February was a tough month for the Colorado Department of Transportation (CDOT), which suffered two back-to-back ransomware infections. After security measures against the first infection were put in place and recovery was underway, a second ransomware variant penetrated the defenses and re-infected systems in the environment.

This was only the latest in a string of ransomware and other malware infections reported in recent months. The attacks hit hospitals, healthcare organizations, and state and local government agencies, and the cost of restoring data ran into enormous sums.

The Colorado Governor’s Office of Information Technology (OIT) is working with the FBI and other security agencies to determine how the ransomware entered the CDOT network, and has begun restoring systems from backup. OIT also stated that no ransom would be paid.

To pay or not to pay—that is a vexed question. Paying a ransom after a breach is generally discouraged by security professionals and by the government agencies that respond to and advise on cyber security incidents, but the decision can still be a difficult one. It depends on many factors, including the time and cost of restoring systems, the state of the organization’s backups, and the value of the data that stands to be lost.

Recent research by the security company McAfee reports that up to 30% of the ransomware cases it examined supplied victims with “fake or nonexistent” contact information for sending the ransom payment. Other reports describe victims who paid and still never received a recovery key. Together these findings should make anyone question whether paying a ransom after a breach does any good at all.

Anti-virus solutions alone are insufficient to prevent costly infections

In a 2017 Ransomware Report by CyberSecurity Insiders, 74% of respondents named data backup and recovery as the most effective response to a ransomware infection. That is despite nearly the same share (73%) reporting that they rely on antivirus or another type of endpoint security product to prevent a ransomware infection in the first place.

Many agencies won’t comment publicly on their security posture or name the antivirus product they use against malware threats such as ransomware. That is understandable from an operations security perspective. However, the number of public ransomware reports suggests that costly infections still get past those defenses, and that an effective response plan must include backups of all critical systems.

After public reports of a malware infection in its environment, one healthcare organization that had initially declined to discuss its security defenses eventually responded, “Of course we were running antivirus.”

The Colorado Governor’s Office of Information Technology confirmed that antivirus technology was deployed in the CDOT environment as well. Relying on antivirus alone is clearly insufficient in today’s threat landscape to protect against new ransomware and other malware variants. CDOT and many other organizations pair data backups with other security technologies to defend against these threats, and a backup and restoration plan remains the most reliable way to recover. Two caveats apply: backups that remain reachable from the infected network are themselves a target for encryption, so copies must be kept offline or otherwise write-protected, and a restore that has never been exercised is not a plan. The CDOT re-infection also shows that restoring data is not the same as closing the entry point; restored systems need to come back behind fixed defenses. Refusing to pay a costly ransom arguably deters future attacks.

What are you doing to protect your organization from ransomware attacks?