
TOP STORY
Mar 24, 2025
This edition of The Director's Cut covers the importance of a ransomware prevention strategy. Plus insider threat mitigation, defending against nation-state threats, and more.
Ransomware attacks against U.S. companies grew by 102% over the previous year. Among the many ransomware strains is ‘Medusa’, a variant so severe the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI jointly issued a public advisory to warn companies.
Since it was first seen in 2021, Medusa has been used in at least 300 successful ransomware attacks, with many of the victims belonging to critical infrastructure organizations. Medusa operates like a franchise: criminals rent the ransomware from developers and split the profits from ransom payments, which range from $100,000 to $15 million. Hackers now steal data before locking systems, using the threat of leaking data to force victims to pay. This technique is called ‘double extortion.’
For a ransomware attack to be effective, the hacker must be able to hop from one computer to the next within a network to spread the malware. If the network doesn’t allow this, disruption is minimized. This mitigation is called ‘network segmentation’ and acts like having separate compartments on a ship: if one compartment floods, the others remain safe. This prevents ransomware from spreading unchecked.
To reduce risk, the advisory also recommends keeping software up to date, enforcing multi-factor authentication, storing backups in places hackers cannot reach, and having a well-rehearsed recovery plan. A modern zero trust architecture will also prevent infections by requiring every user and device to continuously prove they belong there.
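To make the segmentation and backup-isolation points concrete, here is an added example (not from the newsletter or the advisory it summarizes) that models a segmented network as an explicit allow-list of permitted flows and reports every flow such a network would block. The segment names, address ranges, allow rules and sample flows are all constructed for illustration; the script runs offline.

```python
# Added example (not from the newsletter): a toy checker that models a
# segmented network as an allow-list of permitted inter-segment flows and
# reports every flow that a segmented network should block. Segment names,
# address ranges and the sample flows are all constructed for illustration.
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

# Hypothetical segments: each business function gets its own address block.
SEGMENTS: dict[str, IPv4Network] = {
    "workstations": ip_network("10.10.0.0/16"),
    "servers": ip_network("10.20.0.0/16"),
    "backups": ip_network("10.30.0.0/24"),   # reachable only from servers
    "ot": ip_network("10.40.0.0/24"),        # plant-floor systems, isolated
}

# Explicit allow-list (src segment, dst segment, dst port or None for any).
# Anything not listed is denied, including traffic between two hosts in
# the same workstation segment, which is the path ransomware uses to spread.
ALLOW_RULES: set[tuple[str, str, int | None]] = {
    ("workstations", "servers", 443),   # users reach applications over HTTPS
    ("servers", "servers", None),       # tier-internal traffic on any port
    ("servers", "backups", 22),         # backup jobs push over SSH only
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def segment_of(ip: str) -> str | None:
    """Return the segment whose range contains ip, or None if unknown."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def evaluate(flow: Flow) -> tuple[bool, str]:
    """Decide whether a segmented network should permit this flow."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    if src_seg is None or dst_seg is None:
        return False, "address outside any defined segment"
    for rule_src, rule_dst, rule_port in ALLOW_RULES:
        if (rule_src, rule_dst) == (src_seg, dst_seg) and rule_port in (None, flow.dport):
            return True, f"matches allow rule {src_seg}->{dst_seg}"
    return False, f"no rule permits {src_seg}->{dst_seg}:{flow.dport}"


def audit(flows: list[Flow]) -> list[tuple[Flow, str]]:
    """Return the flows a segmented network would block, with the reason."""
    blocked = []
    for flow in flows:
        allowed, reason = evaluate(flow)
        if not allowed:
            blocked.append((flow, reason))
    return blocked


# Constructed sample flows, as a firewall or flow collector might record them.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.20.3.9", 443),    # workstation -> app server: allowed
    Flow("10.10.1.5", "10.10.1.8", 445),    # workstation -> workstation SMB: blocked
    Flow("10.10.1.5", "10.30.0.7", 22),     # workstation -> backup host: blocked
    Flow("10.20.3.9", "10.30.0.7", 22),     # server -> backup host: allowed
    Flow("10.20.3.9", "10.40.0.2", 502),    # server -> OT network: blocked
    Flow("192.168.5.5", "10.20.3.9", 443),  # unknown source range: blocked
]

if __name__ == "__main__":
    for flow, reason in audit(SAMPLE_FLOWS):
        print(f"BLOCK {flow.src} -> {flow.dst}:{flow.dport}  ({reason})")
```

The design choice worth noting is the default-deny allow-list: a segment only talks to another segment where a rule says so, and peer-to-peer traffic inside the workstation segment has no rule at all, so a single infected desktop cannot reach its neighbours or the backup hosts. A real deployment enforces this in firewalls or microsegmentation policy rather than a script, but reviewing exported rules against recorded flows in this way is a practical check that the segmentation management describes actually exists.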
Questions directors should ask management:
- Is our network effectively segmented to prevent the spread of ransomware?
- Do we have a recovery plan that includes offline backups, and when was it last tested under real-world conditions?
- How does management detect and respond to early signs of ransomware activity?
On the radar
What controls are in place to detect and prevent insider threats and how are employees trained to recognize risky behavior?
No company wants to think of their employees as a threat, but the conviction of a Texas man on charges of sabotaging his employer is a good reminder that not all cyber threats are external.
Davis Lu, a software developer formerly with Eaton Corp, began to insert malicious code into his company network following a 2018 corporate reorganization that reduced his responsibilities and system access. In 2019, he hid a ‘kill switch’ in the system that would lock out all users if his login details were disabled; when he was terminated in September that year, the code was activated, disrupting thousands of users globally and costing the company hundreds of thousands of dollars in losses. Causing intentional damage to protected computers carries a maximum penalty of 10 years in prison.
How are we assessing and mitigating risks from nation-state cyber threats, particularly in critical systems?
At the Wall Street Journal’s Tech Live Cybersecurity event in New York this week, General Paul Nakasone, former commander of United States Cyber Command and concurrent Director of the National Security Agency, spoke about geopolitical threats, including how Chinese nation-state hackers had infiltrated the Littleton Electric Light and Water Department in Massachusetts. General Nakasone said he believed this was a cyber sleeper cell strategically pre-positioned, awaiting activation, and wondered what other vulnerabilities might exist nationwide and how well prepared companies are to respond.
Nation-state groups, including from Russia, North Korea, Iran, and China, were found to have exploited over 300 companies with an eight-year-old vulnerability in Windows that remains unfixed.
The on-demand recording of NACD Northern California’s webinar on Cyber Threats, Geopolitics, and Business Resilience: The Board's Playbook, which I spoke on, contains a wealth of information on increasing resilience against geopolitically motivated attacks.
How does our security strategy adapt when executives’ public profiles change?
Changes to an executive’s public profile can result in increased information security risks, as evidenced at X (formerly Twitter) and Tesla. Not only has Elon Musk’s role in the Trump administration led to a wave of vandalism against Tesla vehicles and facilities, but both companies are now dealing with cybersecurity and privacy issues.
In early March, X was hit with a denial of service attack that stopped some users from reaching the social media application. Some researchers said a number of X servers were not properly secured, leaving them vulnerable to such an attack. A pro-Palestinian group took credit for the attack, which disrupted traffic for several hours.
Hacktivists also published a list of Tesla owners' names, addresses, phone numbers, and emails online, raising privacy concerns. There is no evidence Tesla was breached and it remains unclear how the information was compiled.
***
Zscaler is a proud partner of NACD’s Northern California and Research Triangle chapters. We are here as a resource for directors to answer questions about cybersecurity or AI risks, and are happy to arrange dedicated board briefings. Please email Rob Sloan (rsloan[@]zscaler.com), VP Cybersecurity Advocacy at Zscaler, to learn more.