Proactive endpoint protection can help prevent your business from getting locked out by ransomware.

In my daily scan of the security news headlines, I’ve been noticing that more and more frequently, companies hit by ransomware are paying up. A more recent example is the City of Cartersville, Georgia, which paid a whopping $380K to its attackers.

Why are businesses and municipalities going against the guidance of the FBI, Secret Service, etc., and paying the ransom? The reality for many victims is they must get back online and functional as quickly as possible. (In some instances, recovering from backups is actually taking longer and has more internal cost than some of the ransom payments; in others, the businesses don’t have usable backups.)

As a primary engagement, we recently handled an incident response for a 30-plus-location convenience store chain. They were not targeted specifically; they happened to be sitting on Comcast Internet and had a poorly configured system exposed externally. Attackers are constantly scanning commonly used Internet providers for these kinds of vulnerabilities to exploit. While they didn’t pay the ransom, it did cost this chain well into the $60K range just to recover to a point in time and get things back to “normal.”

Plan ahead to save time and money

More companies are being hit, and more companies are being forced to pay a potentially non-recoverable “ransom fee” if they don’t have plans in place. These plans need to include:

  1. Prevention: Block and stop the attacks before they create an incident. It’s not if companies get attacked, targeted, or become a victim of “friend of a friend” emails… it’s when.
  2. Detection: Sometimes even the best prevention mechanisms can slip. Know when you are impacted, quickly, so you can contain and minimize the damage.
  3. Response: Know what to do when a legitimate threat is detected, whether that is through internal, knowledgeable incident response or through the assistance of an MSSP partner like PDI.

We saw Ursnif hit a financial services client just last week. Ursnif is a piece of malware that is designed to steal data, usually around the financial space. It steals browser sessions, cookies, usernames/passwords stored in the browser, and sits and watches what you type into websites through keyloggers. The source of the attack? An email from a trusted partner—with an address from which they were used to receiving emails and links.

Because PDI is this financial services firm’s partner for MDR, the malware was blocked, our SOC efficiently responded to contain and clean the affected system, and there was ZERO impact to the company. You can imagine the impact for a financial services company that does a lot of logging in and out of bank accounts, investment accounts, etc. The cost to this customer for that protection was minuscule compared to the potential havoc an Ursnif malware attack could have wreaked.

Ransom payment recovery is a HUGE deal

Remember that c-store chain I mentioned earlier? The ransom was initially set to $100K in order to get their systems and files decrypted.

That was a number their executive team was unwilling to pay, because of the financial impact to their business. Imagine your company staring at the realization it could be out of business because a random employee opened an email. I don’t like scare tactics, but these real-life examples are sobering.

One more recent example: our sales team sent an email about MDR and how important it is to a company that later became an incident response client; they received it two to three weeks prior to getting hit with ransomware. “I was interested but figured we could look at it later” was their response when I asked why they didn’t contact our team earlier.

Ready to talk about your business’s cybersecurity efforts? We’re here to help put you on the right path. Contact us today.