Ransomware is a type of malicious software designed to block access to a computer system or data, usually by encrypting files, until a ransom is paid to the attacker, commonly referred to as the threat actor (TA). Cybercriminals often demand payment in cryptocurrency to make tracing more difficult. Once the ransom demand is made, victims are typically given instructions on how to pay in exchange for a decryption key. However, paying the ransom does not guarantee that access will be restored, and it may encourage further attacks.
Immutable backups are backup copies of data that cannot be altered, deleted, or overwritten for a predetermined period. This means that even if attackers gain access to your systems, they cannot modify or erase these backup files. Immutable backups are essential in defending against ransomware because they ensure a clean, uninfected copy of your data is always available for recovery. By regularly maintaining immutable backups, organizations can restore compromised systems without yielding to ransom demands, minimizing downtime and data loss. The primary issue with immutable offsite backups is cost, as most providers charge yearly per terabyte of stored data.
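As an added illustration (not part of the original document and not any vendor's product or API), the following Python model shows what the retention lock on an immutable backup actually enforces: an object written with a retention period cannot be overwritten or deleted by anyone until that period has elapsed, retention can be extended but never shortened, and the stored hash is re-checked at restore time. The store class, the backup key name, the sample contents and the fake clock are all constructed for the example.

```python
"""Added example: an in-memory model of a retention-locked (WORM) backup store.
Not a vendor product or API; the class, key names and sample data are constructed
to show what "cannot be altered, deleted, or overwritten for a predetermined
period" means when a compromised account tries anyway."""
import hashlib
import time
from dataclasses import dataclass


class ImmutableStoreError(PermissionError):
    """Raised when a write or delete would violate a retention lock."""


@dataclass
class LockedObject:
    data: bytes
    sha256: str          # recorded at write time, checked again on restore
    retain_until: float  # Unix timestamp; no mutation allowed before this


class ImmutableBackupStore:
    """Compliance-style lock: retention can be extended but never shortened,
    and no caller (administrator included) can bypass it before expiry."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so the scenario below is deterministic
        self._objects: dict = {}

    def __contains__(self, key: str) -> bool:
        return key in self._objects

    def put(self, key: str, data: bytes, retention_days: int) -> str:
        now = self._clock()
        existing = self._objects.get(key)
        if existing is not None and now < existing.retain_until:
            raise ImmutableStoreError(f"{key!r} is retention-locked; overwrite refused")
        digest = hashlib.sha256(data).hexdigest()
        self._objects[key] = LockedObject(data, digest, now + retention_days * 86400)
        return digest

    def extend_retention(self, key: str, retention_days: int) -> None:
        obj = self._objects[key]
        new_until = self._clock() + retention_days * 86400
        if new_until < obj.retain_until:
            raise ImmutableStoreError("retention can only be extended, not shortened")
        obj.retain_until = new_until

    def delete(self, key: str) -> None:
        if self._clock() < self._objects[key].retain_until:
            raise ImmutableStoreError(f"{key!r} is retention-locked; delete refused")
        del self._objects[key]

    def restore(self, key: str) -> bytes:
        """Return the stored bytes after re-verifying the hash recorded at write time."""
        obj = self._objects[key]
        if hashlib.sha256(obj.data).hexdigest() != obj.sha256:
            raise ValueError(f"integrity check failed for {key!r}")
        return obj.data


def run_scenario() -> dict:
    """Constructed scenario: take a backup, then attempt the overwrite and delete
    that an intruder holding admin credentials would try, confirm both are refused
    and the original restores intact, and finally show that the lock releases only
    once the retention window has passed."""
    fake_now = [1_700_000_000.0]  # constructed clock the scenario advances by hand
    store = ImmutableBackupStore(clock=lambda: fake_now[0])
    key = "payroll/2024-01-01.db"            # constructed backup object name
    original = b"payroll database snapshot"  # constructed sample contents
    digest = store.put(key, original, retention_days=30)
    result = {"digest": digest, "overwrite_blocked": False, "delete_blocked": False}
    try:
        store.put(key, b"\x00encrypted by intruder\x00", retention_days=1)
    except ImmutableStoreError:
        result["overwrite_blocked"] = True
    try:
        store.delete(key)
    except ImmutableStoreError:
        result["delete_blocked"] = True
    result["restored_intact"] = store.restore(key) == original
    fake_now[0] += 31 * 86400  # retention expired: lifecycle cleanup is now permitted
    store.delete(key)
    result["deleted_after_expiry"] = key not in store
    return result


if __name__ == "__main__":
    print(run_scenario())
```

The point of the scenario function is the check a practitioner should actually run against a real immutable tier after setting it up: with ordinary administrator credentials, attempt an overwrite and a delete on a locked object and confirm both are refused, then confirm a restore matches the hash recorded at backup time. A backup tier where that test passes is one the "cannot be altered" promise holds for; the cost per terabyte noted above buys exactly that property.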
Multifactor Authentication (MFA) is a security process that requires users to provide two or more verification factors to gain access to a system or account. This typically includes something the user knows (like a password), something the user has (such as a smartphone or security token), or something the user is (biometric verification). MFA adds an extra layer of security to safeguard company data. However, although MFA is a critical component of organizational defense, it can also introduce certain operational inconveniences.
Primary Reasons for Inconvenience
● Workflow Disruption:
MFA could complicate daily workflows by requiring extra steps and reliance on physical devices. Users often need to stop what they're doing to enter a code or approve a prompt, which can be particularly disruptive in fast-paced settings where frequent prompts slow down urgent tasks.
● Device Dependency:
Most MFA methods require a smartphone or physical security key. If a user’s phone is dead, lost, or forgotten, they may be completely locked out of their accounts, turning a security feature into a significant accessibility barrier.
● "MFA Fatigue":
Frequent authentication requests lead to sensory overload and annoyance. Attackers exploit this via "MFA bombing," where they send incessant notifications until a frustrated user approves one just to make the alerts stop. The most common type of MFA involves receiving a code or notification on a smartphone that the user must respond to. Virtually all users always have their smartphone available, so it is a very convenient option. However, if a user misplaces, forgets, or loses access to their device, they may be locked out temporarily, creating accessibility issues.
Though users may face some initial inconvenience while incorporating new multifactor authentication procedures in their daily routines, MFA significantly lowers the risk of unauthorized access—even if credentials are compromised. By adding this extra layer of security, organizations can better protect their sensitive data and systems from ransomware attacks and other cyber threats.
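The "MFA bombing" pattern described above is visible in sign-in logs, and the following Python example (added here, not part of the original document) shows the detection logic a defender would run over them: a sliding window per user that flags a burst of unapproved push prompts, and separately flags an approval that arrives while such a burst is still in the window, since that is what a worn-down user giving in looks like. The log line format, field names, user names and thresholds are constructed assumptions for the example, not any identity provider's real schema.

```python
"""Added example: detection logic for the "MFA bombing" pattern described above,
run over constructed sign-in log lines. The log format, field names, user names
and thresholds are assumptions for the example, not any identity provider's real
schema; map the regex to your provider's MFA push events before use."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, NamedTuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=mfa_push result=(?P<result>\S+)")

# Constructed sample log: alice signs in normally, bob is bombed and eventually
# approves, carol declines one prompt and approves a separate one 30 minutes later.
SAMPLE_LOG = """\
2024-03-04T09:00:05Z user=alice event=mfa_push result=approved
2024-03-04T21:14:02Z user=bob event=mfa_push result=denied
2024-03-04T21:14:40Z user=bob event=mfa_push result=denied
2024-03-04T21:15:11Z user=bob event=mfa_push result=timeout
2024-03-04T21:15:50Z user=bob event=mfa_push result=denied
2024-03-04T21:16:30Z user=bob event=mfa_push result=timeout
2024-03-04T21:17:05Z user=bob event=mfa_push result=approved
2024-03-04T22:00:00Z user=carol event=mfa_push result=denied
2024-03-04T22:30:00Z user=carol event=mfa_push result=approved
"""


class Alert(NamedTuple):
    user: str
    at: datetime
    kind: str          # "prompt_burst" or "approval_after_burst"
    unapproved: int    # unapproved prompts in the window when the alert fired


def parse_log(text: str):
    """Yield (timestamp, user, result) for every MFA push line; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["user"], m["result"]


def detect_mfa_fatigue(text: str, window_seconds: int = 600,
                       burst_threshold: int = 4) -> List[Alert]:
    """Two signals per user over a sliding window:
    - prompt_burst: the burst_threshold-th prompt the user did not approve
      (denied or timed out) within window_seconds, i.e. someone is hammering them;
    - approval_after_burst: an approval arriving while burst_threshold-1 or more
      unapproved prompts are still in the window, the signature of a user who gave
      in, which warrants treating that session as suspect."""
    recent = defaultdict(deque)   # user -> deque of (timestamp, result)
    alerts: List[Alert] = []
    for ts, user, result in sorted(parse_log(text)):
        q = recent[user]
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()           # drop prompts that aged out of the window
        unapproved = sum(1 for _, r in q if r != "approved")
        if result == "approved":
            if unapproved >= burst_threshold - 1:
                alerts.append(Alert(user, ts, "approval_after_burst", unapproved))
        elif unapproved + 1 == burst_threshold:   # fire once per burst
            alerts.append(Alert(user, ts, "prompt_burst", unapproved + 1))
        q.append((ts, result))
    return alerts


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{a.at.isoformat()} {a.user}: {a.kind} ({a.unapproved} unapproved prompts)")
```

On the sample log this raises two alerts, both for bob: a prompt burst at the fourth unapproved prompt, then an approval while five unapproved prompts are still in the window. Carol's single decline followed by an approval half an hour later raises nothing, which is the window doing its job. In practice the first alert is the cue to contact the user and reset the credential, and the second is the cue to terminate the session that was just approved; both are far cheaper than the investigation that follows if the approval is treated as legitimate.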
Biometric login methods, such as fingerprints or facial recognition, offer both benefits and drawbacks as well. They increase security by making unauthorized access more difficult and are convenient because users don’t have to remember complex passwords. However, if biometric data is compromised, changing it is challenging, and privacy concerns can arise regarding how this sensitive data is stored and used. Additionally, biometric systems may not work consistently for all users due to factors like injuries or environmental conditions.
Law enforcement's response to ransomware is characterized by a "victim-centric" approach that prioritizes immediate reporting, investigative support, and international disruption of criminal infrastructure. Federal agencies like the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) serve as the primary coordinators for these efforts, providing technical expertise and facilitating global takedowns.
Core Response Strategies
● Investigative Support:
Agencies conduct threat response (identifying and disrupting actors) and asset response (assisting victims with mitigation and recovery). This includes deploying sophisticated tools to trace attacks and potentially providing decryption keys for known ransomware variants.
● International Coordination:
Large-scale operations, such as the 2024 disruption of the LockBit gang, involve multi-national cooperation to seize servers, freeze cryptocurrency accounts, and unmask leaders.
● Regulatory & Sanctions Enforcement:
Law enforcement and the Department of the Treasury (OFAC) warn that paying ransoms can violate U.S. sanctions if funds go to designated entities. However, "self-initiated and complete" reporting to law enforcement is considered a significant mitigating factor in potential sanctions investigations.
● Victim Reporting & Guidance:
Law enforcement strongly advises victims not to pay the ransom, as it funds future criminal activity and does not guarantee data recovery.
Victims are urged to report incidents via:
o FBI Internet Crime Complaint Center (IC3): The central hub for filing official reports.
o Local FBI or U.S. Secret Service Field Offices: For immediate technical assistance and local coordination.
o CISA's 24/7 Operations Center: For reporting ongoing threats to critical infrastructure.
Orion Integration Services blocks access to countries and IPs on OFAC and CISA blacklists (on applicable devices), and applies host intrusion detection, prevention, and anti-virus protection on all client networks, but these measures are not enough. Previously, recommendations have been shared verbally and in writing, such as using a 3-2-1 backup strategy (3 backups, 2 locations, 1 offsite and immutable), retiring end-of-life hardware and software, and enabling multifactor authentication. While these measures may add cost and complexity to daily IT management, they are essential for ensuring robust security in today’s IT environment.
Ransomware poses a serious threat to individuals and organizations alike, potentially leading to significant financial and data losses. Implementing immutable backups and multifactor authentication are critical strategies in defending against such attacks. By combining these protective measures, you can greatly enhance your organization’s resilience and ensure your data remains secure, accessible, and uncompromised in the face of evolving cyber threats.
Patrick D. Jackson
President, Senior Technology Officer
Please confirm that you have received and read this document. Your acknowledgement is important to ensure awareness and compliance with the security recommendations outlined above. If you have any questions or concerns, please feel free to contact any of our staff for further information or clarification.