Q&A: This is why you should not pay ransomware

For the ransomware era, if you had to pick one thing to better your chances, turn on Multi-Factor Authentication (MFA) for everyone.

Investors are pumping millions of dollars into encryption as unease about data security drives a rising need for ways to keep unwanted eyes away from personal and corporate information — © AFP

In 2019, a Russian-based hacker group launched an attack on local municipalities throughout the state of Texas. Apollo CISO Andy Bennett, then Deputy CISO of Texas, led the response and successfully defended against the largest coordinated cyberattack against local governments in US history.

Bennett and his team restored business operations to all 23 impacted sites in 8 days flat. And he did it without paying the ransom.

That same hacker group, REvil, is now demanding eight-figure ransom payments. Their recent victims include IT firm Kaseya, meat processor JBS, and other American businesses. US-Russia tensions continue to simmer, as President Biden pressed Russian President Vladimir Putin last Friday to act against these bad actors operating out of Russia.

This leaves many businesses feeling vulnerable to this hacking surge. Bennett explains to Digital Journal what it takes to fight off REvil together with the actions companies must take right now to proactively defend themselves.

Digital Journal: Can you hack the hackers?

Andy Bennett: Yes, there is a time and place where hacking the hackers, and taking away their means of hacking, is appropriate. The thing is that you have to do that very judiciously. We (USA) are the world’s superpower in cybersecurity, but the problem is that in cybersecurity, once you use one of your tricks, it is used and out there. In conventional warfare you can make more weapons, but in cybersecurity you have to design new ones. Hacking back is absolutely on the table but must be done very judiciously. Not every single incursion is worthy of a response, since once you use those tools, they are gone.

DJ: How does REvil operate?

Bennett: They always use new approaches in their attacks. They do not sit around and re-use the same programs. In the Texas attacks, REvil used a new and novel malware that would not be caught by any traditional means. Their attack was created, compiled, and delivered within days, and I suspect that is likely the same case with the recent attacks.

DJ: Why do you think it is crucial for companies to not pay a ransom?

Bennett: Ransoms that get paid out reward evil people for the evil things they have done. It empowers them and ensures they will do it again to someone else. Do not make your pain someone else’s.

Paying a ransom offers no guarantee of recovering access or data. In the Colonial Pipeline attack, Colonial paid the ransom but was able to recover their data from backups faster than the decryption process once their access was restored. The ransom was wasted money, while others have paid the ransom and gotten nothing in return. Post-attack recovery is a slow process, and you still have to rebuild your systems and close down the vulnerabilities that left you vulnerable in the first place.

DJ: Have hackers become more sophisticated and dangerous than ever?

Bennett: Bad actors have taken science, made it art, and turned it back into the science of pain. They do this to make sure you are under so much pressure and anxiety that the only thing you feel you can do to recover is paying them, which is patently not true.

Ransomware groups are more sophisticated today because they never stop learning. There is a lot of effective progress being made in the malware and ransomware space that people on the right side of the law could learn a lot from. We talk about being agile, they actually are.

DJ: What is one thing companies can do immediately to defend themselves against cyberattacks?

Bennett: If you had to pick one thing to better your chances, turn on Multi-Factor Authentication (MFA) for everyone. That is the number one countermeasure that prevents the bad actors from leveraging the access they have gotten in your environment. Everything else is a mitigation strategy to constrain the hackers’ reach in your environment, but the only thing that gives you ‘kill switch’ control is MFA.

DJ: What additional security measures are critical?

Bennett: Network segmentation – make sure that systems that do not need to communicate with each other are not linked. There is no need for the thermostat to be talking to your HR systems.

Backups. You need to make sure you have them, test them, and validate them to ensure they actually work and can restore failed or compromised systems. Once you know the backup is usable, take it offline. Bad actors come in and look for your backups and will target them first.

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
