ability to process and access patient data, which resulted in frustration, damaged reputations, and a loss of revenue.

PerCSoft chose to pay the ransom, but not all of the data could be decrypted. After several days of recovery efforts, only 25% of the 400 affected practices were restored, while the majority remained down.

Medical providers close for good

Michigan-based Brookside ENT and Hearing Center was hit with a ransomware attack that encrypted its entire EHR system. After the practice refused to pay a $6,500 ransom, hackers responded by wiping the entire EHR system. All patient records, appointment schedules, and payment data were completely erased. Rather than attempt to recover from the incident, Brookside ENT decided instead to close its doors forever.

In a similar scenario, Wood Ranch Medical in Simi Valley, CA, will permanently close its doors after a ransomware attack encrypted all patient records on August 10, 2019. Not only did the attack force the practice to close, it also caused considerable inconvenience for its patients, whose healthcare records were permanently lost.

Hearing aid manufacturer expecting $95 million in losses

Demant, one of the world’s largest manufacturers of hearing aids, suffered a ransomware attack that required the company to shut down its entire IT infrastructure, including its ERP system. In addition to response and recovery costs, Demant was unable to fulfill sales orders for the duration, amounting to a loss of almost $95 million. Recovery from the attack will take over a month.

Preventing Ransomware Attacks

When ransomware first appeared, it only affected the system it was executed on and the network folders mapped to it. If you had file-level backups or Shadow Volume Copy configured, the impact was minimal. Most often, it was a loss of 6-12 hours of work.

Today, ransomware is incredibly advanced, attacks are strategic, and the impact often results in millions of dollars in lost revenue. So why, when you Google ransomware prevention, is having “good backups” or a disaster recovery plan still commonly the main, and sometimes the only, recommendation? This recommendation is irresponsible. Much more is necessary to minimize the impact of a ransomware attack:

Security Awareness Training

Phishing is still the primary attack vector, and employees are still the first line of defense. Educate your team on how to correctly handle suspicious emails to prevent the initial downloading or dropping of malware.

Incident Response Planning

Most organizations have a handle on the basic ‘blocking and tackling’ of IT security. What many are lacking, though, is the ability to respond to a security incident. Testing your incident response plan can seriously minimize the impact a ransomware attack may have on your organization.

Disaster Recovery and Business Continuity Planning

What are your core services? What systems and resources are required to deliver these services? What is the maximum tolerable downtime for both? How do you recover within the determined time frame? These are some of the questions your disaster recovery plan (DRP) should address. Your DRP will support your business continuity plan, or the sustaining of business processes during a disruption.

System Security

Exploitation of your systems and the accounts used to access them is necessary to execute ransomware. Therefore, your systems and those accounts must be protected and configured to reduce the impact of successful exploitation. Techniques such as requiring multi-factor authentication for privileged accounts and applying the principle of least privilege to both systems and user accounts can help you reduce the attack surface and impact.

Engage the Experts

Unlike most aspects of IT and business operations, security is the only place where we have a relentless, intelligent and motivated criminal opponent. To ensure your organization is prepared for the latest and most advanced attacks, consider contracting trusted third-party experts to assist.


