Asking the right questions
“Chelsea or Arsenal?”, “iPhone or Android”, “Pfizer or AstraZeneca?” – common conversational questions. “Do I pay, or do I not pay?” – a question victims of ransomware attacks know only too well. And with ransomware attacks-including hardware-based ransomware attacks, on the rise, such a question might soon become more common; just over a year ago, it was unimaginable to think that our daily conversations would be about vaccine manufacturers.
The catch-22 of ransomware
Almost as controversial as which vaccine one is getting, victims of ransomware must decide whether they will pay the ransom or not. It is, of course, recommended not to pay – for many reasons. For one, as US Secretary of Energy, Jennifer Granholm, says, “you shouldn’t be paying ransomware attacks, because it only encourages the bad guys”. So much so, that around 80% of victims who paid the ransom faced a subsequent ransomware attack.
Further, paying the ransom is not a guarantee to file restoration. As explained by FBI Director Christopher Wray, “victims may not automatically get back their data despite forking over millions”. Whether the decryption key was faulty, or not even provided, 17% of victims who paid a ransom did not reclaim their stolen data, according to Kaspersky’s research. However, many enterprises store backups of their data, minimizing the pressure to pay. In 2019, Teamsters used their archival material to rebuild their systems following a ransomware attack. They avoided the payment and recovering 99% of their data.
Not paying, however, is not always an option; more than half of victims pay the ransom, according to Kaspersky’s global research. Critical infrastructure, which is finding itself a frequent victim, has a low tolerance for downtime. Any amount of downtime puts national security at risk, and thus critical infrastructure is under immense pressure to provide continuous operations, which often means paying the ransom. It is no surprise that healthcare was the most targeted industry for ransomware in 2020, as attackers knew the world was relying on healthcare facilities to tackle the pandemic.
The importance of critical infrastructure’s continuous operations is evident by the $4.4 million and $11 million paid by Colonial Pipeline and JBS, respectively, following ransomware attacks. The former decided to pay following the mass chaos that ensued from just five days of downtime. The latter was concerned with the risk of future issues and data exfiltration, despite most of its facilities being operational.
The cost of not paying is not only an issue faced by critical infrastructure. Enterprises might not have their data backed up, meaning their only option is to pay; that, or their data disappears forever. Even if companies do have data backups (which they should have), attackers can use stolen data as leverage to entice payment. And, of course, there are the financial costs that are not limited to the ransom itself. Monetary losses following a ransomware attack extend far beyond the attack itself and, often, it is a higher cost than the amount demanded.
So, if paying the ransom encourages more attacks, and not paying the ransom puts the organization and even national security at risk, how does one get out of the catch-22 situation?
Catching the problem – Hardware-based Ransomware Attacks
We would not have to choose between different vaccines had the pandemic never happened. Similarly, enterprises will not have to decide whether to pay the ransom or not if they do not get infected in the first place. While infection is not entirely avoidable, enterprises have several options that, when deployed simultaneously, can reduce the chances of a successful attack. The FBI, and many other expert cybersecurity sources, suggest the following practices:
- Be a cautious and conscientious computer user.
- Keep systems and software up to date.
- Deploy anti-virus and anti-malware software.
- Back up data regularly.
- Create an incident response plan.
Such recommendations provide enhanced protection and should be quickly adopted if they have not been already. However, by neglecting hardware security, none of the above recommendations address the issue of Rogue Devices. Without hardware security, the Physical Layer remains uncovered, thus allowing Rogue Devices to go undetected as they operate on this layer-which can result in hardware-based ransomware attacks… Spoofed Peripherals are manipulated on the Physical Layer and impersonate legitimate HIDs, being detected as such by endpoint security software. Network Implants go entirely undetected by network security solutions, including NAC, as they sit on the Physical Layer, which such solutions do not cover. Without hardware security, enterprises are completely exposed to hardware-based ransomware attacks, no matter how many alternative security measures are in place.
Sepio Systems’ Hardware Access Control (HAC-1) solution provides entities with the Physical Layer coverage they need to obtain complete device visibility and, in doing so, also protects against hardware-based attacks. As the leader in Rogue Device Mitigation (RDM), Sepio’s solution identifies, detects and handles all peripherals; no device goes unmanaged. HAC-1 uses Physical Layer fingerprinting technology and Machine Learning to calculate a digital fingerprint from the electrical characteristics of all devices and compares them against known fingerprints. In doing so, HAC-1 can provide organizations with ultimate device visibility and detect vulnerable devices and switches within the infrastructure.
In addition to the deep visibility layer, a comprehensive policy enforcement mechanism recommends on best practice policy and allows the administrator to define a strict, or more granular, set of rules for the system to enforce. When a device breaches the pre-set policy, HAC-1 automatically instigates a mitigation process that instantly blocks unapproved or Rogue hardware. Just as the tackling of COVID requires various efforts, so will the handling of ransomware; think of HAC-1 as the vaccine for hardware-based ransomware attacks.