Following a recent increase in the frequency and scale of ransomware attacks around the globe, Attorney General Fitch is joining attorneys general across the country in urging businesses and public entities to assess their current data security practices and take appropriate steps to protect operations and consumer data.
“Cybercrime and cyber-enabled threats exploit vulnerabilities in information systems to extract customer-rich data, information, and money,” said Attorney General Lynn Fitch. “To counter the increased risk and potential consequences of cyber threats, it is critical to implement and execute strong security practices to protect consumer data and vital systems infrastructure nationwide.”
Ransomware is a form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Cybercriminals demand ransom in exchange for decryption, often threatening to sell or leak exfiltrated information if the ransom is not paid. Ransomware is a growing threat, generating billions of dollars in payments to cybercriminals and inflicting significant damage on businesses and government entities alike.
Just before the July Fourth holiday, REvil, a Russian-linked cybercrime gang, perpetrated the single largest global ransomware attack on record against the software company Kaseya, infecting thousands of client systems in at least 17 countries. REvil demanded $70 million in cryptocurrency in exchange for decrypting all affected machines. This is REvil’s second high-profile attack in recent weeks—having extorted $11 million from JBS Foods, the world’s largest meat-processor, a month earlier.
Attorney General Fitch serves on the National Association of Attorneys General’s Internet Safety / Cyber Privacy and Security Committee, which issued a joint advisory discussing the pressing threat that ransomware attacks pose to American businesses and government entities and recommending several best practices to respond to the threat, including:
• Back up your data, system images, and configurations, regularly test them, and keep the backups offline: Ensure that backups are regularly tested and that they are not connected to the business network, as many ransomware variants try to find and encrypt or delete accessible backups. Maintaining current backups offline is critical because, if your network data is encrypted by ransomware, your organization can still restore systems from those backups.
• Update and patch systems promptly: This includes maintaining the security of operating systems, applications, and firmware in a timely manner. Consider using a centralized patch management system. Use a risk-based assessment strategy to drive your patch management program.
• Test your incident response plan: There is nothing that shows the gaps in plans more than testing them. Run through some core questions and use those to build an incident response plan: Are you able to sustain business operations without access to certain systems? For how long? Would you turn off your manufacturing operations if business systems such as billing were offline?
• Check your security team’s work: Use a third-party penetration tester to test the security of your systems and your ability to defend against a sophisticated attack. Many ransomware criminals are aggressive and sophisticated and will find the equivalent of unlocked doors.
• Segment your networks: There has been a recent shift in ransomware attacks—from stealing data to disrupting operations. It is critically important that your corporate business functions and manufacturing/production operations are separated and that you carefully filter and limit internet access to operational networks, identify links between these networks, and develop workarounds or manual controls to ensure industrial control system (ICS) networks can be isolated and continue operating if your corporate network is compromised. Regularly test contingency plans such as manual controls so that safety-critical functions can be maintained during a cyber incident.
A variety of resources are available for organizations of all types, including:
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) offers guidance here.
The National Institute of Standards and Technology (NIST) offers guidance here.
And, CISA and the Federal Bureau of Investigation (FBI) have also issued specific guidance for managed service providers (MSPs) and their customers affected by the Kaseya ransomware attack, discussed above. This guidance can be found here.
Victims of ransomware should report it immediately to CISA, a local FBI Field Office, or a Secret Service Field Office. Victims should also file a report online through the Internet Crime Complaint Center (IC3).