Infiltrate, Extort, Repeat – The Ransomware Pandemic. Part 1: Ransomware on the Rise
10 November 2021
The last two years have seen a pandemic of epic proportions sweep across the globe, wreaking havoc in its wake and doing untold damage to the lives of billions. As organisations have adapted to deal with unprecedented challenges posed by Covid-19, hackers have taken advantage of a febrile environment, resulting in a spike in so-called “ransomware” attacks.
These have had a sometimes-crippling effect on countless organisations, large and small. Often, victims must decide between paying a ransom, to restore systems and recover data, or refusing and facing potentially significant costs and catastrophic business interruption.
In this series we explore some of the strategies that can be implemented to prepare for, and minimise the impact of, a ransomware attack. We also consider the merits, legality and practicalities of paying a ransom.
Ransomware on the Rise
Ransomware is a form of malware that, once infecting a computer or system, encrypts data and files to render them inaccessible and unusable. Attackers will then typically send a ransom note demanding payment in return for the decryption keys required to restore access, and may threaten to publicly release sensitive data that they have obtained during the attack as a form of “double extortion”.
Ransomware attacks pose a growing risk as they become more lucrative and easier to carry out. The emergence of groups offering so-called “Ransomware-as-a-Service” (RaaS), such as REvil and DarkSide, combined with the ready availability of on-demand malware kits, has made the process simpler than ever for would-be attackers. In addition, hackers typically demand payment in anonymous cryptocurrency that is difficult to trace, further reducing the risk of repercussions.
The Covid-19 pandemic fundamentally changed the way many access their online systems, with remote access systems such as remote desktop protocol (RDP) servers and virtual private networks (VPNs) becoming fundamental to the operation of businesses worldwide, as people logged on from home. This extension of networks gave rise to new vulnerabilities for exploitation by hackers using a combination of weak passwords, credentials gained through phishing attacks, the absence of multi-factor authentication and software deficiencies. The result – an estimated 300 million ransomware attacks were carried out in 2020, a rise of more than 150% on the prior year. In 2021, business costs associated with ransomware were expected to hit $20 billion, while cyber insurers have reported a fourfold jump in claims from 2019 through 2020. This rise in costs is being driven in part by the “big game hunting” tactic that is being adopted by many attackers. Larger companies have been targeted with the aim of extracting larger ransoms, driven by the knowledge that many will not be able to endure the damage resulting from the average 15 business days of downtime caused by ransomware attacks. In March 2021, we saw US insurance giant CNA Financial pay $40 million to regain control of its network; in the same month, Acer received what is thought to be the largest ransom demand to date when REvil offered a “discounted rate” of $50 million while using stolen corporate data from the electronics manufacturer as leverage. According to Palo Alto Networks, the average ransomware payment increased by 171% to $312,493 in 2020.
Fortify Your Defences and Equip Your Team
As with all forms of cyber-attack, it is a huge challenge to prevent ransomware attacks from occurring. The continuous nature of technological change, software development, and support and maintenance, combined with growing sophistication and frequency of attacks, means that even the most proficient of information security teams can struggle to stay one step ahead of the attackers. What businesses can do is ensure they invest in information security as a key priority and have robust programmes and procedures in place to ensure they are well prepared in the event that they become a target of attackers. The UK’s National Cyber Security Centre recommends adopting a “defence-in-depth” approach, constructing multiple layers of defences with mitigations at each layer to best improve the opportunity to identify potential ransomware attacks and address them before they are able to cause damage.
- A well-resourced security programme: A comprehensive information security programme is perhaps the most effective way businesses can reduce the risk that they fall victim to a ransomware attack. The scope of these programmes can be vast depending on the size and complexity of technology stacks. However, a baseline programme for all medium-to-large businesses should include the implementation of appropriate antivirus and anti-malware software, regular and proactive network monitoring (on a 24/7/365 basis), regular patching and software updates, robust access controls including the use of multi-factor authentication and other human verification systems (for all remote access points) and use of other network-based bot management tools to detect illegitimate traffic.
- Appropriate internal training: Many attacks are caused by human error or inaction. It is imperative that all staff receive regular training so they are aware of the risks associated with cyber-attacks and understand their own role in preventing and responding to them. Phishing was the second most common cause of ransomware attacks identified by Group-IB, and providing simple tips to help employees recognise malicious emails can help reduce the risk of a successful attack.
- Incident response plans and procedures: Organisations should ensure that they have detailed incident response procedures in place and should conduct regular table-top exercises to test these procedures and ensure relevant personnel (including senior personnel) understand their roles. The response procedures should include a predefined list of critical systems whose recovery is to be prioritised.
- Business continuity plan and disaster recovery: In addition to general business continuity and disaster recovery plans, organisations should design a strategy for recovering in the event of a ransomware attack to minimise disruption and allow for continued operation of key business functions while remedying any attack suffered. Incident response procedures should be tested under disaster recovery conditions to ensure that they are workable in such scenarios. Often ransomware attacks can restrict the use of email and business mobile phones; therefore having a plan that enables core teams to work without these functions is imperative.
- Maintain regular back-ups: Regularly backing up data and ensuring that these back-ups are secured is vital to preparing for any potential ransomware attacks. Having access to back-ups of important files, stored in multiple locations both locally and on cloud-based services, which are separate from and not connected to the network, will allow access to these files to be maintained in the event of an attack. Sophos found that 56% of victims of ransomware attacks in 2020 were able to use back-ups to retrieve their data, rather than paying a ransom.
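The back-up advice above is only useful if the copy you fall back on is intact, so a practitioner will want a way to prove that before an incident rather than during one. The following is an added example (not code from the article or from ICLG) showing one approach: record a SHA-256 manifest when the backup is taken, and verify the backup set against it before relying on it, so that backup files that have themselves been altered or encrypted, or stray files that have appeared, are flagged. The directory layout, file names and contents are constructed for the demonstration and live in a temporary directory.

```python
"""
Added example (not part of the ICLG article): build a checksum manifest for a
backup set and verify the set against it before a restore is attempted.
All paths and sample files below are constructed and created in a temp dir.
"""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def take_backup(source: Path, backup_dir: Path) -> Path:
    """Copy the source tree into backup_dir/data and write manifest.json beside it."""
    dest = backup_dir / "data"
    shutil.copytree(source, dest)
    manifest = build_manifest(dest)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify_backup(backup_dir: Path) -> dict:
    """Compare the backup data tree to the stored manifest.

    Returns {'modified': [...], 'missing': [...], 'unexpected': [...]}; all three
    lists empty means the backup matches what was recorded when it was taken.
    """
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    current = build_manifest(backup_dir / "data")
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> tuple:
    """Back up a constructed file share, then simulate the backup copy being
    reached by ransomware, and return (clean_result, tampered_result)."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "fileshare"  # constructed production data
        (source / "finance").mkdir(parents=True)
        (source / "finance" / "ledger.csv").write_text("date,amount\n2021-11-01,100\n")
        (source / "readme.txt").write_text("constructed sample data\n")

        backup = tmp / "offline_backup"  # constructed backup target
        backup.mkdir()
        take_backup(source, backup)
        clean = verify_backup(backup)

        # Simulate the failure mode the verification exists to catch: a backup
        # file overwritten with ciphertext and a note file dropped next to it.
        (backup / "data" / "finance" / "ledger.csv").write_bytes(b"\x00constructed ciphertext\x00")
        (backup / "data" / "NOTE.txt").write_text("constructed placeholder note\n")
        tampered = verify_backup(backup)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup:", clean)
    print("tampered backup:", tampered)
```

Run it and the first result has three empty lists, while the second names `finance/ledger.csv` as modified and `NOTE.txt` as unexpected. In practice the manifest should be kept on a system the backup target cannot write to (or be signed), since an attacker who can alter the backup could otherwise alter the manifest to match; the same separation the article recommends for the backups themselves applies to the record used to verify them.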
- Internal expertise: A well-resourced team of information security specialists is essential to enable a business to maintain its day-to-day operations, to manage and implement its security programme and to react in the event of an incident.
- Access to external resource and expertise: When an attack occurs, a business will likely want to engage external specialists, including those with expertise in incident response, dark web monitoring, system rebuild, cyber forensics and PR management, as well as external legal counsel who can assist with regulatory notifications, complaints, enforcement against third parties and advising on the payment of ransoms. Establishing these relationships (and putting in place engagement terms) before an attack has occurred will save a huge amount of time in the vital hours immediately following an incident.
- Accountability and risk monitoring: The appointment of a Chief Information Security Officer or another senior executive officer with responsibility and accountability for information security (as well as appropriate incentives) will drive good performance and ensure that senior executives are alive to and aware of the risks associated with ransomware attacks.
This article was created for ICLG.com. Read Part 2: React, Respond and Remediate.