Blog

In the first part of our Rise of Ransomware as a Service series, we learned RaaS enables organizations to purchase ransomware and gain hacking resources which were not accessible before. With heightened access to malicious software, a rise in ransom attacks has followed. In this second part of our Rise of RaaS series, we will focus on ransomware protection and defense.

This post will review three high-profile cyberattacks that grabbed America’s attention this past year. Understanding how these attacks occurred, and the snowball effect that often follows, allows organizations to build their defenses and implement strategies to thwart similar assaults, as hackers often reutilize techniques. We’ll review some key steps and new security strategies that, when implemented, will ensure your organization is protected, as well as resilient, to ransomware.

The first attack we want to expound upon is what many know as the hack on the Pentagon and Department of Homeland Security. This recognition is due, of course, to the major security risk this hack imposes to the United States. But the Pentagon and DHS were not the only entities compromised in this attack. Fortune 500 companies, as well as additional government agencies, were also breached. These organizations all had one thing in common: a third-party vendor named SolarWinds, a Texas-based vendor that provides IT management tools for their customers.

It’s unclear how hackers gained access to the SolarWinds infrastructure, but once inside they began work on creating a duplicate of a SolarWinds patch that was due to be released to customers. The replica included the same bug fixes and software updates that SolarWinds had intended it to have, but lines of malicious code were added. At the very last second, right before SolarWinds was set to deploy their patch, the hackers switched the two and the replica patch containing malicious software was released. Customers were then able to download and deploy what they thought was the SolarWinds patch. Once this patch was deployed on any server with Internet access, a backdoor was opened and the attackers made themselves right at home. The intrusions were only discovered when the cybersecurity giant, FireEye, noticed some strange activity in their network and investigated. They traced this activity to the SolarWinds patch and discovered the malicious code.

Without FireEye’s inspection, the hackers could have continued undetected, extending their reach before locking down data and requiring a ransom for restoration. This prompts a frightening question: Could hackers have used the same methodology as the patch swap, or something similar, to gain access to other organizations and have yet to be discovered? We will review ransomware protection tips towards the end of this article, but we think it’s worth mentioning now that a “see something, say something” approach is of critical importance. Many employees may write off suspicious activity as a glitch or one-off scenario, but a sense of due diligence to investigate these situations caught a breach that affected an estimated 18,000 organizations. Of course, not everyone has the same resources as FireEye, but a log of suspicious activity and when it occurred can give your third-party vendors reason for an additional patch review.

The attack on Kaseya occurred more recently, on the Friday before the Fourth of July weekend. Like the Solar Winds attack, the Kaseya breach affected their customers as well. Kaseya provides IT management solutions for managed service providers (MSPs) and IT teams. The managed service providers who utilized Kaseya‘s products provide security and management services to their customers. This management integration caused a snowball effect and allowed hackers within the affected MSPs to gain access to Kaseya’s customers’ infrastructures as well. This led to the breach reaching about 1,500 companies.

The attack occurred when hackers from REvil, the Russian based cybercrime group, found a zero-day vulnerability, or a vulnerability that has just been discovered, in Kaseya’s VSA servers which allowed them entry. From here, REvil hackers scanned the internet to find any of Kaseya’s customers utilizing this software in order to exploit the vulnerability and access their infrastructure as well. REvil demanded $70 million dollars in exchange for a key to decrypt their environment. As mentioned in the first part of this series, REvil has since taken down their site and did so without providing any decryption keys for those, like Kaseya, still in negotiations. Kaseya has stated that they have since obtained a universal decryptor from a third party.

The last and most recent breach we’ll touch upon is the attack on Accenture. This attack happened on Tuesday, August 8^th when the cyber-crime organization, LockBit, encrypted data on Accenture’s infrastructure and seemingly exfiltrated the data offline. Lockbit has threatened to release the data to their site if a ransom is not paid.

According to Accenture, they had tactics in place to minimize the impact of this attack. Once suspicious activity was noticed, their team worked quickly to trace the activity and lock down their servers to limit what the hackers could access. From there, they were able to roll their encrypted servers back to their latest backup or snapshot version. This rollback method is effective and a route many organizations have taken in the past. Rolling your servers back may cause you to lose any changes made from the time the last backup or snap was taken to the time of the rollback, but allows organizations to get their infrastructure up and running quickly, without paying a ransom.

In the next section, we will provide tips to protect against ransomware, as well as techniques to make your environment resilient if an attack does occur. However, we want to emphasize the importance of backing up your servers, as we’ve seen in this example. Doing so frequently will minimize the data lost and allow for easy and seamless disaster recovery in the wake of an attack. It’s also good practice to store backups in a separate location so if one server is destroyed or compromised, the backup is not lost with it. Now, let’s jump into some additional steps you can take in order to be both protected and resilient.

A new cyber security practice rising with RaaS is vendor consolidation. As the examples reviewed in this post have shown, companies both large and small can fall victim to ransomware through their third-party vendors. With this revelation, many organizations are taking preemptive measures to protect themselves and limiting vendors will help reduce your attack surface. The vendor consolidation strategy involves using one vendor to fulfill as many tasks as possible and building in-house solutions to replace software that’s currently contracted out.

One step to implementing this strategy is to understand the full reach each vendor has, which can allow you to utilize them for multiple needs. You may need to do your research and ask about other products your trusted vendors provide. It’s common for vendors to fulfill multiple needs and not get to market each of their products to you, so you might not know the full capabilities one vendor has. For example, DataMotion, Inc. is best known for our secure messaging technology, but we are also a Health Information Service Provider (HISP). This is a separate product and therefore may not come up when searching and researching about our secure messaging APIs. However, with a quick inquiry into our full product list found either on our website or through a sales representative, this can be easily discovered.

In addition to the vendor consolidation strategy, it’s also important to ask your vendors what their security stack looks like, and which companies they work with. Have this conversation not only while searching for a vendor, but also with current vendors. As industry leaders learn more, new security best practices, techniques and strategies will be developed (such as vendor consolidation) and it is important that you and your vendors work to implement them.

MFA is another great way to prevent a breach. A password is a mere speed bump that is one successful brute force attack away from being broken. The more complex a password is the longer the brute force may take, but it will still be hackable. Once a password is cracked, a second layer of defense is required. Most multifactor authentication strategies require the user to type in a code they receive from a text, email or authentication app that is only valid for a short period of time (so the code can’t be brute forced as well).

Finally, a resilient infrastructure is extremely important. You can do everything correctly on your end to protect your company against ransomware, but a vulnerability in a vendor’s product or system can still leave you open to a breach. Therefore, you must ensure that you have internal security measures in place to minimize damage if a breach does occur. This is why a least privilege model (LPM) or zero trust is essential.

The least privilege model ensures each system and user only has access to what they need to do their job, and no more than that, thus limiting any access to a hacker if they gain network entry. Similarly, zero trust treats an internal network just as it would traffic coming from outside the network; users and devices are not trusted simply because they have joined the network. They must be verified, just as a user from outside would be. Those who implement zero trust also utilize LPM, encryption and MFA within their internal network. The use of either model means if any user or system is compromised through a zero-day vulnerability or phishing attack, the data the hackers can open is limited by the access available. A zero trust approach is something DataMotion has implemented since the early stages of our development.

The encryption factor of zero trust is one we especially advocate for. Encrypted data on file servers, as well as any sensitive emails and messages, will help protect data from intruders within your environment. Hackers will not be able to open or read encrypted data in folders and messages. In the same vein, if encrypted data is exfiltrated from your environment, and the attackers threaten to decrypt your data and post it for all to see you don’t have to worry.  Your encrypted data will be unreadable. Windows file servers make it easy to encrypt sensitive data, and a tool like DataMotion makes it easy to send and receive encrypted messages and know they are backed up on our messaging portal.

As ransomware continues to rise, cybercrime groups are becoming stronger and smarter. They are learning to target organizations that will enable them to reach as many companies as possible through a single vulnerability. Attacking third-party vendors often creates a snowball effect, allowing the organization’s customers, and in some cases customers’ customers, to fall victim as well. Understanding this risk allows companies to take preemptive steps to help protect themselves. In addition to vendor consolidation, understanding your vendor’s security level and keeping up with security best practices will help prevent a breach. A least privilege model and data encryption will help keep you resilient if a breach does occur.

The final post of this RaaS Series will cover the aftermath of an attack, including the steps often taken to bring encrypted infrastructures back up and running, how victims engage in negotiations, and the legal issues that often follow. Keep an eye out for this installment, as it will also provide additional security tips to help protect your company from a ransomware attack.

If you haven’t already, please visit our recent Danger for Data series, which focused on potential security vulnerabilities in an enterprise’s back-end and business sides, as well as how your team can mitigate these risks. To learn more on how you can take action now and protect your data while in motion, visit https://datamotion.com/tour-services/.

• The Rise of Ransomware as a Service
• The Rise of RaaS: The Real Cost of Ransomware

• The New York Times’ Scope of Russian Hacking Becomes Clear: Multiple U.S. Agencies Were Hit by David E. Sanger, Nicole Perlroth and Eric Schmitt
• NPR’s “A ‘Worst Nightmare’ Cyberattack: The Untold Story Of The SolarWinds Hack” by Dina Temple-Raston
• NPR’s “A Ransomware Attack Hit Up To 1,500 Businesses. A Cybersecurity Expert On What’s Next” by Leila Fadel
• The Verge’s “19 days after REvil’s ransomware attack on Kaseya VSA systems, there’s a fix” by Richard Lawler
• Inforsecurity Magazine’s “Accenture Tied Up in $50M Ransom Lockbit 2.0 Attack” by Sophia Waterfield
• Gartner Top Security Risk and Trends for 2021 contributed by Kasey Panetta
• CPA Practice Advisor’s Zero Trust and Least Privilege: What a Cybersecurity Mindset Looks Like

From the attacks on SolarWinds to the JPS Meat Packing Company, the threat of a cyberattack has been democratized. Enterprises both large and small, across industries, have reported attacks and ensuing business disruptions, financial losses, and damaged reputations. In this article, the first of a three-part series on the rise of ransomware, we’ll cover what Ransomware as a Service (RaaS) is, the key players, what is being done to combat future attacks, and if your enterprise could be a target. (Hint: The answer is probably yes.)

What exactly is Ransomware as a Service (RaaS)? You can think of it as the sinister twin of Software as a Service (SaaS). Just like Salesforce sells its CRM software for customers to utilize, cybercrime organizations are now offering ransomware in a similar vein. In short, organizations that have built malicious software are now offering the technology to others for a profit. Scary, right? With malicious software for sale, groups with fewer technical resources and those who want a solution without the work of building one themselves, are now able to gain the same hacking abilities as the large and sophisticated groups that spent years cultivating software to exploit system weaknesses and lock down network-wide data.

This malicious new industry is on the rise. According to a Gartner report, 27% of all malware incidents in 2020 were a result of ransomware. There are a few possible reasons why. One reason is that this is an incredibly profitable venture–many companies opt to pay their attackers, as this is often the fastest route to get their systems back up and running. Another reason could be that in addition to profit, malicious software is now more readily available through Ransomware as a Service (RaaS). The more organizations with access to malicious software, the larger the number of attacks launched at corporations per year will be.

Throughout the years, we have seen many cybercrime groups come and go, often dismantling and regrouping under a new name to avoid detection. Two of the most notorious hacking groups, often in the news today, originate from Russia; REvil and Darkside.

REvil, which stands for Ransomware Evil, was behind the Memorial Day weekend attack on the meat processing company JBS, and the attack that targeted Kaseya VSA servers right before the Fourth of July holiday. Kaseya provides IT management solutions for MSPs and IT teams; many customers of Kaseya with on-premise VSA servers were also affected by the attack.

Darkside has claimed credit for a number of cyberattacks globally, but their most recent claim was the attack on Colonial Pipeline. This attack resulted in major disruptions of US oil distributions to southeastern states, causing gas and oil shortages in the area, and attracting the unwanted attention of the US government.

Both organizations have gone dark since their latest attacks. Darkside shut down their sites due to pressure stemming from the attention of the US government, but uncertainty surrounds the reason why REvil’s sites went down. Experts believe that the two groups will also appear again, next time under new names.

As a result of these high-profile attacks, many organizations are investing the necessary resources to train their employees on better security practices, and build their cybersecurity stack. From CASBs, secure data transfer solutions, SIEMs, endpoint protection and more, security is fast becoming a top priority to help combat looming cyber assaults from RaaS. In addition to building their own protection, many organizations are looking to the government for help.

One of the government’s responses to these recent cyberattacks was to create the Ransomware and Digital Extortion Task Force. The goal of this task force is to bring the full weight and resources of the Department of Justice (DOJ) in response to new attacks on US companies. As many other organizations have done, Colonial Pipeline decided to pay the ransom needed to quickly bring their servers back up on May 8^th. The task force was able to recover roughly 2.3 million dollars (almost half of the payment made to Darkside) which added to the mounting pressure the attackers were facing.

According to the Cybersecurity and Infrastructure Security Agency, DarkSide has publicly stated they “prefer to target organizations that can afford to pay large ransoms instead of hospitals, schools, non-profits, and governments.” Cybercrime groups will also do their diligence to identify corporations with ransom insurance, or finances earmarked specifically for that purpose. While larger enterprises are currently the favorite for cyberattacks, smaller organizations also fall victim; however, the ransom amount demanded of smaller entities tends to be significantly lower than that of larger organizations.

In the next part of the Ransomware as a Service series, we will focus on how ransomware attacks have succeeded in the past, and discuss actionable steps to help protect your organization now and in the future. In the meantime, we invite you to visit our Danger for Data series, which focused on potential security vulnerabilities in an enterprise’s back-end and business sides, as well as how your team can mitigate these risks. We also invite you to learn more about the security-first zero trust strategy, and how DataMotion employs this model to help keep your organization’s data safe from would-be thieves while in transit.

To learn more on how you can take action now and protect your data while in motion, visit https://datamotion.com/tour-services/.

• Rise of RaaS: Consolidating the Vendor Risk Factor
• The Rise of RaaS: The Real Cost of Ransomware

It’s a safe bet to say that your organization is concerned about cybersecurity. Your IT team is likely well-staffed and has implemented the latest security tools, and trained non-IT staff on the ills that befall those who click on external links and attachments without checking. Your organization has trusted but verified, perhaps verified then trusted. But is the “trust but verify” standard enough? Are you really operating as safely as you could, or rather, should be in today’s cyber climate?

The answer is no. Let us explain.

I’d like to take a moment to discuss two of the more prominent schools of practice in IT security– “trust but verify” and “zero trust” (or “trust no one”).  To illustrate these examples, let’s draw upon a well-known bastion of high-stakes security—the White House.

“Trust but verify” focuses on a strong external defense through establishing a solid perimeter. The White House employs precisely that—the iconic iron fence, a no-fly-zone, bullet-proof windows (which cannot be opened), monitored alarm systems, and of course, the Secret Service detail. Your organization’s IT security architecture has likely built the equivalent of the White House perimeter, using firewalls, proxy gateways, system alerts, password requirements and vendor training. (Perhaps you also have a no-fly zone!) In theory and perhaps in practice, any external hackers are going to have a rough time accessing your organization’s data or compromising your servers or mainframe.

Reading this, “trust but verify” sounds sufficient on paper. However, the complacency zone is the danger zone, and this is where the “zero trust” concept comes in. You have a strong exterior, but what about your organization’s interior? Like the White House, your most valuable resource is also your biggest risk: people. Which takes us to our second concept, that of “zero trust” or “trust no one.”

Let’s go back to 1600 Pennsylvania Avenue. Once you (lawfully) gain access, you’ll find scores of people milling about, including legislative and household staff, guests from Capitol Hill, tourists, etc. While everyone has gone through a standard security check, ranging from a metal detector to an FBI background check, the Secret Service cannot afford the standard “trust but verify” approach, and must rely on “zero trust” as a consistent, elevated means of security.

Zero Trust is, at its core, an enhanced level of managing access, with hyper-awareness of who is on, and has access to, your network and data. For instance, while a White House intern or assistant has been vetted at hiring, and perhaps passed through a couple of checkpoints for that workday, does it make sense for that intern or assistant to have unfettered access to the Situation Room, or the Residence?  Should a tourist be able to simply walk into the Oval Office? And would just anyone have access to the President? Of course not. Vetting should not equal full access.

Back to your organization. Those who have access to systems, including company email and other communication tools are likely your staff, or trusted third parties, such as vendors and contractors. However, you’re not likely to hand over, say, a master list of security passwords to the Marketing team if they ask. Nor would you give a list of the home addresses and contact information of staff to a software vendor. Sure, you trust these folks, but do they need this level of access to sensitive information? We’ll go out on a limb and say no.

Essentially, trust but verify relies on a strong defense, vetting then trusting people and systems. Zero trust is an internal strategy, focusing on hypervigilance around not only system security compliance, but access.  Here at DataMotion, we abide by both.

Case Study: Health Insurance Technology Startup

eBook: The Guide to Protecting Data in Motion

In the United States alone, statistics reflect as many as 2,500 security breaches daily, with insider activity accounting for up to 58% of this number. (1)  An internal breach has various causes, including BYOD practices, malicious activity, carelessness, or from plain, old-fashioned ignorance or human error. Additionally, 52% of employees surveyed do not feel that sharing login credentials poses a security risk to their employer. (2) Whatever the cause, a zero-trust strategy greatly reduces your organization’s chances of an access-related security lapse.

Like the Secret Service, DataMotion employs the “zero trust” approach (albeit, for us it is sans earpieces and guns—for some of our customers, it’s both). We provide a strong, multi-layered, security-and-compliance-centered strategy for your organization’s secure exchange —here are a few examples of how we apply this concept to keep your data safe:

Zero Visibility We facilitate your secure exchanges, but our team cannot view your messages, data or documents. Ever. They are seen by the sender and the intended recipient; after that, your organization’s protocols come into effect.

Limited Physical Access Only those employed by the data center may access servers running our systems. Any third parties that require access for critical functions are authorized and under contract by the data center.

Key Management The DataMotion system automatically handles encryption key management, creating a secure, easy to use system in which the encryption seeds are unique to each message and megabyte (MB) of document exchanged between users.

Governed Data Access All actions are validated by the data layer before data is accessed. Application servers have no direct access to data tables, and have to ask “may I please” to interact with the encrypted data store. The type and scope of every request must be approved by the data layer, producing a “need to know” environment that greatly reduces the attack surface.

Separation of Duties Data breaches can occur when there is overlap between access to source code and production systems. At DataMotion, developers have access to the code, but not the systems, and our operations team has access to the systems, but not the code. There is no Venn diagram of access, thus greatly reducing risk.

Background Checks In addition to a series of interviews and reference checks, all DataMotion employees also undergo additional background checks when hired.

DataMotion’s zero-trust architecture is only part of protecting your organization’s data.  In addition to the steps we take behind the scenes, each exchange meets your industry’s regulations and requirements, such as HIPAA, GLBA, PCI-DSS, HITECH, GDPR, PIPEDA, FINRA, FERPA, CCPA and CJIS,ensuring that your securely-sent communications are fully compliant.

While we trust no one, we are pleased to be trusted by others, with the following certifications:

• DirectTrust/EHNAC Registration Authority
• Certificate Authority, Health Information Service Provider
• ONC-HIT 2015 Edition Health IT Modular Certification
• SOC 2 clouds.

We are also, as of this writing, working on HiTrust certification.

DataMotion’s zero trust model helps achieve all these certifications and helps you, the customer, remain compliant with many different requirements and regulations.

When the US President travels, he’s not flying commercial, nor driven around in a standard sedan. No, this is where secure transit is employed, including Air Force One and the Beast. And secure transit just happens to be our specialty.

The presidential limousine (dubbed “the Beast”) is no ordinary car—its many security features include eight-inch-thick, armor-plated doors, Kevlar-reinforced tires, a specially-encrypted phone, and a Secret Service driver that is highly trained to be prepared for any driving condition or maneuver. Given this level of security, the President has excellent odds of travelling safely from Point A to Point B and arriving unscathed.

Your organization’s secure data and documents shouldn’t have to fly coach, nor be strapped into a 1960 sedan. DataMotion’s zero trust, security-first design is like the Beast—while we might not use Kevlar tires or armored plates, we do have the technological equivalent in our FIPS 140-2 encryption and our governed core (with need-to-know control and full activity reporting) ensuring that your data and documents in motion and at rest in our system are protected and arrive unscathed on their journey from Point A to Point B.

We know that like the president, your data can travel anywhere at any time, so we have built this same Beast-mode level of secure exchange into our new DataMotion app (available in the Apple App Store).

Let’s take a final jaunt back to the White House, where members of the First Family will have Secret Service agents tailing them wherever they go. If you are a teenager with a detail, chances are you’re going to try to give them the slip because let’s face it, it’s hard to blend in when you’re followed around by a bunch of serious-looking guys in suits. However, that same teenager will likely be more amenable to having their detail around if the suits are replaced by jeans, khakis and maybe a concert tee shirt. This way, the teen feels more at ease, and there are still layers of security surrounding the teen while they are in motion (or “on the move”) but blending in better.

This principle applies to DataMotion’s philosophy that security that is transparent is used. If it’s clunky or requires several additional steps, no matter how well-meaning or earnest an employee may be, bypassing security protocols might be the easiest way to quickly send documents and data, putting your organization at risk. Unobtrusive, transparent security is the way to go, enabling an employee to easily follow protocol and keep your data secure.  DataMotion’s APIs can easily integrate into any workflow, offering a seamless, frictionless experience for your staff and clients, keeping people productive and data secure.  By leveraging a zero trust architecture that offers a smooth experience, you have just elevated your organization’s security and productivity. We’d call that beauty and the beast.

There you have it. You’ve likely realized that the trust but verify approach, while providing a high perimeter, doesn’t do anything for your organization’s soft underbelly. We encourage you to leave your cybersecurity comfort zone, learn more about DataMotion, and about how our security-first approach can benefit your organization and clients.

Still have questions? Send us a note.

Sources

1. Insider Threat Statistics on Data Breach (pilixo.com)
2. Insider Threat Statistics: The seriousness of insider threats, intentional or not (isdecisions.com)