According to a June 1 post at BleepingComputer by Lawrence Abrams, GandCrab operators are shutting down their operations after a year and a half. This comes after they claim to have generated more than $2 billion in ransom payments, averaging $2.5 million weekly. The GandCrab operators declare they have personally earned $150 million, which is believable given their go-to-market strategy.
To me, this is astounding on many fronts. It seems even the bad guys have a quitting point. But this comes after wreaking havoc on loads of organizations, from municipalities to hospitals and MSPs. I can understand why an executive would consider giving in to extortionists' demands, weighing the cost of mitigation and recovery against the cost of paying for the decryption keys.
But this is like rewarding the bank robber for robbing the bank or, at best, paying the bank robber NOT to rob the bank. Based on simple economics, the cost of the incident will unfortunately get passed down to the unsuspecting consumer. That is, unless the incident hurt the organization so badly that it closed its doors. Either way, this is bad for everyone. Even though GandCrab is shutting down, don't think ransomware will go away. There will be a new, bigger, better scam coming down the pipeline, because the model works at generating revenue for the bad guys.
Ransomware is talked about everywhere. It’s impossible to hide from. When we asked our client base what they most fear, what keeps them awake at night, the number one response is ransomware. We are overdue for organizations to invest time and resources into preparing for recovery from this nightmare and stop paying the bank robbers. The likelihood of falling victim is greater than you might think.
The best way to respond to a ransomware attack is to be prepared for the worst and hope for the best. Have a plan, playbook or runbook in place and make sure it is actively practiced, and practiced often. You can partner with a Managed Security Services Provider to call on if needed, but if you don't have a plan and backups or decryption keys, you are at a massive disadvantage.
The best bet is to practice these common-sense steps, which, by the way, are basic security hygiene.
- Patch, patch, patch and verify you are patched
- Back up important data
- Back up applications, configuration files, and other data you will need to restore services
- Keep at least some of those backups offline
- Practice restoring from backups, often
- Keep an updated network diagram. Highlight the systems with the most valued data
- Know where to sever communications to prevent spread
- Educate users about malware infections and the ways malware gets into your organization
- Do not allow domain administrators to log in at a workstation. Give user accounts the minimum set of privileges required to function effectively
- Do not allow programs to execute from non-standard locations, such as temporary or internet cache locations
- Consider endpoint and network-based detection and prevention technologies
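The backup items above only pay off if the restore is rehearsed and verified. As an added example (not code from the original post), the Python script below runs one such drill on constructed sample data: it backs up a small tree with a SHA-256 manifest, simulates an encryption event on the live copy, restores the archive to a clean location and reports which files fail verification. File names, paths and contents are all constructed for the drill.

```python
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file so a restored copy can be checked against the backup manifest."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def back_up(root: Path, archive: Path) -> dict:
    """Archive the tree and return the manifest taken at backup time.
    Keep the manifest with the offline copy, never only on the live host."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(root / rel, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, dest: Path, manifest: dict) -> list:
    """Restore into dest; return files that are missing or whose hash differs.
    An empty list means the restore drill passed."""
    with tarfile.open(archive, "r:gz") as tar:
        # Use the hardened extraction filter where this Python provides it.
        opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **opts)
    restored = build_manifest(dest)
    return sorted(rel for rel, d in manifest.items() if restored.get(rel) != d)


def run_drill() -> dict:
    """End-to-end drill on constructed data: back up, simulate encryption of
    the live tree, restore to a clean location and verify every file."""
    with tempfile.TemporaryDirectory() as tmp:
        live, restored = Path(tmp, "live"), Path(tmp, "restored")
        live.mkdir()
        restored.mkdir()
        (live / "config.yaml").write_text("db_host: 10.0.0.5\n")  # constructed
        (live / "records.csv").write_text("id,name\n1,alice\n")   # constructed
        manifest = back_up(live, Path(tmp, "offline-copy.tar.gz"))
        (live / "records.csv").write_bytes(os.urandom(64))  # live file "encrypted"
        damaged = sorted(rel for rel, d in manifest.items()
                         if sha256_file(live / rel) != d)
        failures = restore_and_verify(Path(tmp, "offline-copy.tar.gz"), restored, manifest)
        return {"damaged_live_files": damaged, "restore_failures": failures}
```

In a real drill the archive and manifest come from the offline copy, and a non-empty `restore_failures` list means the backup cannot be trusted for recovery.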
I challenge all organizations to be prepared to handle a ransomware attack without paying the ransom. If we all do this, attackers' return on investment or effort will dramatically decrease. This, in turn, will lessen the effectiveness of the attack strategy, and we will see fewer extortion tactics focused on file encryption for ransom. It is well past time for us to quit paying the bank robber NOT to rob our banks!