Last updated on July 13th, 2022 at 09:55 am
Many companies have professionals on staff who could have saved them millions on a ransomware attack; they just chose not to listen to them.
The title is largely my opinion because obviously I’m not researching the inner IT workings of every single company that’s been hit by a ransomware attack, but this statement actually came up in my day job not too long ago and it really made me think about how often IT warnings go unheeded.
In case you’ve been living under a rock, ransomware attacks continue to rise. While the basic idea remains the same, the complexity of the attacks (and the ransom amounts demanded) has skyrocketed.
What’s more, with only a few notable exceptions, most are preventable. And even more shocking, many companies already had people on staff who knew how to prevent them but didn’t give them the resources or decision-making power to do so.
A Personal Story
I worked for a company in 2016 that was hit by the WannaCry ransomware attack. I was a relatively new network admin who came in a year earlier from a high-security environment. I learned early on that every employee had local admin rights on all the computers. When I asked my IT manager why this was the case, the response I got was, “The C-Suite won’t let us take them away because it slows things down if they have to wait for us to install things.” In other words, everyone in IT knew it was a bad idea, but our hands were tied.
Fast forward to a year later… an employee opens a malicious email attachment, and when the Windows User Account Control pops up and asks, “Are you sure you want to do this?” they’re able to simply click “Yes”. That kicked off an encryption worm that ran through the entire enterprise, hitting anything and everything the employee had access to. Did I also mention that there was no real separation of rights on corporate file servers? Everything was being encrypted.
This company was a 24/7 manufacturing plant. Every hour of downtime cost them tens of thousands of dollars. The damage could have been worse; I was able to isolate the user account in the middle of the attack and disable it, and then spent 36 sleepless hours restoring files from backup. The company only lost about 10 hours’ worth of production.
That evening I got the all-clear from the CEO to remove local admin rights from everyone. Something I had recommended a year earlier, and multiple times since, couldn’t take place until the people in charge were able to see with their own eyes and wallets what it costs to ignore the people you entrust your critical systems to.
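The remediation in the story above, removing standing local admin rights, needs a way to find out who actually holds them on each machine. The following audit script is an added example, not code from the original post; it assumes Windows 10 / Server 2016 or later with the built-in Microsoft.PowerShell.LocalAccounts module, and the approved principal names (`CORP\IT-Workstation-Admins`) are hypothetical placeholders to replace with your own.

```powershell
# Added example (not from the original post): audit the local Administrators group
# against an approved list, report every member, and only remove unapproved ones
# when -Remove is given (honours -WhatIf / -Confirm via SupportsShouldProcess).
# Assumes Windows 10 / Server 2016+ (Microsoft.PowerShell.LocalAccounts module).
[CmdletBinding(SupportsShouldProcess)]
param(
    # Principals allowed to keep local admin. Hypothetical names; adjust for your domain.
    [string[]]$Approved = @("$env:COMPUTERNAME\Administrator", 'CORP\IT-Workstation-Admins'),
    # Report-only by default; pass -Remove to actually strip unapproved members.
    [switch]$Remove
)

# Each member comes back as DOMAIN\name (or COMPUTER\name for local accounts).
$members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop

foreach ($m in $members) {
    $allowed = $Approved -contains $m.Name

    $record = [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Member   = $m.Name
        Type     = $m.ObjectClass      # User or Group
        Source   = $m.PrincipalSource  # Local, ActiveDirectory, AzureAD, MicrosoftAccount
        Approved = $allowed
        Action   = 'None'
    }

    if (-not $allowed) {
        if ($Remove -and $PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            # -Member accepts the principal object returned by Get-LocalGroupMember.
            Remove-LocalGroupMember -Group 'Administrators' -Member $m -ErrorAction Stop
            $record.Action = 'Removed'
        }
        else {
            $record.Action = 'Flagged'
        }
    }

    # Emit one object per member so the output can be piped to Export-Csv or a SIEM.
    $record
}
```

Run it first without `-Remove` (or with `-Remove -WhatIf`) across a fleet via `Invoke-Command`, and export the objects to see how far the "everyone is a local admin" problem really extends before changing anything. Note that `Get-LocalGroupMember` can fail on some builds when the group contains an orphaned SID from a deleted account; clean those up before relying on the audit.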
Over at Reddit, the sysadmin sub is regularly full of stories where someone has warned their company about a vulnerability and been ignored, only to find themselves cleaning up the mess later.
Here are a few examples of big hacks, some resulting in ransomware attacks and others in stolen data, that were completely avoidable and were either likely or verifiably warned against by the IT staff in place.
The hack of Home Depot’s Point of Sale system was one of the first really big hacks that hit the news. It was also one of the first times a company’s cyber security team publicly stated that their warnings went unheeded.
More recently, and probably more devastating in scope, the SolarWinds hack of 2020 was an incredibly damaging exploitation of technology. Details are still foggy about how the company’s core code became corrupted with malware, but an exposed update server with a simple password may be to blame. Did anyone specifically warn them? We might never know, but at the very least someone chose to ignore setting up a server policy that would have required a complex password.
Ransomware Attacks are now the Most Prominent Malware Threat
A 2019 report published by Datto stated that 85% of Managed Service Providers reported ransomware to be the most common malware threat to their clients. And that report came out a full 2 years before the massive Kaseya supply chain hack that resulted in thousands of MSP customers being infected with ransomware.
Ransomware is so pervasive now for basically one reason: it’s profitable. While other types of malware quietly steal information for sale on the black market or steal victims’ CPU cycles to mine for cryptocurrency, ransomware offers a very effective way to extort money directly from the victim.
In 2021, one of the largest US insurance companies reportedly paid hackers $40 million when their own systems were hit with ransomware. This is an incredible sum of money that not only encourages hackers to continue their attacks but also provides them with enough financial backing to make their attacks even more sophisticated.
Sophisticated – But Still Preventable
In theory, every cyberattack that succeeds is preventable, but in a real-world scenario sometimes companies just accept the risk as part of doing business.
The bulk of ransomware attacks still take hold via phishing emails, unprotected remote desktop sessions, and software vulnerabilities [source]. While protecting against software vulnerabilities, especially zero-day exploits, can be tricky and difficult, there’s almost no excuse in today’s technology-driven world for a company not to put resources in place to protect against phishing emails and exposed RDP sessions… and those are 2 of the most common attack vectors!
So why don’t they do it? Why would most companies and government organizations fail a basic cyber security audit when the cost of suffering an attack is so enormous?
Culture & Competition
In a competitive market, companies are driven to operate in the leanest fashion possible in order to be profitable. In this frequent race-to-the-bottom on expenses, the first places most companies cut are what I call invisible services.
Invisible services are those parts of the company that don’t provide an immediate influx of money and regularly are staffed by folks who aren’t part of the normal office staff. Janitorial and information technology staff are generally the bulk of a company’s invisible crew. And they’re remarkably similar.
Historically, companies are led by corporate staff. And while the average age of CEOs has come down in the last 20 years, the bulk of them still come from a generation that didn’t grow up with anything remotely like the technology their own companies use today.
This gap has fostered the idea that Information Technology is simply an overhead expense rather than a value-added service to their company. It’s something to be heavily controlled, minimized, and made as lean as possible.
There’s nothing wrong with that on the face of it if the leader understands what a well-functioning IT department does, but when that’s not the case (which is most of the time), these departments get cut to the point of not being able to perform their duties and protect the company from a ransomware attack.
But Change May be on the Horizon
The average age for a C-Suite member is now 56. Why is this significant? Today’s 56-year-olds are among the first CEOs who might have a better idea of how important it is to protect a company’s data. This new wave of more tech-savvy CEOs is likely to place more priority on cybersecurity than their predecessors.
Additionally, a lot of insurance companies used by businesses are being asked to pay out ransomware demands or process claims for the costs of recovery efforts. As a result, many business insurance policies now require the insured to take specific steps towards securing their systems, or the insurer will flat-out refuse to cover them or pay out on claims. These compliance requirements can be highly technical, such as enforcing 2-factor authentication for certain systems, or even dictate that a certain percentage of the operating budget be spent on cybersecurity-related initiatives.
Finally, as businesses are beginning to bear the brunt of the cost of poor cybersecurity through higher insurance premiums and lawsuits from affected customers, the cost of increasing their security posture is beginning to look more attractive. Cyber security is starting to be viewed as part of the road to profit rather than an expense that robs you of it.