WASHINGTON — Over recent years, cybercriminals have targeted governments and small businesses alike in massive digital heists — making hundreds of millions of dollars in 2021 alone in exchange for unlocking victims' systems. As the attacks got more high profile, peaking after Colonial Pipeline's shutdown last spring led to fuel shortages across the East Coast, the need for solutions became more desperate.
In 2021, U.S. government officials, academics, and members of think-tanks and the private sector formed the Ransomware Task Force. Its latest report was published in early August with the help of the Center for Internet Security. The report is designed to give small and medium sized businesses a checklist of step to prepare for, defend against, and recover from ransomware attacks, using data about attacks and what strategies have worked in the past.
The most vulnerable
Although there's been a debate recently about whether the overall rate and cost of ransomware attacks is decreasing — due to global attention, law enforcement action, seizing digital funds, and international pressure on Russia, where many ransomware gangs operate from —it's still a major problem. The Ransomware Blueprint is directed toward small and medium-size businesses because of how frequently they are targeted and their relative lack of resources.
In February 2021, the Cybersecurity and Infrastructure Security Agency (CISA) noted a trend after a spate of high-profile international and law enforcement attention on big ransomware attacks: The criminals had slowed down their "big game" hunting, or targeting of large businesses and critical infrastructure. That left smaller businesses, whose victimhood might draw less attention. According to the Ransomware Taskforce, businesses with fewer than 500 employees were hit by 70 percent of the attacks in 2021. The blueprint is designed "to remove a critical barrier" for small and medium businesses "with limited cybersecurity expertise in defending against ransomware," concluded the authors of the report.
According to the blueprint, ransomware defense begins by knowing what's on the network.
That means keeping a registry of all software, hardware, and data on the cloud, exploring how the network functions on an average day and who has access to which components.
It sounds simple, but, according to Valecia Stocchetti, a senior cybersecurity engineer and co-author of the blueprint, criminals are constantly studying.
"Sometimes the criminals are more familiar with what is going on in your network than you are," she said in an interview with NPR.
Once everything is identified, the work of protecting the network begins.
That means training employees and making sure the network is configured securely, which includes installing firewalls and making sure users or software that are later added on can't bypass security procedures.
Each organization should also have a tiered system of access, making sure employees don't have privileged access to parts of the network they don't need for their work.
Organizations need to keep a close eye on research published about security vulnerabilities, and constantly be patching those holes when companies release the fixes. CISA maintains a list of vulnerabilities and ranks them according to how dangerous they are and how easy they are for criminals to exploit, helping organizations prioritize the work to patch them.
Many of the instructions, while tailored toward ransomware, offer good general information.
The report's authors note that attackers can use several strategies to break into systems before launching a ransomware attack, including malicious email attachments or web browsers. Deploying anti-malware software and preventing removeable media from automatically running on the system can make a big difference.
Stocchetti said one of the most helpful pieces of advice is to install multifactor authentication, meaning multiple ways to verify identity beyond just a password.
Sometimes, despite best efforts, criminals still find a way in. That's why it's vital that companies have a plan to respond to an attack, and that they practice it frequently and know who is authorized to do what in an emergency.
"It's things like making sure you make a list of who to contact when you know the fire erupts because not everything is 100 percent bulletproof, as we all know," she said.
That also means that organizations backup their data, encrypt those backups, and make sure the backups aren't connected to the primary network, or the criminals will get access and make all the effort worthless.
One of the biggest quandaries for companies hit by ransomware is whether to pay to unlock their files, action that the FBI discourages but is sometimes difficult to avoid when critical functions are disrupted by the attack.
But there's also a cost to lost business, reconstituting systems, hiring incident response experts, and repairing damages. Cyber insurance policies can be helpful to offset those costs.
However, sometimes companies struggle with understanding or feeling fully protected by those policies. According to a recent study from Blackberry and Corvus Insurance, a high percentage of companies said they would hesitate to get into business with organizations that aren't covered by cyber insurance, recognizing its importance. However, just 14 percent of small and medium-size businesses have policies that cover over $600,000, restrictions that led more than half of respondents to say they hoped for more financial assistance from the government, particularly when attacked by a nation state. Many companies said there's a lack of transparency from some firms about what is actually covered by their policies, which are constantly getting more expensive.
Davis Hake, the co-founder of Resilience Insurance and one of the co-authors of the blueprint, told NPR that a more symbiotic relationship between the insurance industry and small and medium-size businesses could be beneficial.
If insurance companies require their policy holders to implement the action items in the blueprint, or offer to help them put those things in place, he said, it will help increase resilience and, hopefully, limit costly payouts.
"We're very good at pricing the risk and using that data to understand that as an industry," Hake said in an interview. "But what I really think is the industry needs to move from not just pricing the risk, but also learning how do we protect our risks."