Repelling A Ransomware Attack: Ryan Weeks of Datto On The 5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack

Employee education and training play an essential role in preventing ransomware attacks. Organizations should educate their staff and clients about ransomware, specifically detecting phishing and social engineering schemes. This will save time, money, and resources in the long run and help mitigate attacks before they even happen. Employees’ lack of cybersecurity awareness is a leading cause in successful ransomware attacks against SMBs. Employee training is an integral part of a successful cybersecurity protection program as it will ensure that all staff understands the cyber threats they face.

Ransomware attacks have sadly become commonplace and increasingly more brazen. Huge enterprise businesses, gas pipelines, universities, and even cities have been crippled by ransomware and forced to pay huge ransoms. What can an individual or a business do to prevent and repel a ransomware attack?

In this interview series, we are talking to cybersecurity experts who can share insights from their experience and expertise about the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack.” As a part of this series, I had the pleasure of interviewing Ryan Weeks, the Chief Information Security Officer at Datto.

As Chief Information Security Officer (CISO), Ryan leads and manages Datto’s Information Security program, empowering Datto’s managed services provider (MSP) partners, and the small and medium sized businesses (SMBs) they serve, on their ongoing cyber resilience journeys. His work is directly responsible for helping MSPs and SMBs prevent, detect, and recover from cyber attacks.

Thank you so much for joining us in this interview series! Before we dig in, our readers would like to get to know you. Can you tell us a bit about how you grew up?

Growing up I worked on farms and in lumber yards, so I developed a strong work ethic at a young age. During that time, I was exposed to technology and networking. I was fascinated by learning how technology could be broken or bypassed and how you could redesign systems to avoid those flaws. It was a hobby, but when I learned that there was a career path that celebrated this type of thinking, I knew that was what I wanted to do with the rest of my life.

Is there a particular story that inspired you to pursue a career in cybersecurity? We’d love to hear it.

Early on, I was introduced to someone who managed Intrusion Detection systems for a living as a security consultant and thought what he did was fascinating. I had the opportunity to watch him work, and he would sometimes explain things to me. The more I was exposed to, the more I wanted to learn.

Can you share the most interesting story that happened to you since you began this fascinating career?

There are four formative events that I will never forget in my career because all of them were tectonic shifts in the threat landscape. The first was the onslaught of computer virus worms around the turn of the 21st century. The second was the evolution of viruses and worms to exploit kits. The third was when ransomware first hit the scene and the fourth event was when wipers were used to try and destroy businesses.

You are a successful leader. Which three character traits do you think were most instrumental to your success? Can you please share a story or example for each?

Tenacity — when I set an objective for myself, I pursue it with an intensity of purpose and resolve until it is done. I was selecting schools for my grad degree and I sat in on a lecture at Northeastern University (NEU). I learned two things that day, I needed to get my degree from NEU and I wanted to be a Chief Information Security Officer. Everything I have done since then has been singularly aimed in that direction.

Agility — plans change as threats and risks change. If you want to succeed in InfoSec you need to embrace change, and be willing to rethink your plans given new information at any time. Course correct, and iterate. We’ve all had a situation where it feels like changing our approach is not a good idea given the amount of effort already expended. That’s a sunk cost fallacy. We need to be willing to jettison ideas and plans in the face of new information if it means we’re more likely to accomplish our mission.

Team — make sure you are surrounding yourself with the best people possible for the mission. Give people chances to do jobs bigger than they have ever done before and work with them so they feel safe, but challenged. When you find these people take care of them, nurture their intellect and careers. Having a strong focus on mission and your team is a key ingredient to unlocking teams that outperform and building a strong culture that encourages them to live up to their full potential. I have career progression plans for all my direct reports in my head, even if they do not.

Are you working on any exciting new projects now? How do you think that will help people?/You are a person of enormous influence. If you could inspire a movement that would bring the most amount of good to the most amount of people, what would that be? You never know what your idea can trigger. :-)

I have a few ideas that have turned into active projects that are in the works. Some have been multi-year endeavors. I am not one to seek credit, so I am working to be a driving force behind the scenes for changes that will improve community defense of MSPs and SMBs. When they land, it is my hope they will become a critical resource for improved education and cyber resilience in the IT Channel.

For the benefit of our readers, can you briefly tell our readers why you are an authority about the topic of Ransomware?

As the CISO for Datto, I understand the current cybersecurity challenges, needs, and best practices of small businesses (SMBs) and the technology service providers that support them, managed service providers (MSPs). Based on my years of experience in the cybersecurity industry, I have a unique perspective on the rapidly growing MSP industry, including how this emerging channel impacts the broader technology landscape. Before joining Datto, I was responsible for securing enterprise applications, systems, and sensitive customer financial data at FactSet Research Systems. I orchestrated all facets of the global information security program. Furthermore, I hold a B.S. in Computer Information Systems from Ithaca College and an M.S. in Information Assurance from Northeastern University. I also hold many security certifications, including the Certified Information Systems Security Professional (CISSP) and the Certified Information Security Manager (CISM).

Ok super. Thank you for all that. Let’s now shift to the main focus of our interview. In order to ensure that we are all on the same page let’s begin with some simple definitions. Can you tell our readers about the different forms of ransomware attacks?

In a simple definition, ransomware is a type of malware that encrypts files and folders and demands payment from victims to decrypt them. This cyberattack method is easily spread and has proven highly effective for cybercriminals.

To better understand how to protect against ransomware attacks, we need to look at how ransomware attacks commonly occur. Information-stealing malware is a leading precursor to ransomware, which involves cybercriminals using malware to find and steal valid credentials, which are then sold to initial access brokers or ransomware affiliates groups. Phishing is another tactic utilized by cybercriminals. Phishing scams are typically delivered in an email using tactics that make users complete actions that compromise their credentials or result in malware execution on their systems. Lastly, unpatched vulnerabilities are an enormous threat to organizations’ and individuals’ data. Without patches (a change to a computer program that is designed to update or improve it) a network’s software and operating systems become vulnerable to exploitation by cybercriminals, which can lead to ransomware.

Who has to be most concerned about a ransomware attack? Is it primarily businesses or even private individuals?

Ransomware attacks can impact organizations of all types and sizes, but SMBs and individuals are particularly vulnerable to these attacks. Cybercriminals usually target these smaller demographics because they don’t have as many data security tools or protections as larger companies. Over the last few years there has been a significant increase in ransomware attacks on SMBs and the MSPs who serve them due to their ability to target numerous SMBs through a single point of entry within an MSP. This trend is expected to increase in 2022. As such, it is imperative that organizations prepare now, because it is no longer a case of if, but when.

Who should be called first after one is aware that they are the victim of a ransomware attack? The local police? The FBI? A cybersecurity expert?

Once a business or individual is aware that they have been attacked by ransomware, they should immediately contact their legal council, MSP, cyber insurance provider, and breach coach to inform them of the situation. Once contacted those groups will then help the victim by following their current crisis response plan or by informing them on who else they should call and when. This includes internal and external stakeholders and law enforcement. Often cyber insurance will cover fees for technical response and recovery assistance, legal counsel and breach coaches, but you have to make sure that the provider is covered by your policy if you are not using the one they provide. Either way, it is vital to report cyberattacks to law enforcement agencies. Reporting helps government agencies, companies, and IT providers understand the scale at which cybergangs are acting. Reporting also influences the nation’s top law enforcement agencies to pass cybersecurity legislation to help capture and prosecute cybercriminals.

If a company is made aware of a ransomware attack, what are the most important things they should do to protect themselves further, as well as protect their customers?

Many steps need to occur if a company is aware that they have fallen victim to a ransomware attack. First, businesses must assess their networks to confirm where the organization has been hit and to then isolate the infected system(s) and computer(s) immediately while securing backup data or systems by taking them offline. Next, they must confirm their backups are intact and free of malware. They then need to change all online account passwords and network passwords after removing the system from the network. Once the malware is removed from the system, victims should update all system passwords and delete registry values and files to stop the program from loading. Finally, victims should contact law enforcement and report the attack.

Should a victim pay the ransom? Please explain what you mean with an example or story.

While most people’s immediate thought when asked if they should pay ransom during a cyberattack is no, some victims might not have this luxury. Sadly, there is no one-size-fits-all approach to handling ransomware attacks. No attack is exactly the same, even if the same cybercriminal is behind it. The victim’s ability to handle an attack in a way that is best for its operations and customers differs depending on the victim’s situation. That said, paying the ransom fee doesn’t guarantee that the victim will re-grant access to the stolen data, and not post it or re-sell it elsewhere. In some cases, victims have been asked to provide more money to access their data or have paid the ransom and were never given a decryption key. The best way to prevent this situation is to test and validate recovery strategies regularly to ensure when an attack does arise, you are in a position of strength versus playing defense.

What are the most common data security and cybersecurity mistakes you have seen companies make that make them vulnerable to ransomware attacks?

One of the biggest mistakes an organization can make is not putting people and processes ahead of technology. It is essential that companies provide their teams with the skills needed to identify and prepare for the eventuality of an attack instead of relying on technology to mitigate an attack after it has happened. To do this, there are a few things companies should consider. When MSPs are searching for new talent, they need to ensure their applicants have a basic level of understanding about security and security-related tasks. SMBs should also consider a co-managed approach where organizations outsource talent to add cyber maturity to their team. Additionally, organizations must identify what is working and what isn’t within their current security strategy. Finding a framework to help construct cybersecurity strategies (like the National Institute of Standards and Technology (NIST) Cybersecurity Framework) can help companies identify the outcomes to achieve cyber resilience.

Another mistake I see commonly is businesses trying to use outdated hardware. While this may save money in the short term, delaying upgrades to business infrastructure and continuity and backup solutions will inevitably cause a crash or lead to the inability to successfully recover in the event of a ransomware attack. In the long run, these incidents will cost a business infinitely more than the cost of implementing the upgrades in the first place.

What would you recommend for the government or for tech leaders to do to help limit the frequency and severity of these attacks?

With the pandemic exacerbating the rise of ransomware, tech leaders and the government must promote the use of third-party security assessments. At Datto, we show our dedication to securing MSP’s technology by participating in the Building Security in Maturity Model (BSIMM) assessments. The BSIMM is an independent third-party security assessment of software applications based on a widely-accepted maturity model rooted in real world activities of over 120 global companies. Currently, Datto is the only MSP-focused company to assess under the BSIMM. Additionally, transparency of vendors on their security efforts is vital for MSPs to overcome the ‘crisis in confidence’ occurring in the channel today. Tech leaders must push for MSPs to build an application security program that is externally validated using an industry-standard maturity model to help promote cyber resilience. Self-attestation is not enough.

Ok, thank you. Here is the main question of our interview. What are the “5 Things You Need To Do To Protect Yourself Or Your Business From A Ransomware Attack” and why? (Please share a story or example for each.)

The best way to combat ransomware attacks is to take preventative measures to stop cybercriminals from encrypting or stealing your data. Here are five things organizations or individuals should do to protect themselves from ransomware attacks:

1. Employee education and training play an essential role in preventing ransomware attacks. Organizations should educate their staff and clients about ransomware, specifically detecting phishing and social engineering schemes. This will save time, money, and resources in the long run and help mitigate attacks before they even happen. Employees’ lack of cybersecurity awareness is a leading cause in successful ransomware attacks against SMBs. Employee training is an integral part of a successful cybersecurity protection program as it will ensure that all staff understands the cyber threats they face.
2. Use a multi-layered approach to monitor network activity and actively scan for malicious malware threats. Invest in a good quality antivirus program with real-time protection and use programs that shield your data and block ransomware from holding files hostage.
3. Patch and update software and systems continuously. This is a vital step to safeguard business data and eliminate vulnerabilities that cybercriminals can leverage. With a remote monitoring and management (RMM) tool, patching and software updates can also be automated. This type of tool will provide ease to the minds of organizations since they know it will capture any irregularities in their systems.
4. Regularly back up files and data with a business continuity solution. Modern total data protection solutions, like Datto, take snapshot-based, incremental backups as frequently as every five minutes to create a series of recovery points. If your business suffers a ransomware attack, this technology allows you to roll back your data to a point-in-time before the corruption occurs. This type of prevention helped MSP provider TeamLogic IT when the Crowne Plaza hotel in Boston found out that several of their computers and important files were being attacked by a ransomware gang. Before this incident, the hotel had taken the advice of TeamLogic and installed a proper backup and disaster recovery (BDR) solution, which meant there was no need to pay the hackers as they were prepared and had access to backups of their data.
5. Create a cybersecurity checklist. This checklist will help organizations or individuals keep track of their progress in developing a robust, multi-layered cybersecurity strategy that can save a business’s data.

How can our readers further follow your work online?

Readers can find me on LinkedIn where I post. They can also learn more about my work at Datto on our company blog: https://www.datto.com/blog

This was very inspiring and informative. Thank you so much for the time you spent with this interview!