A quick note: I don't want to seem tone-deaf with my article header to the current devastation in the Caribbean. If you've got the wherewithal, please donate time or money to help those affected by Hurricane Dorian.
If you read articles about security shenanigans as I do, then you've read about the coordinated cyberattacks in Texas last month.
This is a pretty amazing story, really. Texas has committed to a coordinated cyber-response that resulted in no ransom paid.
Wow. Congratulations to everyone involved in the recovery, which seems to have been a herculean effort including everything from restoring backups to completely re-IPing networks.
Having been a part of major DR exercises and a couple of live all-hands-on-deck situations in the past, I guarantee that there are some extremely exhausted people out there who deserve the kudos of their peers in IT and cybersecurity. They faced a real-deal emergency and came out the other side.
As I try to say in every post I make about a breach or other incident, this is a hard job to do, with very little thanks or acknowledgment when it goes right, and blame and finger-pointing when it goes wrong.
We have to be right every. Single. Time.
They have to get lucky once.
But take a look at the quote I've included. This is negotiation with terrorists, no more and no less. They lock you down, then make a wild demand, then let you negotiate while in the background everyone is pulling out all the stops and hoping they come out the other end of the tunnel unscathed.
How do you stop ransomware? I'm going to refer to a great Twitter feed that my colleague Alex Goller pointed out: https://insights.illumio.com/post/102fqjq/words-of-wisdom.
When I talk to clients or prospective clients, they're always focused on NAC and endpoint because of potential ransomware attacks. That's great, but to paraphrase SwiftOnSecurity: who cares about the endpoint?
A little hyperbole on my part, sure. You absolutely need to protect your endpoints. There are some fantastic ways to do that. But, in the end, who cares about them? If someone pwns your end-user laptop, burn it down and restore. If they didn't do their backups, then it's on them.
What should you really be worried about? I talk about DoS attacks, ingress and exploits and reconnaissance all the time. If they use that laptop as a vector to lock down all of your critical infrastructure that, my friends, is a "very bad thing."
TL;DR: Protect your endpoints, but your critical infrastructure should be the priority. Gain visibility into what actually talks to it, model a policy from that, and enforce an allow-list (whitelist) so everything else is denied by default.
"After realizing that insurance companies are likely to advise governments to pay ransom demands instead of covering the huge costs of rebuilding IT networks from scratch, ransomware gangs have started requesting more money."
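To make the "visibility, model policy, enforce whitelisting" advice concrete, here is an added example of the three steps in a few dozen lines. It is not code from this post, from Illumio, or from any Texas response team; the workload labels, the allow-list rules and the flow records are all constructed for illustration. The "model" step summarises observed flows by role pair so you can see what a policy has to cover; the "enforce" step replays each flow against a default-deny allow-list, so a pwned laptop fanning out over SMB and RDP to the database and backup hosts gets denied while the legitimate web-to-db path still works.

```python
"""Model an allow-list (default-deny) segmentation policy for critical
workloads and replay observed flows against it.

Added example, not code from the original post or from any vendor product.
Workload labels, policy rules and flow records are all constructed here.
"""
from collections import Counter

# Constructed inventory: host -> (role, env). In practice this comes from
# your CMDB, cloud tags or the visibility tool's workload labels.
WORKLOADS = {
    "10.0.1.15": ("user-laptop", "corp"),
    "10.0.2.10": ("web", "prod"),
    "10.0.3.20": ("db", "prod"),
    "10.0.3.21": ("db", "prod"),
    "10.0.4.5": ("backup", "prod"),
    "10.0.5.8": ("jump", "prod"),
}

# Constructed allow-list. Anything not matched is denied (default deny).
# Each rule is (src_role, dst_role, dst_port).
POLICY = {
    ("user-laptop", "web", 443),
    ("web", "db", 5432),
    ("jump", "db", 22),
    ("backup", "db", 5432),
}


def parse_flow(line):
    """Parse a constructed flow record 'src,dst,dport,proto' into a dict."""
    src, dst, dport, proto = line.strip().split(",")
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto}


def role(ip):
    """Map an IP to its role label; unknown hosts get 'unknown' and never match."""
    return WORKLOADS.get(ip, ("unknown", "unknown"))[0]


def decision(flow):
    """Return 'allow' or 'deny' for one flow under the allow-list."""
    key = (role(flow["src"]), role(flow["dst"]), flow["dport"])
    return "allow" if key in POLICY else "deny"


def model(flows):
    """Visibility step: count observed traffic by (src_role, dst_role, port)
    so you can review what a policy has to cover before enforcing it."""
    return Counter((role(f["src"]), role(f["dst"]), f["dport"]) for f in flows)


def evaluate(lines):
    """Enforcement step: pair every parsed flow with its policy decision."""
    flows = [parse_flow(l) for l in lines if l.strip()]
    return [(f, decision(f)) for f in flows]


def denied_flows(lines):
    """Just the flows the allow-list would block."""
    return [f for f, d in evaluate(lines) if d == "deny"]


# Constructed flow log: normal traffic plus a compromised laptop fanning out
# to the database and backup hosts over SMB (445) and RDP (3389).
SAMPLE_FLOWS = """\
10.0.1.15,10.0.2.10,443,tcp
10.0.2.10,10.0.3.20,5432,tcp
10.0.5.8,10.0.3.20,22,tcp
10.0.1.15,10.0.3.20,445,tcp
10.0.1.15,10.0.3.21,445,tcp
10.0.1.15,10.0.4.5,3389,tcp
10.0.1.15,10.0.4.5,445,tcp
"""

if __name__ == "__main__":
    lines = SAMPLE_FLOWS.splitlines()
    for key, n in model([parse_flow(l) for l in lines]).items():
        print("observed", key, "x", n)
    for f, d in evaluate(lines):
        print(d.upper(), f["src"], "->", f["dst"], f["dport"])
```

One caveat the model step makes obvious: if you turn every observed role pair into a rule, the laptop-to-db SMB traffic becomes policy too. Visibility tells you what is happening; a human still has to decide which of those paths a critical workload should accept before the allow-list is enforced.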