Repelling A Ransomware Attack: Daniel Hofmann of Hornet Security On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Authority Magazine
Published Mar 13, 2022


Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?

In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Daniel Hofmann.

Daniel Hofmann has been an independent entrepreneur and security industry influencer since 2004. He has held several positions in the IT market. In 2007, he founded Hornetsecurity in Hannover, Germany, and developed services for secure email communication, including spam and virus filters. Under his guidance, Hornetsecurity has developed a comprehensive portfolio of managed cloud security services that serves customers globally from its regional offices around the world. He is responsible for strategic corporate development.

Hornetsecurity is the leading security and backup solution provider for Microsoft 365. Its flagship product is the most extensive cloud security solution for Microsoft 365 on the market, providing robust, comprehensive, award-winning protection: Spam and virus filtering, protection against phishing and ransomware, legally compliant archiving and encryption, advanced threat protection, email continuity, signatures and disclaimers. It’s an all-in-one security package that even includes backup and recovery for all data in Microsoft 365 and users’ endpoints. Hornetsecurity Inc. is based in Pittsburgh, PA with other North America offices in Washington D.C. and Montreal, Canada. Globally, Hornetsecurity operates in more than 30 countries through its international distribution network. Its premium services are used by approximately 50,000 customers including Swisscom, Telefónica, KONICA MINOLTA, LVM Versicherung, DEKRA and CLAAS.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

I didn’t grow up in a tech-focused environment. Both my parents worked independently and ran their own business, and I helped with that throughout my childhood. When computers were introduced for the general market, my parents saw that this could help them and they got one. And I destroyed it! I was so interested to see how it worked, that I pulled it apart. I knew I had to get one of my own and I saved money and did odd jobs to be able to get the most advanced one I could lay my hands on. It was the technical side that appealed to me. I wasn’t interested in gaming, I was interested in how it worked, in the software and how to improve it, in the processes and so on.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

I found out early on that it was very easy to compromise computers over the Internet and this was an issue. At the time, however, I didn’t realize that I could build a business around that. Yet, it was something that occupied my thoughts.

I was an IT Consultant working with many large companies, such as banks and insurance firms, with responsibility for optimizing their IT infrastructure and maintaining their systems. Each company had its own environment and setup and its own requirements. Each one needed an individual and time-intensive approach to protect them and their data.

It dawned on me that it made sense to provide security via one central location, what we today call the cloud but that was different at the time. This realization drove me to develop my first cloud-based system in 2004 and I used it to manage security for each of my customers from a single point.

Can you share the most interesting story that happened to you since you began this fascinating career?

I am glad to say that my career has been interesting from the start, and it is hard to pick any one instance that stands out. I’m passionate about what I do and about the Hornetsecurity team. I’m really happy with the progress achieved so far and it inspires me to continue moving forward. I love to look ahead, exploring and innovating.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

One characteristic of mine is that I don’t accept “This is not possible” as an answer. The truth is that most things are possible as long as you have the time and resources to achieve them. After looking at something, you may conclude that it is too expensive to proceed with, and that is fine — but you might equally find a way to get it done. This is why I believe in “no limits”. To be told “It’s impossible” is not an answer I’m interested in.

Linked to this is the will to develop things that no one else has tried and to explore new options, methods and pathways. This enables us to bring much more value to our customers on the product side. It also ties in with my ability to identify and understand what pain points the customer has — beyond what the customers realize. I dig deeper to discern the actual need, what really needs to be solved.

I also try to innovate all the time. We’ll use what works well and try to add more value to it through innovation. We rethink what we have been doing to improve and achieve more. This ongoing approach is important to me. When attempting to take a direction that no one has taken before, you cannot always know if something will work or not until you actually do it. This takes time and money and yes, if something isn’t working, then I’m quick to stop it, despite the effort invested in it until that point. You need to have multiple innovation tracks going at any one time for this reason. You start again if something doesn’t work, and focus on a fresh idea.

Are you working on any exciting new projects now? How do you think that will help people?

We are. This is our ethos and we are constantly working on exciting projects with the goal of helping others. If our offerings are not helpful, there is no point in developing and marketing them. We have some great launches slated for this year and look forward to sharing news about them very soon.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

Cybersecurity is my area of specialization; Hornetsecurity is all about cybersecurity. Ransomware is just one of the many areas we protect against and a small part of what we do. As experts in this field, we make it a point to keep one step ahead, so that we can protect our customers in the fullest possible way. It’s not enough to protect against attacks that are already out there, so we keep track of what hackers do, where from and how they work so as to predict and counter their next steps. We also publish reports to keep customers abreast of trends and to share insights and information, to help raise awareness.

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

There are three main types of ransomware:

  • Crypto ransomware: encrypts files; demands payment for decryption
  • Locker ransomware: deprives the user of access to the computer; demands payment to get access again
  • Doxware or leakware: threatens to publish stolen data; demands payment so that the data is not published

There are two main types of ransomware operation:

  • Fully automated ransomware: user clicks on a malicious attachment (or link or whatever), computer gets encrypted
  • Human-operated ransomware: user clicks on a malicious attachment (or link or whatever), criminals get access to the computer, criminals scan the company network and try to infect all the company’s important computers and to encrypt all the computers at the same time to maximize impact.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

Everyone.

Private individuals are generally targeted with fully automated ransomware. Businesses may also fall victim to fully automated ransomware, but to them losing a single PC to ransomware is typically nothing but a little bump in the road, meaning they are unlikely to pay. This is why businesses are so often targeted using human operated ransomware.

Of particular concern is the “double extortion” trend, where a hybrid of crypto ransomware and leakware is used, so that first company files are stolen, then the data is encrypted, and eventually the company is extorted twice — once for the decryption key and simultaneously because of the potential leak of the stolen data.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

Our advice is to immediately contact the cybersecurity experts, so that they can assess the situation, take the necessary steps and provide guidance. And also the local FBI field office to inform them of the crime and hand over information to help them track the ransomware attackers and hold them accountable under US law.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

It’s important to clarify that once a company is made aware of a ransomware attack, there is little it can do at that stage other than respond to the attack; any steps it takes to protect itself further would be to defend against future attacks rather than the current one.

On learning it has fallen victim to a ransomware attack, the company should adopt an immediate, three-pronged approach to instantly: stop the ransomware attack, stop the possible exfiltration of customer data and stop attackers from abusing its IT systems to mount attacks against its customers and business partners.

From a technical perspective, the point “a company is made aware of a ransomware attack” would be the Detection phase of the incident response life cycle. The phases that follow should then be:

  • Analysis: assess impact, inform PR (so that they can handle crisis communication with customers and partners)
  • Containment: stop the attack
  • Eradication: eliminate all artifacts of the attack (malware, compromised accounts, vulnerabilities); this is critical because if you forget one compromised account or piece of malware, the attackers can reenter the system
  • Recovery: restore systems to normal operation
  • Post-incident activity: inform customers about impact and potential further threats (e.g., stolen information could be used in phishing attacks against them)

However, the most important part of the incident response life cycle comes before the incident:

  • Preparation: protect the company and customer data from security incidents such as ransomware

A company that hasn’t already got protection should embark on this right away by installing and maintaining the right cybersecurity and backup solutions.

This also applies to those already impacted by a ransomware attack to prevent this from happening again.

Should a victim pay the ransom? Please explain what you mean with an example or story.

The ideological answer is never. The more money ransomware operators make, the bigger the ransomware problem will become. If ransomware is a lucrative money spinner for cybercriminals, it becomes even more worth it for them to invest more time and effort into creating and enhancing attacks, creating more havoc.

The business answer may differ depending on each individual situation. For many, it will be an outright “No”.

Yet, some companies that lacked sufficient protection have completely lost their data due to ransomware — I have seen CEOs crying at the devastating loss. Sometimes, companies have no other choice but to comply with demands so as not to suffer massive economic damage. And for those victims who do pay, they can be sure that the attacker will be back: If you have paid once, you will likely have to pay again. So a huge investment in new protection mechanisms is inevitable.

If a company chooses to pay, this must be coordinated with law enforcement officials, due to the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) designation against various cybercriminals in relation to ransomware, making payments to them illegal under US sanctions.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

A major mistake would be the lack of a robust security service from a reputable third party, complete with backup and recovery functionality. This is a must, providing both a major line of defenses against attacks and the ability to remediate in the case of an issue.

This should be coupled with a sound incident response (IR) plan so that your team can spring into action according to established protocol should disaster strike — having to work things through step by step in a time of panic and chaos is highly likely to lead to errors and misses.

Another mistake to avoid is assuming that all employees are aware of the different kinds of attacks, what constitutes a suspicious email and what to do in the case of a dubious email or an attack. Having the right policies in place and raising awareness are both important — however, do not rely solely on these; that’s where the third-party solution comes in, to set your mind at rest.

Even for companies with the right systems in place, administrators must avoid granting too many permissions to users and user accounts. When an attacker takes over a user’s account, they can do whatever that user can do. Limiting permissions strictly to what is needed helps curtail this. One deadly sin here is system administrators using their system administrator account for normal tasks such as reading email or browsing the web; if they fall for a phishing email while being logged in as administrator, the attacker gains instant administrator access with potentially disastrous results.

A common mistake is not to install the latest updates. Sometimes, software contains vulnerabilities for which exploits are publicly available. If these are not patched quickly, attackers can get access very easily.

Another one is having non-functional backups. A backup is only complete once it has been restored. Many companies perform backups, but never test the recovery process to verify their backups are complete. Failing to do this leaves companies exposed, even though they may think they have it covered simply by having a backup solution. If you cannot recover your backed up data when trouble strikes, then it is the same as not having backups in place. Having an up-to-date backup solution in place is another buffer against the damage caused by ransomware: You don’t need to pay the ransom to regain a file that has been encrypted because the data is already there in your backups, untarnished.
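The restore test described above, as an added example that is not part of the interview and not Hornetsecurity’s code: a plain tar archive stands in for whatever backup product is in use, a SHA-256 manifest is recorded at backup time, the archive is restored into a fresh directory, and every file is checked against the manifest. The sample files, paths and the simulated damage are constructed for the example.

```python
"""Backup restore test: a backup is only complete once it has been restored.

Added example (not from the interview or Hornetsecurity). A tar.gz archive
stands in for the real backup product; the check that matters is the
restore-and-compare step, which any backup tool can be wrapped in.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def backup(source: Path, archive: Path) -> dict:
    """Archive `source` and return the manifest taken at backup time."""
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname=source.name)
    return manifest(source)


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into `target` (a fresh directory, never production)."""
    # Use the safe extraction filter where the interpreter provides it
    # (Python 3.12+ and the security backports); older versions fall back.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(target, **kwargs)


def verify_restore(expected: dict, restored_root: Path) -> list:
    """Return a list of problems; an empty list means the restore is usable."""
    actual = manifest(restored_root)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing after restore: {rel}")
        elif actual[rel] != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    for rel in actual:
        if rel not in expected:
            problems.append(f"unexpected file after restore: {rel}")
    return problems


def demo(damage_restored_copy: bool = False) -> list:
    """Run backup -> restore -> verify on constructed sample data.

    With damage_restored_copy=True one restored file is truncated before the
    check, standing in for a backup that looks fine but cannot be recovered.
    """
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"                      # constructed sample tree
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("2022-03-01,invoice,1200\n")
        (source / "blob.bin").write_bytes(b"\x00" * 200_000)

        archive = tmp / "backup.tar.gz"
        expected = backup(source, archive)

        target = tmp / "restore"
        target.mkdir()
        restore(archive, target)
        restored_root = target / source.name
        if damage_restored_copy:
            (restored_root / "finance" / "ledger.csv").write_text("")
        return verify_restore(expected, restored_root)


if __name__ == "__main__":
    print("healthy restore:", demo() or "OK")
    print("damaged restore:", demo(damage_restored_copy=True))
```

The point of the script is the last step: a restore that is never compared against a manifest taken at backup time tells you only that the tool ran, not that the data came back. Scheduling this against a real backup (restored to scratch storage, never over production) is the check that turns “we have backups” into “we can recover”.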

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

As a starting point, tech leaders should include security in every design decision.

Many companies refuse to update software regularly because, in their experience, updates often break their software. While it would help if administrators tested patches before applying them network-wide, the delivery of robust product updates that are simpler to apply would address this problem and help encourage more widespread patching.

On the prevention front, show that crime does not pay by instituting more stringent penalties worldwide and delivering greater enforcement against cybercriminals across the globe.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)

Before we dive into the top five things you need to do to protect your business against a ransomware attack, there are two main things you need to consider: Protection, to have the best line of defense possible against threats, and preparation, so that you know what to do should an attack occur, thereby reducing risk. Our top five recommendations cover both aspects.

  1. Install an email security solution: Most attacks are email-borne so you need a strong line of defense to protect against ransomware and other security threats. Invest in a robust, comprehensive solution that you can rely on. Ensure that it also includes backup, disaster recovery and business continuity capabilities. Remember: If you can restore the file that the cybercriminals have encrypted, then there’s no reason to pay a ransom because you can access the data all the same.
  2. Train your users: Educate your entire team about cyberthreats to raise their awareness. Forewarned is forearmed, as the old saying goes.
  3. Have a solid incident response (IR) plan: Should you realize you’ve fallen victim to an attack, that is not the right time to think about what to do. You must have tried and tested processes ready to follow so that you can react quickly enough to prevent damage.
  4. Keep your systems up to date: Address any software vulnerabilities by updating your software with the latest patches as soon as they are released. This blocks attackers from exploiting known vulnerabilities.
  5. Multi-factor authentication (MFA): The #1 attack technique in human-operated ransomware attacks is the use of valid account credentials, usually obtained through another form of cyberthreat. MFA helps prevent illicit access, rendering the stolen credentials useless.
    And here’s a bonus tip:
  6. Manage permissions wisely: Only grant the necessary permissions to users and systems. If a user or system is compromised, the attacker can do whatever that user or system can do. If that system or user has limited access to the company resources, this mitigates the damage. If attackers want broader access, they must mount more attacks, which increases their risk of being detected.

You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I believe that, in general, people are too conservative and have too much fear of new things and of change. I’d love to bring about a change in mindset in this regard and encourage others to go one step forward, to move faster and in a new direction. I’d love to make the world more flexible, quicker and agile. For me, even the IT environment is not evolving fast enough, for example, in the fields of cloud transformation, industry digitalization and automation. I suspect the main reason for this is resistance to change and new things.

Embrace the extraordinary and do things that others may advise you not to do.

As a small example, I wanted us to have a company beer wagon, both for in-house events and to take with us to trade shows, partner meetings and so on. People thought this was crazy and they feared we might lose customers as a result. There was a lot of resistance to it. And yet, I went ahead and got our own Hornetsecurity beer wagon and took it to an IT security event and it was a great hit. It is now part of our identity and our culture.

How can our readers further follow your work online?

You can follow us and learn more about what we do and how we can help at https://www.hornetsecurity.com/.

This was very inspiring and informative. Thank you so much for the time you spent with this interview!

Thank you for interviewing me!
