How to counter ransomware? Have a plan ready, and work fast
“It is impossible to learn it while in motion, you must be prepared in advance,” says Code Blue founder Refael Franco, explaining how the Coronavirus changed criminal organizations
Refael Franco, former Deputy Director-General of the Israel National Cyber Directorate, allow me to ask you the question every CEO struggles with: should I pay the ransom or not?
"For those who prepare for an attack in advance and know how to operate against an attacker - the question of whether to pay will become redundant. We at Code Blue use trickery and deception against attackers so such questions won’t be relevant. The deception is both psychological and about the legitimacy of the attacker. It is also possible to carry out counterattacks, but it is more complicated and expensive."
If I pay the ransom, will they attack me again, as they do in the movies?
"If you paid - they will return. Moreover, statistics show that in 23% of the cases, even if you paid a ransom, you will not get your files back. After all, these are criminal organizations and not righteous people."
Could you offer some tips for CEOs: how will they know they are at risk of a ransomware attack?
“It is not a question of if, rather a question of when. Just as you have an insurance policy, a lawyer, and an accountant - you must have a cyber crisis manager. It is impossible to learn it while in motion, you must be prepared in advance. It's a profession, a new one though, but it is a profession I acquired through many operations I participated in."
You left the National Cyber Directorate this year, precisely when it seems that the cyber threat to Israel is greater than ever. Why?
"In 2020, the cyber defense paradigm has changed. Israel is a target for three types of attackers: First, Iran, interesting but not enough; Then there is BDS (The Boycott, Divestment and Sanctions movement against Israel); And the third, cybercrime. All of the security organizations in the world did not pay enough attention to the third one. And then came Covid, which brought a formative event: the transition of the entire world, all systems, and all commerce towards digital. Organizations had to adapt and act hastily; many organizations were exposed to new technology and the need for cyber defense, but just as the Hebrews rushed out of Egypt, so did some of these organizations, and the last thing that was on their mind was security. The result was that massive organizations had to build entire defense systems within one year, compared to the five years it requires."
"There was also a demographic change among the attackers: drug dealers and arms dealers who also could not leave their houses because of the pandemic, could not cross borders or fly anywhere, were forced to develop their 'business' and they switched to cyber. Attacks by Iran and the BDS have not changed, but instead of 15-20 existing and recognized cyber organizations, hundreds more were born as a result of a digital transformation of criminal organizations, making ransom demands one of the greatest economic threats in the world.
"Now it becomes even more complex because if in the past blackmail was one-on-one, it is now possible to go after several targets at once. Crime has become asymmetrical and this is a new reality that organizations are not prepared for. There is an influx of ransom demands and extortion attacks; it used to be marginal, not close to today's scale and scope. It takes the organization months to figure out what happened. 'Shirbit' has not yet found all the information that was stolen from it, and it has been five months since it was attacked."
"Sophisticated software is not enough"
What do organizations miss?
“Organizations are in the process of internalizing, but that is not enough. It should be understood that a ransomware incident is not a problem for the information systems manager or the security manager, rather it is a problem for the CEO. You have to change the perception from cyber defense to cyber crisis management. What is damaged in a cyberattack is not just the computer systems, but the business itself. Is the production line being locked? So this is a problem for everyone. If the company does not know how to work together in a crisis, it will not be able to minimize the damage."
So it is not enough to have the best software?
"It is impossible to hermetically close a system. In the past, the slow pace of attacks allowed enough time to close the holes, but that is not the case anymore. Therefore, you have to prepare in advance for a cyberattack so as not to think about what to do as it happens. This means analyzing in advance what a shutdown will mean, which information is important and which is less crucial, where there are backups, and where there are none. Once you prepare in advance - you know what to do, and if you shoot from the hip it can cost you tens of millions and sometimes even reach insolvency. Studies show that the stock of a company attacked drops by 3% immediately, in the first year it drops by 8.6% and five years later by 15%, which means that investors and customers lose confidence over time."
So how do attackers decide who to go after: is it the strategic value of the organization, or is it how easy it is to break in?
"Both. There are those who knock on every door and there are those who check out the 500 largest companies in Israel. In the past year, we saw more focused attacks, but every criminal organization has its own methodology.”
"Israel leads in cyber defense"
How did so many people suddenly become experts in cyber-attacks?
"What do you need to attack? Electricity, access to YouTube because there are hacking tutorials, a basic understanding of the Darknet, and time. There is no shortage of bored 17-year-olds sitting at home for the past year, with an emphasis on the third world. Nothing is required of them, except to be faster than those they attack. You can imagine it as a board on which both sides run and whoever arrives at the end faster will win."
Israel is considered a cyber power; couldn't we develop something here that would hermetically close our computer systems?
“Israel knows how to protect its critical infrastructure. But this is not the case everywhere else. For example, something like the cyber attack and shutdown of the oil pipeline in the U.S. two weeks ago cannot happen in Israel."
So how does this happen in a country like the U.S.?
"Israel is ahead of every other country in regards to the cyber defense of critical infrastructure. There is no oversight in the U.S. of critical infrastructure because everything is privatized. In Israel, we do not look at whether the infrastructure is privately or publicly owned, but at its level of criticality for the state, at the level of Maslow's scale of needs."
So are cyberattacks and ransom demands like a chronic illness we have to endure, or could there be a game-changer here?
"Just because there are more cops doesn't mean the crime is beaten; I do not see criminal organizations simply disappearing. We will see more complex social engineering: emails coming from familiar people, often senior ones, that give the feeling that you must open them, and the systems are having a hard time finding those. It is true that seniors' accounts are often hacked into because valuable information can be extracted from them, and they carry more permissions. Social engineering is the number one cause of breaking into an organization."
Speaking of the police, we do not see police around the world catching these criminals.
"It is very difficult to find clues inside the Darknet. There is now an international effort to catch those criminal elements, but so far without the expected results. Attackers currently enjoy full immunity. Countries from the evil axis can also send more hackers without leaving any footprints. So far there is no deterrence; in North Korea, for example, it is estimated that 20% of the country's GDP comes from cybercrime."
So even after the effects of the pandemic pass, will cyberattacks remain?
"There is no chance in the world that someone who has made such good progress will stop it now."