Equipped To Survive® Presents
The Survival Forum

Page 2 of 3 < 1 2 3 >
#298967 - 05/14/21 02:57 PM Re: Pipeline Ransomware Attack [Re: Blast]
dougwalkabout Offline
Crazy Canuck
Carpal Tunnel

Registered: 02/03/07
Posts: 3250
Loc: Alberta, Canada
Well said, Chaos. I wonder if it's becoming a cost of doing business, akin to settling petty lawsuits instead of fighting them in court. I think ransomware insurance is also available now, and that becomes part of the calculation.

#298968 - 05/14/21 03:21 PM Re: Pipeline Ransomware Attack [Re: Blast]
Ren Offline
Addict

Registered: 11/05/07
Posts: 552
Loc: Wales, UK
Does seem to be on the rise, or it's just getting more widely reported.

The DC Metropolitan police were prepared to pay $100,000 to prevent officers' records being released publicly.

https://arstechnica.com/gadgets/2021/05/...c-police-stall/
Edited by Ren (05/14/21 07:59 PM)

#298969 - 05/15/21 11:38 AM Re: Pipeline Ransomware Attack [Re: Blast]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3851
Loc: USA
Ransomware has gone from “it isn’t a concern” to being highly visible at the Board of Directors level.

One more useful tidbit about the Colonial Pipeline case; it’s been reported on Twitter (I am choosing to not link to that platform) that it was the billing system that was hit with ransomware.

#298971 - 05/16/21 05:32 AM Re: Pipeline Ransomware Attack [Re: Blast]
haertig Offline
Pooh-Bah

Registered: 03/13/05
Posts: 2322
Loc: Colorado
I wonder why companies don't:

(1) Take everything offline
(2) Restore from backups
(3) Bring up networks internally only
(4) Fix security flaws
(5) Carefully open minimal external networking
(6) Monitor, monitor, monitor
(7) Reevaluate if they need such a large online presence
(8) Implement an online presence that is isolated from your internal infrastructure and databases

If you have to pay ransom, that would imply you don't have a good backup strategy in place.

#298973 - 05/16/21 01:59 PM Re: Pipeline Ransomware Attack [Re: Blast]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3851
Loc: USA
Your list is excellent, haertig.

Based on public sources, it appeared that the victim in this case had good backups. Restoring backups can be very time-consuming. Ransomware operators in general are also stealing data and threatening to release it if the ransom isn’t paid.

Addressing specific points from your list:

1) Networks are borderless more often than not. Most employers would struggle badly here in keeping employees in the field productive without remote access to the network. Going all VPN might not be a big difference to how things operate now, assuming that sufficient VPN capacity exists to try this. This was even more critical during the office shutdowns brought on by the pandemic.

2) Backup tech has gotten a lot better, so we won’t be digging through a mountain of tapes to get everything back. Keeping remote workstation backups recent is far easier.

4) This is INCREDIBLY hard for most organizations. They don’t have the capacity to see where known security vulnerabilities are or to patch them in a reasonable timeframe. There’s an entire industry around outsourcing this critical, fundamental task, and most of the vendors I see who do this for other companies are terrible or worse.

6) The skillset to implement monitoring tools is hard to find; hiring and keeping the people to do the monitoring effectively is very expensive. There’s an entire industry around outsourcing this critical, fundamental task, but unlike in (4) there are some services that are extremely good here. But it’s very expensive.

7) Much of the online presence that is customer-facing is cloud based or otherwise outsourced for many companies. It’s keeping their knowledge workers productive that produces most of the network requirements in many organizations.

8) For sure.

#298974 - 05/16/21 07:09 PM Re: Pipeline Ransomware Attack [Re: Blast]
haertig Offline
Pooh-Bah

Registered: 03/13/05
Posts: 2322
Loc: Colorado
I meant those as a sequence of steps to remedy the current problem. e.g., "(1) Take everything offline" is a limited duration step to allow restoring from backups and fixing of security flaws before going back online in step "(5) Carefully open minimal external networking".

"Take everything offline" (permanently!) would be a very good security precaution, but totally unworkable in today's world. Employees should remotely access company infrastructure via VPN at a minimum, with customers accessing only what customers need to access in a totally isolated area (cloud instances, or whatever). Customers may need to see their accounts, but you don't implement that by giving them access to your internal billing database. Even if you have roles and security defined (which you should, for employees), you still don't give customers the chance to even touch your internal infrastructure. It is certainly easier and more convenient to do so, but there goes your security if you travel down that path.

#298975 - 05/16/21 10:29 PM Re: Pipeline Ransomware Attack [Re: Blast]
Ren Offline
Addict

Registered: 11/05/07
Posts: 552
Loc: Wales, UK
It's quite a demonstration of a company's incompetence. Critical infrastructure should be expected to hold up against state actors. Never mind some group trying to make a buck.

Guess they got access pretty easily, much like the Florida water plant attack a while back. The plant was running a remote desktop server (TeamViewer IIRC) on the machine that also had the software to control the amount of which chemicals were added to the water.

#298976 - 05/17/21 11:30 AM Re: Pipeline Ransomware Attack [Re: Blast]
Ren Offline
Addict

Registered: 11/05/07
Posts: 552
Loc: Wales, UK
Bruce Schneier

Is 85% of US Critical Infrastructure in Private Hands?

https://www.schneier.com/blog/archives/2...vate-hands.html

#298977 - 05/17/21 03:17 PM Re: Pipeline Ransomware Attack [Re: Blast]
chaosmagnet Offline
Sheriff
Carpal Tunnel

Registered: 12/03/09
Posts: 3851
Loc: USA
Big update on the reported threat actor for the Colonial Pipeline attack: https://krebsonsecurity.com/2021/05/dark...n-stash-seized/

#298978 - 05/17/21 06:46 PM Re: Pipeline Ransomware Attack [Re: Blast]
dougwalkabout Offline
Crazy Canuck
Carpal Tunnel

Registered: 02/03/07
Posts: 3250
Loc: Alberta, Canada
Oh, what a tangled web we weave ...
