May 2, 2022
Breaking Down NYDFS Guidance on Ransomware
Ransomware has quickly become one of the most expensive, business-crippling cybersecurity events. According to Forbes, the average cost of a ransomware attack reached nearly $2 million in 2021, doubling from $760,000 the previous year. As ransomware costs increase, organizations must be ever-prepared to prevent and/or mitigate these attacks.
The Cybersecurity and Infrastructure Security Agency (CISA) defines ransomware as “an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.”
During a ransomware attack, the encrypted files are offered back to the affected organization for a ransom, with the promise of the safe return of the encrypted files and the restoration of normal operations. If the impacted party refuses to pay the ransom, the encrypted files are usually leaked or destroyed.
The impact of ransomware can be devastating and could lead to:
- Organizational downtime and disruption
- Loss of data
- Reputational damage
- Financial loss
Organizations can reduce or mitigate the risk of ransomware attacks with proper strategy and effective controls.
The New York Department of Financial Services (NYDFS) has provided guidance on ransomware that highlights strategies and controls from its 2017 Cybersecurity Regulation (23 NYCRR 500) that reduce the risk of a successful ransomware attack. Key areas highlighted include:
1. Email Filtering and Anti-Phishing Training
2. Vulnerability and Patch Management
3. Multi-Factor Authentication (MFA)
4. Disable RDP Access
5. Password Management
6. Privileged Access Management
7. Monitoring and Response
“These controls, when implemented together, significantly reduce the risk of a successful ransomware attack” – NYDFS
NYDFS recommends the following to reduce the impact of a ransomware attack:
- Maintain segregated backups
- Update and test the incident response plan
- Do not pay the ransom
The efficacy of implementing these controls was evident in two recent ransomware events.
In the March 2021 CNA Financial ransomware attack, in which CNA paid roughly $40 million in ransom, attackers used malware known as ‘Phoenix Locker’, a variant of the ‘Hades’ ransomware. This malware family is known to gain initial access to company networks over remote desktop protocol (RDP) or through virtual private networks (VPNs) using compromised credentials. This attack could have been mitigated by following the NYDFS guidance to disable RDP access on employee workstations.
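As an added example (not code from NYDFS, CNA or Johnson Lambert), the following PowerShell audits a Windows workstation's RDP exposure and applies the "Disable RDP Access" control described above. It assumes a Windows 10/11 workstation with the built-in NetSecurity module, local administrator rights, and that the machine has no legitimate need for inbound RDP.

```powershell
# Audit and, optionally, disable inbound Remote Desktop on an employee workstation.
# Assumptions: Windows 10/11, built-in NetSecurity module, run as local administrator.
function Get-RdpExposure {
    $tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $deny   = (Get-ItemProperty -Path $tsKey -Name fDenyTSConnections).fDenyTSConnections
    $rules  = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
    $svc    = Get-Service -Name TermService
    $listen = Get-NetTCPConnection -LocalPort 3389 -State Listen -ErrorAction SilentlyContinue

    # One row per host; feed to Export-Csv when sweeping many workstations.
    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        ConnectionsDenied   = ($deny -eq 1)
        FirewallRulesActive = @($rules | Where-Object Enabled -eq 'True').Count
        ServiceStatus       = $svc.Status
        ServiceStartType    = $svc.StartType
        ListeningOn3389     = [bool]$listen
    }
}

function Disable-RdpAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Disable Remote Desktop')) {
        # 1. Tell Terminal Services to refuse inbound connections.
        Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord
        # 2. Close the inbound firewall openings in the Remote Desktop rule group.
        Disable-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue
        # 3. Stop the service and keep it from starting on the next boot.
        Stop-Service -Name TermService -Force -ErrorAction SilentlyContinue
        Set-Service -Name TermService -StartupType Disabled
    }
}

# Review the current state first; -WhatIf previews the remediation without changing anything.
Get-RdpExposure | Format-List
Disable-RdpAccess -WhatIf
```

Run `Get-RdpExposure` again after remediation: a hardened workstation reports ConnectionsDenied True, zero active firewall rules, and ListeningOn3389 False.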
In February 2021, the video game developer, publisher, and distributor CD Projekt Red was the victim of a ransomware attack. However, unlike CNA Financial, CD Projekt Red did not pay the ransom. The organization had an effective backup and recovery plan that allowed it to continue operations with no loss of data.
As seen above, effective controls lay the foundation for mitigating the risk of a ransomware attack and, in the event of a breach, for containing the damage and continuing operations. The Johnson Lambert Cybersecurity team assists companies with assessing their cybersecurity governance posture against NYDFS Regulation 500 and other cybersecurity frameworks.
Remember, the Federal Bureau of Investigation (FBI), the Multi-State Information Sharing and Analysis Center (MS-ISAC), CISA, NYDFS, and other federal law enforcement agencies recommend against paying a ransom.