Ransomware is a serious threat for organizations of all sizes. Cyber criminals steal files and demand a ransom for the decryption key, which allows the organization to get their files back. Criminals target companies, municipalities, hospitals and others, scaling their demand to what they believe the victim can pay. They even hit small businesses, assuming the business won’t have a backup routine and they will have to pay the ransom demand rather than risk losing critical files.

Should companies pay ransom demands by hackers

Should Businesses Pay a Ransomware Demand?

There’s a theory saying if a business pays the ransom for their files, they will get them back. Otherwise, the crime wouldn’t pay as victims would see paying the ransom is futile. Nevertheless, the FBI says companies should not pay. Paying does not guarantee cyber criminals will provide the decryption key. Paying may also leave the business open to additional attacks as they become known as an easy target. Recent studies show 20 percent of organizations which pay the ransom never get their data back.

What happens When Companies Refuse to Pay the Ransom?

Cyber criminals behind the Maze Ransomware strain erected a website where they listed at least eight companies that refuse to pay the ransom. They also published proof of their successful attack, embarrassing companies that managed to keep the breach out of the news. If ransomware attacks are data breaches, it forces companies to follow their State’s data breach notification laws and industry-specific federal laws.

In May 2019, the City of Baltimore refused to pay a $76,000 ransom demand, payable in Bitcoin. The mayor said the city would just have to find the money somewhere to rebuild their network. As a result, the city had to pay over $18 million to restore their systems. This does not count the cost of preventing additional attacks.

Should Companies Report a Ransom Demand to Law Enforcement?

Businesses should contact the FBI’s Internet Crime Complaint Center (IC3), regardless of whether they can restore their files without paying the ransom. The FBI needs as much information as possible to investigate cyber criminals and the tactics they use. Healthcare providers in the United States must report demands for ransom to the Department of Health and Human Services.

What’s the First Thing an Organization Should Do After Receiving a Ransom Demand?

After reporting the demand to the FBI’s local field office, a company must enact their business continuity plan. This includes having an organization’s IT department or an outside company isolate the malware. Next, a company can restore their data from the backup, which should be stored offline or in the cloud. Organizations with backup plans have been able to recover their data without paying a ransom in more than half of the recent ransomware attacks.

Next, companies must inform investors, customers and other affected parties regarding what happened. Explain which data is in the hands of cyber criminals and how the company is taking steps to handle the situation. Companies that act immediately and are transparent regarding the data breach fare better in the public eye.

Why Companies Should Avoid Handling Ransom Demands on their Own?

In 2016, Uber allegedly paid $100,000 in Bitcoin to cyber criminals to delete the 57 million user files they stole. Uber employees found two of the three men responsible for the ransomware attack and instead of alerting law enforcement, they had the men sign nondisclosure agreements. Uber didn’t disclose the hack to law enforcement until 2017, a year later, when new CEO, Dara Khosrowshahi, took over. U.S. Attorney David L. Anderson in San Francisco charged Uber’s former Chief Security Officer Joseph Sullivan with obstruction of justice. Having been a former federal prosecutor specializing in computer crimes, Sullivan should have known better.

How Many Companies Pay the Ransom?

About three-quarters of companies who have never been hit with a ransomware demand say they wouldn’t pay. Once targeted by ransomware, two-thirds of companies pay, according to an IBM study. Cyber criminals are becoming more sophisticated; they only ask for a ransom they believe the company will see as reasonable compared to losing sensitive data. Companies also consider the loss of their reputation compared to the cost of paying the ransom. Rebuilding confidence in a brand is an expensive and time-consuming task.

How Do Companies Pay the Ransom?

Bitcoin was the only option when the first ransomware attacks began. The virtual currency is nearly untraceable, as are Western Union payments demanded by some cyber criminals. Ransom demands have evolved since Bitcoin’s price has become so volatile. Today, many actors behind the latest attacks want Amazon or iTunes gift cards.

Large and small companies are equally at risk as ransomware is increasingly easy to implement. Cyber criminals don’t have to be genius coders; Ransomware-as-a-Service is as cheap as $39 on the dark web. Criminals can attack numerous organizations, making thousands of dollars even after paying the RaaS provider their cut.

Identity and access management certifications

There are many types of accounts within systems and some accounts have more privileges or power to access and execute highly sensitive data and transactions than standard accounts. The majority of accounts fall within what is considered to be “normal” or “user”. Although user account credentials can be stolen to access systems, it is not likely these accounts will present a great threat to the organization. In contrast, privileged accounts which we will cover in detail are cause for concern if they are abused by insiders or stolen by hackers. Thus, although account security is important, privileged account protection must be of utmost priority for organizations.

According to Henry Bagdasarian, “privileged accounts offer the best bang for the buck to hackers who are always looking for easy and fast ways to gain system and account access.”

Privileged account management best practices

What is a Privileged Account?

A privileged account is one with access to sensitive data, critical functionalities of an organization’s IT infrastructure and systems, as well as high-impact transactions. Privileged accounts can be grouped under seven categories:

1. Local Administrative Accounts

These are accounts with access to sensitive system functionalities. They are used for IT tasks such as server maintenance and database management.

2. Privileged User Accounts

These are accounts with access to sensitive data and transactions assigned to limited number of individuals within the organization who may also be referred to as “super users”.

3. Domain Administrative Accounts

These are the most targeted types of accounts within an organization. They have access to all servers and workstations and can be used to tamper with other accounts.

4. Emergency Accounts

These are fail-safe accounts established to elevate unprivileged user accounts to admin accounts during emergency cases in order to resolve system issues or secure systems in counter attacks. They are also called break-glass and fire-call accounts.

5. Service Accounts

These are privileged domain and local accounts used to facilitate communication between applications/services and the operating system. They are complex to operate and hardly ever expire, hence creating potential dangers.

“Most companies don’t have a good accounting of their service accounts; their existence is sometimes unknown to the organization, they are either unassigned, dormant and never used, they never expire, and often have weak or no passwords” according to Bagdasarian.

6. Active Directory or Domain Service Accounts

These accounts are used to organize data into a logical hierarchy, hence facilitating the smooth operation of core functions within the organization. They are sensitive because applications and services cannot run unless these accounts are synchronized.

7. Application Accounts

These accounts are used to manage certain aspects of applications, including running batch jobs and providing access to databases. These accounts’ passwords are stored as unencrypted files and are under significant risk as a result.

Privileged Account Capabilities

Privileged accounts described in the above categories have the following capabilities:

  • Ability to install system hardware or software
  • Ability to create and modify accounts
  • Ability to execute transactions
  • Ability to reset passwords for others
  • Ability to access sensitive data
  • Ability to change IT infrastructure, systems, and configurations
  • Access to all machines and workstations in the system

How is a Privileged Account different from a Standard or Normal Account?

In summary, the underlying difference between privileged and normal accounts is that privileged accounts have more capabilities than standard accounts and require enhanced security and protection as we will cover in this article.

Privileged Account Management and Security Best Practices

As mentioned, privileged accounts must be protected better than standard accounts. Privileged Account Management (PAM) essentially entails a rigid plan and IT infrastructure to manage all privileged accounts. It entails a great deal of accounting, security, and monitoring. Below are some of the best practices to keep in mind:

Strengthening Password

Strong password is a basic cybersecurity requirement and a necessary tool for accessing any account. Privileged accounts must have their passwords changed routinely and follow best password management practices. They must be kept confidential and never shared. There are some password management tools such as LastPass that can securely store passwords and provide password strength analysis.

Separation of Privileges and Duties

Ideally, privileged accounts should only be granted to appropriate personnel. This necessitates separating and assigning privileges and duties on a need-to-have basis. Ideally, only a limited of number of select individuals within the organization and departments must be entitled to owning a privileged account. It also entails separating roles and functions, including users’ entitlement to read, write, edit, and execute data, among other things.

Separation or segregation of duties and privileges can be used to prevent security breaches by personnel and ensure log integrity for incident investigations.

Segmentation of Systems and Networks

Segmenting systems and networks essentially entails separating them, just like privileges and duties are separated based on relevance and importance. Systems and networks are segmented based on trust levels and privilege settings. Usually, privileged accounts run on the upper levels while unprivileged ones are allocated to the lower levels – consequently, the upper levels are more secure than the lower ones.

Monitoring and Auditing Privileged Activity

One of the threats to privileged accounts is a breach from within the organization, usually by personnel with privileged access. This is why it is necessary to monitor suspicious privileged activity by implementing Privileged Session Management and Monitoring (PSM). In addition to monitoring and recording privileged activity, it is also necessary to audit all activities by capturing keystrokes and screenshots. It is also necessary to implement ways to detect and prevent unauthorized access.

It is also important to have user threat analytics systems for personnel with access to privileged accounts. This will help detect any deviations from the recommended guidelines and help prevent potential attacks before they start.

On that note, it would also be prudent to enforce real-time vulnerability-based least-privilege access. This would enable real-time risk-based access decisions to stop potential breaches as they occur.

Mitigating Threats to Privileged Accounts

Just because privileged accounts are allocated tighter security measures does not mean that they are immune from attacks. Threats to these accounts exist in various forms and can be perpetrated either unintentionally by unwitting personnel or intentionally and maliciously by hackers with a robust plan and sophisticated resources.

An attack on a privileged account can bring many of the organization’s operations to a standstill. This is why it is important to have ready solutions to these threats. Experts recommend the following:

Being Proactive

Being proactive essentially entails taking precautions anticipating these and other threats. Recommended security measures include the requirements mentioned earlier, such as separation of privileges, password management, and implementing Privileged Session Management and Monitoring (PSM).

Upgrading to Better Security Systems

Hackers are becoming more and more sophisticated as time passes. Your organization’s current security system may not be a match for future hackers’ tactics, so it is important to upgrade to the latest cybersecurity systems. For example, integrating biometric security solutions to your current security system would considerably reduce the number of active threats and risks to the whole system.

Changing Credentials Regularly

Credentials essentially are the keys to your organization’s accounts and the entire IT infrastructure. They can become compromised at any time, so it is important to change them regularly to be safe specially if they have already been compromised without your knowledge. It is also advisable to be creative when choosing credentials to make them unique and, therefore, difficult to hack.

Training Employees

Employees often are the weakest link in most organizations’ IT systems. This is because they are ignorant of the looming threats and do not understand how to protect themselves from hackers. As such, it is important to talk to employees about the importance of good cybersecurity practices and equip them with the necessary resources to protect their accounts.

Leading Brands in Privileged Account Management

There are many Privileged Account Management platforms. The following is an overview of three PAM service providers:

Beyond Trust

Beyond Trust was listed as a leader in Privileged Access Management. Its PAM services are customizable and especially ideal for companies running multiple operating systems in their networks.

Centrify

Centrify is made up of two service provision categories dealing with PAM and IDaaS offerings. The company has also received recognition by industry research firms.

CyberArk

CyberArk excels at mitigating risks and offering customized technical support. It was also named a leader in Privileged Identity Management.

Identity and access management certifications

Final Word

The threat posed by cyber-attacks is always looming, and it is getting worse as time goes by. Avoid becoming a victim by securing your most important accounts and digital platforms. Pay particular attention to highly privileged accounts by implementing a PAM solution. Identify privileged accounts, assign ownership, secure with strong authentication, and monitor to detect misuse.