By Brian Greenberg and Cameron Laghaeian.
Originally appearing at Forbes on 6/23/2021.
Ransomware is one of the fastest-growing forms of cybercrime. It begins when ransomware criminals gain access to a company’s network and, like a virus, spread their malware, infecting all the company’s computers. From there, the malware encrypts all the company’s data, making the information unreadable, shutting down the business until a ransom is paid, often in the millions of dollars. Since 1989, cybercriminals have been holding data ransom for financial gain. Ransomware results in system-wide downtime for the victims and financial loss from the impact on the business and the ransom payment itself. While well-architected hardened defenses against would-be hackers are necessary to reduce the likelihood of a breach, there are no guarantees of thwarting an attack. When an attack occurs, the only way to recover data encrypted by ransomware is to restore the data from backups stored offline and isolated from the threat.
The Threat Of Extortion
As if encrypting your data for ransom wasn’t enough, an even more nefarious development has increased the impact of ransomware events on businesses. Cybercriminals have been copying and downloading data to their own servers before encrypting the data on the victims’ computers. This gives the hackers two methods for financial gain:
- They demand a ransom payment for the key to decrypt the victims’ data.
- They can extort more money by threatening to publish the company’s data on the dark web, thereby exposing all manner of confidential information.
This second threat can have an even more devastating impact on businesses. Essentially, hackers could publish all the information about a business’s operations and its clients on the dark web for other criminals and even competitors to use. The damage this would cause to businesses, especially for regulated organizations such as healthcare providers, can be far worse than a simple ransom paid to unlock encrypted data. Moreover, even if a company does pay extortion money, there’s no guarantee that the criminals wouldn’t publish the confidential data regardless.
A Complex Problem
From daily news headlines, the severity and frequency of these breaches suffered by private companies and governmental agencies seem ubiquitous and unending. It’s impossible to harden any IT system enough to guarantee that no hacker would ever have access to any company’s internal systems.
IT systems are just too complex. They’re a combination of personal computers, smart devices and servers, all connected via networks. The configuration of various computer and technology components involved in any given company is in a constant state of flux. They are constantly added to, updated and replaced, occasionally introducing undetected vulnerabilities resulting in zero-day attacks. Effectively, cybercriminals will always find a way to break into any given system, thereby gaining access to the company’s data. Therefore, the only effective remedy to even further reduce the likelihood of data loss is to encrypt the data at rest, making it unreadable to hackers.
Despite the many advantages of data encryption, we don’t use it everywhere. The whole encryption process presents many challenging complexities, including:
- Encryption key management.
- Computational cost.
- Data storage.
- The need to share data with various internal and external systems.
Any encryption scheme requires at least one key. This key has to be complex enough to prevent the data from being decrypted using brute force methods, causing it to be hard to remember and impractical to enter on-demand as authorized users try to interact with the data.
Fortunately, there are various solutions to help organizations manage the encryption keys offered by multiple solutions providers. These solutions can provide numerous encryption schemes, including application-level encryption, which means that only an authorized application can read the encrypted data in the database. The drawback to this method is that if a hacker gains access to the application, they will have access to the data.
A more robust solution would leverage entity-level encryption with unique keys for various entities based on each business’s definition of what constitutes sensitive data and tie the authorization to the users. In cybersecurity, this is considered akin to the “principle of least privilege,” where systems’ or users’ access rights are limited to only what’s strictly required to complete a function or required to do their jobs.
For example, a healthcare provider could have a unique encryption key for each patient and authorize each patient to access their data. This method will guarantee that patients can only see their own records since they will not have the keys for any other patient’s information stored within the same database. Leveraging this level of encryption can only be done if the encryption logic can manage all the keys and patient authorizations and still allow authorized employees’ access to any patient’s records. This method would only expose a single patient’s data if the patient’s device, pc or smartphone, is compromised.
With a secure key management scheme, cybercriminals will not have any way to decrypt the sensitive information even if they obtain a copy of the entire database. While this level of encryption will not prevent hackers from further encrypting the data and demanding a ransom for the decryption key, it will prevent them from attempting to publish the data on the dark web.
The Ultimate Defense
Ransomware is a grave threat to any business. It’s an incredibly complicated problem that traditional IT defenses have been unable to stop, and a single strategy cannot fix it. The ultimate defense is a multifaceted approach depriving cybercriminals of their prize. First, companies need to employ frequent and automated backups securely maintained offline to recover data encrypted by ransomware. Secondly, companies need to begin leveraging entity-level encryption making data unreadable by unauthorized actors. In combination, these two approaches can seriously cripple a cybercriminal’s power to impact businesses and their clients.
You must log in to post a comment.