Industry executives and experts share their predictions for 2020. Read them in this 12th annual VMblog.com series exclusive.
By Chris Bisnett, Founder & Chief Architect, Huntress Labs
When You Can't Be Clairvoyant, Have Clear Security Strategies
Individuals, companies, industries, and even
governments have been significantly impacted by ransomware this year, and it's
unlikely to stop any time soon. As the attacks continue to evolve, security,
IT, and DevOps teams will also need to evolve their security solutions and
recovery strategies. Here are some forward-looking ideas as to how they can do
just that:
Ransomware Deluge Continues, Do You Have a Recovery Strategy?
In the last year, attackers have realized that they
have a better chance of being paid and can collect bigger payouts if they are
able to successfully ransom all or most of a company's computers. Previously,
the majority of ransomware attacks were one-off incidents that would ransom a
computer or two as users opened email attachments or downloaded and executed
malicious executables. While hitting an entire organization with ransomware
isn't new (we've seen reports in the news about hospitals and other critical
infrastructure being ransomed), we're seeing an increase in the number and scale
of organizations being crippled by ransomware.
As we continue to see our customers' networks
crippled by ransomware and their difficulty in recovering and restoring
services, we've thought quite a bit about how we can help solve this problem.
We still don't believe that ransomware can be solved by any generic solution so
instead, we're focusing on how we can help improve the recovery process.
Obviously, if you could stop the ransomware incident before it happens that
would be the best solution, but the next best thing would be if you could
restore quickly and easily. In 2020, having better visibility into what
computers are ransomed will make recovering systems easier.
MSPs Will Need to Be Armed With The Right Security Tools
In 2019, we've seen a dramatic shift in the Managed
Service Provider landscape where the tools they use to remotely manage hundreds
or thousands of machines are being used against them by attackers to deploy ransomware.
When this happens, all the computers for every one of their customers are
encrypted, often crippling these small companies and leaving them without the
means to conduct business. We continue to see more companies who have not
configured security or prepared for an attack like this. In 2020, I think we'll
see the same types of attacks applied to larger organizations where the
attackers are specifically looking to gain access to network infrastructure
that allows them to ransom all the computers, rather than only a few users who
happen to click the phishing email. These companies are extremely vulnerable
because they usually have small IT departments with only a handful of
technicians, limited budget, few security solutions, and even fewer security
skills.
Providers Are On The Hook: Cyber Insurance and Backup and Data Recovery Are Working Against the Current
If this trend continues and expands in scale like I'm
predicting it will, not only will the customers who get ransomed be affected,
but this will continue to ripple outward and affect the companies that provide
services to the ransomed companies. The two providers who are most likely to
feel the strain are cyber security insurance underwriters and backup and data
recovery providers.
Cyber security insurance underwriters do not have
enough data to measure or understand the risk posed to any of these companies,
and are largely making a big gamble that the companies are going to do
everything they can to avoid having a massive cyber security incident. The
complexity of securing these networks against attacks continues to grow and attackers
are taking advantage of this. Without being able to accurately predict the
chance and cost of an incident, underwriters are at risk of not being able to
pay claims if businesses are attacked at an ever-increasing rate. It's even
possible that some of the larger providers are considering dropping cyber
security offerings for these reasons.
Feeling Restored in 2020? Lacking Confidence in Backup and Data Recovery (BDR)
The first step for any company hit by ransomware is
obviously to restore from backups. The BDR market has continued to shift from
on-site backups with off-site copies to a fully off-site model where all the
data is sent and stored with a cloud provider. These providers are able to
purchase storage in bulk and are able to provide services at a cheaper cost and
with less management overhead for their customers. We've seen this scenario
play out a few times in 2019, and it will likely increase in 2020, where backup
providers do not have the capability to scale and provide recovery when a customer
needs to restore hundreds or thousands of machines all at once. Their service
generally works when it's a handful of computers but restoring an entire
network at the drop of a hat requires an immense amount of bandwidth, both on
the BDR provider side and the customer side. The fallback restoration and
recovery method is to ship physical hard drives to the customer so that they
can manually restore each machine.
Unfortunately, the level of effort required to
organize the drives and physically visit each machine means that restoring with
this method is a total nightmare. We've seen this happen at least twice in 2019
and I expect this will happen at an increasing rate in 2020, which will
negatively affect customers' confidence and willingness to purchase BDR
solutions without significant investment and improvement by the BDR providers.
With more clarity around your security and recovery
plans, 2020 doesn't seem so daunting. Reflecting on this year allows us to
learn from mistakes and have a better plan in place for the future. A new year
usually inspires resolutions - this year, make security resolutions to better
protect your partners and business.
##
About the Author
Chris Bisnett is a veteran
information security researcher with more than a decade of experience in
offensive and defensive cyber operations. While serving with the NSA RedTeam,
he attacked government networks and systems to identify and remedy
vulnerabilities. He is also a recognized Black Hat conference trainer and has
taught his "Fuzzing For Vulnerabilities" course at several events around the
world. Prior to founding Huntress Labs, Chris co-founded LegalConfirm, LLC
where he led product design and development until the company was acquired in 2014.