This is the sixth post in the series entitled 2019 Predictions: What’s In Store for Windows and Office 365 Pros, and today we’ll explore why a publicly traded company’s stock will take a direct hit due to a successful and highly sophisticated ransomware attack in the coming year.
Ransomware has gone the way of natural disasters and shuttle launches in the news – no one is paying a whole lot of attention anymore even though they are still happening. Hurricanes are still spinning up, the U.S. and Russians recently tried to launch two astronauts into space aboard a Soyuz rocket, and ransomware is still locking down and destroying data.
This malware may be wearing thin on our attention, but it's still out there and getting more sophisticated. Cybercriminals aren’t going for the masses; they are targeting their corporate victims and, in some cases, bypassing users altogether with stolen credentials (e.g., SamSam), and they are even pairing their attacks with Mimikatz to increase their reach.
How can a ransomware attack affect a company’s stock price?
The City of Atlanta came to a standstill in March 2018 because of a massive ransomware attack on its services for warrant issuances, water requests, new inmate processing, court fee payments and online bill-pay programs across multiple city departments. The city never paid the ransom, but the total cost of the attack is projected at $17 million.
Imagine if the City of Atlanta were a publicly traded retail company that had its vital services locked up by ransomware: PoS systems offline; the accounting system compromised; customer and prospect lists used for email and mobile marketing encrypted.
And imagine it's Black Friday or Cyber Monday. A $17 million ransomware cleanup would be minimal compared to the lost sales.
And then imagine that retailer explaining the quarter miss and lost revenue to stakeholders and financial investors.
It's easy to see how such an attack could take a hugely public financial toll, and, frankly, I’m surprised it hasn’t happened yet.
Account-based marketing ransomware
Cybercriminals keep the odds in their favor by adapting and growing more sophisticated. Sure, an entry-level hacker could get in on the game with Ransomware-as-a-service; but, just like effective marketing, the real money is in targeting. Think of it like account-based marketing (ABM) for ransomware gangs.
For the past 3 years, the SamSam ransomware variant has reportedly netted $6 million for the Eastern European cyber gang. With that much money coming in, why stop? And as late as October 2018, they were continuing their campaign targeting 67 organizations.
That may seem like a small number, but the group behind SamSam isn’t going for the spray-and-pray approach used by less sophisticated criminals. They meticulously research and target their victims, exploiting vulnerabilities or using stolen credentials gained through phishing, email fraud or some other means.
And just as organizations may be using artificial intelligence (AI) in ABM to find the next logical cross-sell within specific customer accounts, cyber criminals are weaponizing AI to create personalized phishing e-mails for targeted organizations (with effective rates above 20%) and mutating malware and ransomware more easily to evade security defenses.
The ransomware toolkits du jour combine the attack with Mimikatz and other known hacking tools (like EternalBlue) to create self-propagating worms that target entire networks, including the backups.
How to protect yourself and your stock price from a ransomware attack
It’s important to remember that you can never “solve” security with one process, one tool or one action. You need multiple layers of protection made up of several key components. These components include:
- Least privilege model enforcement and effective permissions reporting to both limit a user to just what they need to do AND to understand the full extent of their permissions that may be hidden in nested AD groups.
- Threat detection solution that models individual user behavior patterns to detect anomalous activity that might indicate suspicious users or compromised accounts. Rapid file access and changes are BIG signs of a ransomware infection in progress.
- Event log management, especially one that monitors PowerShell commands launched by users in your IT environment, to catch Mimikatz kits earlier in the process.
- Real-time auditing that will correlate user activities from both threat detection and event log management to gain a complete picture of what might be happening in your environment.
- Automated response actions when a threat is detected, such as disabling users who are invoking known PowerShell recon toolkits (like PowerSploit) or Invoke-Mimikatz, or whose script blocks contain traces of them.
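As an added illustration (not code from the original post or from any product it mentions), here is a small Python script that combines the three detection and response layers above: a sliding-window count of file writes per user to catch encryption-speed activity, a case-insensitive match for Invoke-Mimikatz and PowerSploit traces in PowerShell script block text, and a correlation step that produces the list of accounts to disable. The events, usernames, paths, timestamps and the threshold of 20 writes per minute are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs: (timestamp, user, kind, detail).
# kind "file_write" stands in for a file-server audit record; kind "ps_script"
# stands in for the ScriptBlockText of a PowerShell script block log entry.
T0 = datetime(2019, 1, 7, 9, 0, 0)
EVENTS = (
    [(T0 + timedelta(seconds=i), "alice", "file_write", f"\\\\fs1\\finance\\q4-{i}.xlsx")
     for i in range(5)]                        # normal working pace
    + [(T0 + timedelta(seconds=i), "svc-backup", "file_write", f"\\\\fs1\\hr\\doc{i}.docx.locked")
       for i in range(40)]                     # 40 writes in 40 seconds: encryption pace
    + [(T0 + timedelta(minutes=2), "bob", "ps_script", "Get-ChildItem C:\\Temp"),
       (T0 + timedelta(minutes=3), "carol", "ps_script", "Invoke-Mimikatz -DumpCreds"),
       (T0 + timedelta(minutes=4), "dave", "ps_script", "Import-Module .\\powersploit\\Recon")]
)

# Tool names from the post above; matched case-insensitively because PowerShell is.
SCRIPT_INDICATORS = re.compile(r"Invoke-Mimikatz|Mimikatz|PowerSploit", re.IGNORECASE)

def rapid_file_changes(events, threshold=20, window=timedelta(seconds=60)):
    """Users with more than `threshold` file writes inside any sliding `window`."""
    per_user = defaultdict(list)
    for ts, user, kind, _ in events:
        if kind == "file_write":
            per_user[user].append(ts)
    flagged = set()
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window's left edge forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return flagged

def suspicious_script_blocks(events):
    """(user, matched indicator) for each script block that names a known tool."""
    hits = []
    for _, user, kind, text in events:
        if kind == "ps_script" and (m := SCRIPT_INDICATORS.search(text)):
            hits.append((user, m.group(0)))
    return hits

def accounts_to_disable(events):
    """Correlate both detections into one list for the automated-response layer."""
    return rapid_file_changes(events) | {user for user, _ in suspicious_script_blocks(events)}
```

Running `accounts_to_disable(EVENTS)` on the constructed data flags the account writing `.locked` files at encryption speed together with the two accounts whose script blocks name the tools, while the normal file activity and the benign `Get-ChildItem` block are left alone.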
Dive further into best practices to prevent or mitigate a ransomware attack in progress with this Osterman Research whitepaper: “Best Practices for Protecting against Phishing, Ransomware and Email Fraud.” You’ll explore cybersecurity practices that decision makers should seriously consider:
- Audit your current security infrastructure
- Implement multi-layer email security
- View security holistically
- Establish detailed and thorough security policies
- Train all users, including senior executives