This past week the HIMSS conference was held in Las Vegas. Healthcare Dive reports on a session on whether healthcare organizations should pay to settle a ransomware attack. It’s complicated because “With patient lives on the line, continuity of care is essential — and it might cost more to fight the attack by halting operations and bringing in pricey outside cybersecurity consultants.” In this regard, Fierce Healthcare informs us that “

A massive cyberattack May 1 cost Scripps Health $112.7 million through the end of June, with lost revenue bearing most of the cost.

The nonprofit San Diego-based hospital system reported the impact during its second-quarter earnings filed Tuesday.

Healthcare Dive adds

Currently, security experts are experiencing a strategic sea change in how they counter cyberattacks, shifting from a focus on shoring up defense — an increasingly outdated and ineffective plan, given the increasing volume and complexity of cyberattacks, coupled with the massive size of healthcare organization’s IT surfaces that need protection — to survivability. Panelists recommended companies assess their IT strengths and weaknesses to know how to prepare, even role-playing a breach to see how their contingency processes play out and workforce responds.

In that regards, here are some articles that caught the FEHBlog’s eye this week:

• ISACA offers a thought provoking article on this topic: “Today, organizations’ No. 1 prerogative is implementing consistent data security measures and ensuring that it does not cause undue complexity in IT operations and business application changes. Complexity hides attacks by insiders and increases the chance of human error: Thales Data Threat reports 2021 states that respondents consider malicious insiders as the top threat at 35 percent, with human error at 31 percent. This blog post explores the approach and technology that is useful to reduce complexity in data security measures across the organization.”
• SupplyChainBrain discusses “Why Virtual Private Networks Aren’t Enough to Ensure Cybersecurity.” In short, “We still find VPNs being heavily used, but zero-trust is starting to pick up steam. Some of the major firewall vendors and VPN vendors are beginning to introduce zero-trust-based access. Fewer and fewer folks are doing traditional credential-based access on VPN, but the Colonial Pipeline ransomware attack showed us that large infrastructure providers are still using a username and credentials instead of moving to multi-factor. Those that are doing multi-factor are definitely moving toward adding device trust on top of that to create additional security. The multi-factor authentication market is quite strong, but there’s room for improvement, even in traditional VPN architecture.”
• TechTalk looks at steps toward achieving data security in the cloud.

In closing, here’s a link to Bleeping Computer’s The Week in Ransomware. In short, “This week we saw an existing operation rise in attacks while existing ransomware operations turn to Windows vulnerabilities to elevate their privileges.” In this regard, Cyberscoop reports on

The so-called PrintNightmare vulnerability in Microsoft software is turning into a dream for ransomware gangs.

For the second time this week, security researchers have warned that extortionists exploited the critical flaw in an attempt to lock files and shake down victims. It shows how, more than a month after Microsoft disclosed the bug and urged users to update their software, a new round of exploitation is under way against vulnerable organizations.

A ransomware group dubbed Vice Society recently seized on the PrintNightmare bug to move through an unnamed victim’s network and attempt to steal sensitive data, Talos, Cisco’s threat intelligence unit, said Thursday. A day earlier, cybersecurity firm CrowdStrike said that hackers using another type of ransomware had tried to use PrintNightmare to infect victims in South Korea. Neither Talos nor CrowdStrike named the targeted organizations.

ZDNet adds that just this week

Microsoft released an update that changes the default behavior in the operating system and prevents some end users from installing print drivers. 

The key change in this month’s Patch Tuesday update for the bug CVE-2021-34481, aka PrintNightmare, is that users will need admin rights to install print drivers. 

Vulnerability scan anyone?

Security Week informs us that the infrastructure spending bill currently under U.S. Senate consideration includes

approximately $2 billion to “modernize and secure federal, state, and local IT and networks; protect critical infrastructure and utilities; and support public or private entities as they respond to and recover from significant cyberattacks and breaches.”

The bill, which contains more than 300 occurrences of the words “cyber” and “cybersecurity,” includes the Cyber Response and Recovery Fund, which provides $20 million per year until 2028 for assisting government and private sector organizations respond to cyber incidents.

A total of $550 million has been allocated to enhancing the security of the power grid. Some of the money is for developing solutions to identify and mitigate vulnerabilities, improve the security of field devices and control systems, as well as addressing issues related to workforce and supply chains.

The Washington Post adds that the “Senate Democrats and Republicans cleared another key procedural hurdle Saturday [August 7] on a roughly $1 trillion bill to improve the country’s infrastructure, though disagreements continue to plague lawmakers and prevent the measure’s swift passage.”

Nextgov informs us that

The Cybersecurity and Infrastructure Security Agency will work with agency stakeholders and new private-sector partners to minimize the risk of cyber incidents and better coordinate defensive actions if successful attacks occur under a new effort announced Thursday [August 5].

The Joint Cyber Defense Collaborative, or JCDC, will aim to take a proactive approach to cyber defense in the wake of several high-profile breaches that affected the federal government and public, according to CISA Director Jen Easterly. * * *

Initial industry partners include Amazon Web Services, AT&T, CrowdStrike, FireEye Mandiant, Google Cloud, Lumen, Microsoft, Palo Alto Networks and Verizon. * * *

Current government partners in the effort thus far include the Department of Defense, U.S. Cyber Command, the National Security Agency, the Department of Justice, the Federal Bureau of Investigation and the Office of the Director of National Intelligence. 

Here is a link to the JCDC’s website. The NextGov article indicates that the JCDC’s initial focus will be on ransomware.

According to Bleeping Computer’s The Week in Ransomware

If there is one thing we learned this week, it’s that not only are corporations vulnerable to insider threats but so are ransomware operations.

The LockBit 2.0 ransomware is now trying to recruit corporate insiders to help them breach networks. In return, the insider is promised millions of dollars.

On the flip side, ransomware operations are vulnerable too. Yesterday, after being banned from the Conti ransomware operation, a Conti affiliate leaked the training material for the ransomware operation on the XSS hacking forum, giving security researchers and defenders an inside look at the tools being used by the group.

ZDNet advocates “Constant review of third-party security critical as ransomware threat climbs.”

Cyberscoop reports

The Biden administration backed away from the idea of banning ransomware payments after meetings with the private sector and cybersecurity experts, a top cybersecurity official said Wednesday [August 4].

“Initially, I thought that was a good approach,” Anne Neuberger, deputy national security adviser for cyber and emerging technology, said at an Aspen Security Forum event. “We know that ransom payments are driving this ecosystem.”

Experts, including former government officials serving on a non-profit ransomware task force, helped shift that view, following high-profile hacks against Colonial Pipeline, the food production company JBS and Kaseya, a Florida-based IT firm. Payments from the Colonial Pipeline and JBS attacks totaled more than $15 million, a number that likely represents a fraction of the funds sent to extortionists.

“We heard loud and clear from many that the state of resilience is inadequate, and as such, if we banned ransom payments we would essentially drive even more of that activity underground and lose insight into it that will enable us to disrupt it,” she said.

The FEHBlog has registered for a free Public Contract Institute webinar on Data Abduction: Combatting and Limiting Ransomware Risks. Here is a link to the registration page.

Finally this past week the National Institute of Standards and Technology released for public comments draft revisions to existing relevant Standard Publications:

• SP 800-53A Assessing Security and Privacy Controls in Information Systems and Organizations

• SP 800-160 Developing Cyber-Resilient Systems: A Systems Security Engineering Approach

The public comment deadline is October 1, 2021, for SP 800-53 and September 20, 2021 for SP 800-160.

The Federal Bureau of Investigation announced that on July 28, 2021, “The Cybersecurity and Infrastructure Security Agency (CISA), Australian Cyber Security Centre (ACSC), United Kingdom’s National Cyber Security Centre (NCSC) and Federal Bureau of Investigation (FBI) released a joint cybersecurity advisory today, highlighting the top Common Vulnerabilities and Exposures (CVEs) routinely exploited by cyber actors in 2020 and those vulnerabilities being widely exploited thus far in 2021. Cyber actors continue to exploit publicly known—and often dated—software vulnerabilities against broad target sets, including public and private sector organizations worldwide. It’s recommended that organizations apply the available patches for the 30 vulnerabilities listed in the joint cybersecurity advisory and implement a centralized patch management system.” Check it out because as the FBI explains “One of the most effective best practices to mitigate many vulnerabilities is to update software once patches are available and as soon as is practicable. Focusing cyber defense resources on patching those vulnerabilities that malicious cyber actors most often use should be ingrained in the culture of every organization. This approach offers the potential of not only bolstering network security, but also impeding the disruptive, destructive operations of our adversaries.”

To help reduce such vulnerabilities, the federal government’s Cybersecurity and Infrastructure Security Agency (“CISA”) announced yesterday July 30

the launch of its VDP Platform for the federal civilian enterprise, the latest shared service offered by CISA’s Cyber Quality Services Management Office (QSMO) and provided by BugCrowd and EnDyna. The VDP Platform provides a single, centrally managed online website for agencies to list systems in scope for their vulnerability disclosure policies, enabling security researchers and members of the general public to find vulnerabilities in agency websites and submit reports for analysis. The Department of Homeland Security (DHS), the Department of Labor (DoL), and the Department of Interior (DoI) are among the agencies planning to leverage this platform at the onset. * * *

Through this crowdsourcing platform, Federal Civilian Executive Branch (FCEB) agencies will now be able to coordinate with the security research community in a streamlined fashion and those reporting incidents enjoy a single, usable website to facilitate submission of findings. The platform encourages collaboration and information sharing between the public and private sectors by allowing uniquely skilled researchers to submit vulnerability reports, which agencies will use to understand and address vulnerabilities that were previously unidentified. BugCrowd and EnDyna, the service providers, will conduct an initial assessment of the vulnerability reports submitted. This initial assessment will free up agencies’ time and resources and allow agencies to focus on those reports that have real impact. * * *

For more information about QSMO and CISA’s new VDP platform, visit Cyber QSMO Marketplace, VDP Fact Sheet, or contact us at QSMO@cisa.dhs.gov.

On a related note, per CISA,

The National Security Agency (NSA) has released an information sheet with guidance on securing wireless devices while in public for National Security System, Department of Defense, and Defense Industrial Base teleworkers, as well as the general public. This information sheet provides information on malicious techniques used by cyber actors to target wireless devices and ways to protect against it. CISA encourages organization leaders, administrators, and users to review NSA’s guidance on Securing Wireless Devices in Public Settings and CISA’s Security Tip on Privacy and Mobile Device Apps for information on protecting devices and data.

These preventive measures are timely because according to Security Weekly, “A global study commissioned by IBM Security shows that the average cost of a data breach exceeded $4.2 million during the coronavirus pandemic, which the company pointed out is the highest in the 17-year history of its “Cost of a Data Breach” report.”

Last but not least, here is a link to Bleeping Computer’s The Week in Ransomware.

Ransomware continues to be active this week, with new threat actors releasing new features, No More Ransom turning five, and a veteran group rebrands.

This week marked the fifth anniversary of No More Ransomware, where they announced that they had saved €1 billion in ransom payments through the decryptors on their platform.

We also saw ransomware groups continue to innovate with LockBit 2.0 now using group policiesto automate the deployment of their ransomware over a Windows domain.

I shared what I know about the inner conflict of the Babuk ransomware gang that led to the Admin starting a new RAMP cybercrime forum and the rest of the team launching Babuk version 2.0.

Finally, DoppelPaymber has rebranded as a new ransomware operation known as Grief, which began operating in May.

Also Bleeping Computer informs us that “A new ransomware gang named BlackMatter is purchasing access to corporate networks while claiming to include the best features from the notorious and now-defunct REvil and DarkSide operations.” Oh joy.

Bleeping Computer’s This Week in Ransomware leads with the following:

This week has quite a bit of news ranging from the USA formally accusing China of the recent ProxyLogon vulnerability and Kaseya mysteriously obtaining the universal decryption key.

The US government this week officially attributed the ProxyLogon Microsoft Exchange attacks to China. Threat actors used this vulnerability to install a variety of malware, including the BlackKingdom ransomware.

In a surprise announcement, Kaseya has stated that they received the universal decryption key for their July 2nd REvil ransomware attack. This key will allow all victims of the attack to recover their files for free.

Cyberscoop has a more detailed story on the Kaseya hack resolution.

In other ransomware news / protective advice

• The RSA Conference offers advanced common sense advice on how to handle a ransomware attack. “In the recent ISACA Ransomware Pulse Poll, 21% of respondents reported that they have already experienced a ransomware attack, and 46% consider ransomware to be the cyberthreat most likely to impact their organization within the next 12 months.”
• ISACA advises that the importance of conducting periodic information security audits of cloud services vendors from the perspectives of the vendor and the customer.
• Threatpost explains the importance of creating a long term remote security strategy as business begin to formalize permanent hybrid working arrangements. In the author’s opinion.

HHS’s Office for Civil Rights, which enforces the HIPAA Privacy and Security Rules has request public input as follows:

We want to hear from you! OCR and our partners at the HHS Office of the National Coordinator for Health Information Technology (ONC) are seeking user feedback and improvement suggestions on the Security Risk Assessment (SRA) Tool.  The SRA Tool is designed to help small and medium-sized healthcare providers conduct a security risk assessment, as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Services (CMS) Promoting Interoperability Program. If you have suggestions on how to improve the Tool, we ask you to complete our short survey by July 31, 2021:https://stats.altarum.org/limesurvey/index.php/547532?lang=en.

Finally the Washington Examiner reports that

The House Energy and Commerce committee passed eight bipartisan bills this week to better equip the government and businesses with tools to handle the recent explosion in ransomware attacks.

The bills, which passed with overwhelming bipartisan support, are focused on increasing coordination between the government and relevant industries, implementing cybersecurity best practices, educating everyday technology users, limiting the use of Chinese devices, and strengthening the security programs at the Federal Communications Commission and the National Telecommunications and Information Administration. * * *

One key purpose for the bills is to increase coordination between the federal government and affected businesses and industries.

“These bills will really improve the information sharing and cybersecurity readiness testing of the government by forcing all the right people to get into a room and fix things,” said Shane Tews, a senior fellow who focuses on cybersecurity and technology issues at the American Enterprise Institute, a right-of-center think tank.

“Hopefully, we get to a stage where the government is gaming out cyber problems and vulnerabilities in advance and then sending out software patches to solve them every week, like Microsoft, and other companies do internally on a regular basis,” she added.

Sound idea.

The American Hospital Association informs us that

The White House yesterday announced an interagency task force and other initiatives to protect U.S. organizations from ransomware attacks [on July 15]. The task force has been coordinating federal efforts to improve the nation’s cybersecurity as directed by the president in April. In addition, the departments of Homeland Security and Justice yesterday launched a one-stop website for federal resources to help organizations reduce their ransomware risk; the Treasury Department’s Financial Crimes Enforcement Network will convene public and private sector stakeholders in August to discuss ransomware concerns and information sharing; and the State Department will offer up to $10 million for information leading to the identification or location of anyone engaged in malicious cyber activities against U.S. critical infrastructure.

Here’s a link the Bleeping Computer’s Week in Ransomware.

Ransomware operations have been quieter this week as the White House engages in talks with the Russian government about cracking down on cybercriminals believed to be operating in Russia.

This increased scrutiny by law enforcement and the growing fear that Russia is no longer a safe haven for cybercriminals has led to what is believed to be the shutdown of the notorious REvil ransomware operation. * * *

This shutdown is not believed to be caused by law enforcement, and it is likely we will see this group rebrand as a new operation in the future.

On the Microsoft front, Security Week reports yesterday that

After spending the last two months pushing out multiple Print Spooler fixes (one as an emergency, out-of-band update), Redmond’s security response team late Thursday acknowledged a new, unpatched bug that exposes Windows users to privilege escalation attacks.

Microsoft’s advisory describes an entirely new vulnerability — CVE-2021-34481 — that could be chained with another bug to launch code execution attacks.  

There is no patch available and Microsoft says the only workaround is for Windows users to stop and disable the Print Spooler service.

From the advisory:

An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly performs privileged file operations. An attacker who successfully exploited this vulnerability could run arbitrary code with SYSTEM privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

An attacker must have the ability to execute code on a victim system to exploit this vulnerability.

Microsoft said the vulnerability has already been publicly disclosed and credited Dragos security researcher Jacob Baines with the discovery.

SC Media informs us

More than 22.8 million patients have been impacted by a health care data breach so far in 2021, a whopping 185% increase from the same time period last year where just 7.9 million individuals were affected according to a new report from Fortified Health Security.

Malicious cyberattacks caused the majority of these security incidents, accounting for 73% of all breaches. Unauthorized access or disclosure accounted for another 22%, and the remaining 5% were caused by smaller thefts, losses, or improper disposals.

Further, the number of breaches reported to the Department of Health and Human Services during the first six months of 2021 increased by 27% year-over-year. Health care providers accounted for the most breaches with 73% of the overall tally, compared to health plans with 16% and business associates that accounted for 11%.

“Healthcare organizations have literally hundreds of electronic entry points into their data networks, everything from EHRs, radiology and lab systems, to admission, discharge and transfer systems, to supply chain ordering and internet-enabled medical devices — and any one of these could be the Achilles’ heel exploited by a bad actor,” the report authors wrote.

In other cybersecurity news

• Per Homeland Security Today, “The Senate [on July 23] confirmed by unanimous consent former NSA deputy for counterterrorism Jen Easterly to lead the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security.” “Easterly was a managing director at Morgan Stanley, serving as global head of the firm’s Fusion Resilience Center, and a senior fellow at New America’s International Security program. After her NSA role from 2011-2013, she served on the National Security Council as special assistant to the president and senior director for counterterrorism. Easterly served more than 20 years in the Army and was responsible for standing up the Army’s first cyber battalion. She was also instrumental in the creation of U.S. Cyber Command, and served as executive assistant to National Security Advisor Condoleezza Rice for a time.” Good luck, Ms. Easterly
• Earlier this week the HHS Office for Civil Rights which enforces the HIPAA Privacy and Security Rules issued its Summer 2021 Cybersecurity Newsletter. The newsletter is headlined “Controlling access to electronic protected health information; for whose eyes only? “Ensuring that workforce members are only authorized to access the ePHI necessary and that technical controls are in place to restrict access to ePHI can help limit potential unauthorized access to ePHI for both threats.”

Bleeping Computer brings us up to date on the Kaseya cyberattack:

The REvil affiliate responsible for this attack chose to forgo standard tactics and procedures. Instead, they used a zero-day vulnerability in on-premise Kaseya’s VSA servers to perform a massive and widespread attack without actually accessing a victim’s network.

This tactic led to the most significant ransomware attack in history, with approximately 1,500 individual businesses encrypted in a single attack.

Yet, while BleepingComputer knows of two companies who paid a ransom to receive a decryptor, overall, this attack is likely not nearly as successful as the REvil gang would have expected.

The reason is simply that backups were not deleted and data was not stolen, thus providing the ransomware gang little leverage over the victims.

There’s a lesson in there for both sides.

Cyberscoop provides background on the REvil gang.

[REvil is] one of the more prominent ransomware-as-a-service groups, experts say, in which other criminals can use a strain of ransomware on a rental or subscription basis, or in exchange for a share of the payments. That business model lowers the barrier for anyone to get into the business of ransomware, because it requires no technical expertise in developing the code itself. It’s a trend that’s contributed to the rise of the ransomware phenomenon.

On the good guys side

• The Wall Street Journal reports that “New York City has become the first major American metropolitan area to open a real-time operational center to protect against cybersecurity threats, regional officials said. Set in a lower Manhattan skyscraper, the center is staffed by a coalition of government agencies and private businesses, with 282 partners overall sharing intelligence on potential cyber threats. Its members range from the New York Police Department to Amazon.com Inc. and International Business Machines Corp. to the Federal Reserve Bank and several New York healthcare systems. Until last week, the two-year effort known as New York City Cyber Critical Services and Infrastructure was completely virtual.”
• Cyberscoop informs us that “Few people, if any, seem to grasp the breadth and cost of the scourge, as there are no legal requirements for victims to disclose when they pay hackers to unlock their network.  That, combined with the suspicious that most victims don’t, report their digital extortion payments, makes it harder for law enforcement and security firms to combat attacks, or even understand how to fight them. That’s the impetus behind a project that Stanford University student and security researcher Jack Cable launched on Thursday, dubbed “Ransomwhere,” a plan to track payments to bitcoin addresses associated with known ransomware gangs. “Having public transparency around the impact of ransomware, especially as we’re proposing and considering different actions to try to combat ransomware — we’ll need a way of seeing whether those actions actually work,” Cable said in an interview with CyberScoop.”

On July 6, according to CISA, “Microsoft has released out-of-band security updates to address a remote code execution (RCE) vulnerability—known as PrintNightmare (CVE-2021-34527)—in the Windows Print spooler service.”

For other news, here is a link to Bleeping Computer’s The Week in Ransomware.  

The Wall Street Journal reports this morning that

The ransomware group that collected an $11 million payment from meat producerJBS SA about a month ago has begun a widespread attack that could affect hundreds of organizations world-wide, according to cybersecurity experts.

The group, known as REvil, has focused its attack on Kaseya VSA, software used by large companies and technology-service providers to manage and distribute software updates to systems on computer networks, according to security researchers and VSA’s maker, Kaseya Ltd.

The use of trusted partners like software makers or service providers to identify and compromise new victims, often called a supply-chain attack, is unusual in cases of ransomware, in which hackers shut down the systems of institutions and demand payment to allow them to regain control. The Kaseya incident appears to be the “largest and most significant” such attack to date, said Brett Callow, a threat analyst for cybersecurity company Emsisoft.

SecurityWeek and Bleeping Computer have all of the details on this troubling cyberattack.

In other cyberattack news, Forbes reports on Microsoft’s PrintNightmare, “the name that has been attached to a zero-day vulnerability impacting the Windows print spooler. A vulnerability that can ultimately, it would appear, lead to an attacker taking remote control of an affected system.” Bleeping Computer informs us about available mitigations here and there.

Cyberscoop adds that

Going on offense against attackers and penetrating the secrecy surrounding attacks are two ways the Biden administration is pondering to tackle ransomware, a top White House official [Anne Neuberger] said on Tuesday June 29.]

Neuberger made her remarks as the Biden administration has undertaken a number of initiatives to crack down on ransomware, following the high-profile attacks on Colonial Pipeline and meat supplier JBS. Among them is conducting a ransomware review that includes a focus on disrupting attackers, building an international coalition, studying the U.S. government’s policies and expanding analysis of cryptocurrency given attackers’ use of it to receive payments. 

The administration is wary of banning ransomware payments entirely, something Neuberger called a “difficult policy position” that could harm companies who feel they have to pay up to decrypt their networks, even if the U.S. government discourages such payments.

In the tools department

• This week, “The US Cybersecurity and Infrastructure Security Agency (CISA) has released the Ransomware Readiness Assessment (RRA), a new module for its Cyber Security Evaluation Tool (CSET).”
• CISA also “is developing a catalog of Bad Practices that are exceptionally risky, especially in organizations supporting Critical Infrastructure or NCFs. The presence of these Bad Practices in organizations that support Critical Infrastructure or NCFs is exceptionally dangerous and increases risk to our critical infrastructure, on which we rely for national security, economic stability, and life, health, and safety of the public. Entries in the catalog will be listed here as they are added. * * * While these practices are dangerous for Critical Infrastructure and NCFs, CISA encourages all organizations to engage in the necessary actions and critical conversations to address Bad Practices.” CISA cautions that the catalog does not necessarily includes all Bad Practices. Nevertheless, it’s worth a periodic gander.

The Wall Street Journal reports that the SolarWinds hackers are back at it.

Microsoft Corp. said [in a blog post] hackers, linked by U.S. authorities to Russia’s Foreign Intelligence Service, installed malicious information-stealing software on one of its systems and used information gleaned there to attack its customers. * * *

Most of the attacks were unsuccessful, but three of Microsoft’s customers were compromised during the campaign, the company said. “We have confirmed that two of the compromises were unrelated to the support agent issue, and are continuing to investigate the third instance,” a Microsoft spokesman said.

Microsoft identified the hackers behind the break-in as Nobelium, the same group associated with the sophisticated hack at Austin, Texas-based software maker SolarWinds Corp. U.S. authorities have said this group is part of Russia’s Foreign Intelligence Service, known as the SVR. Russia has denied involvement in the SolarWinds hack. A Russian embassy representative didn’t immediately return a message seeking comment on Microsoft’s blog post.

“This should concern all of us,” said Sherri Davidoff, chief executive of the security consulting firm LMG Security LLC. “Hackers made it past the defenses of one of the world’s most sophisticated technology suppliers, whose software underlies our entire economy.”

ZDNet explains in an illuminating article about where we stand in ransomware struggle

Regularly updating backups – and storing them offline – also provides another means of lessening the severity of ransomware attacks, because even in the event of the network being encrypted, it’s possible to restore it without paying cyber criminals, which cuts off their main means of income. 

Nonetheless, the rise of double extortion attacks has added an extra layer of complexity to this issue because if the organisation doesn’t pay a ransom, they’re faced with the prospect of potentially sensitive information about employees and customers being leaked. 

“Do you have a plan if if your information starts leaking out?,” says Hultquist. “Those pieces need to be in place now, not when it hits the fan”

While Phoenix NAP Global IT Services describes the 18 best practices to deter ransomware, The Wall Street Journal adds that “companies [now] stress-test systems by emulating successful cyberattacks.” Zurich Insurance via the Financial Times explains “Given that cyber exposures are now seen as inevitable, it only makes sense for businesses to invest in resilience. The fundamentals of resilience are protecting profitability through business continuity and incident response planning. The best way to assess that resilience is to see how quickly and effectively your business can react to any given scenario. That’s what cyber risks stress tests are all about.” The article goes on to break down one of these tests for the reader.

As alway’s here’s a link to the Bleeping Computer’s The Week in Ransomware.