It begins much like any other day at work: you’re working on your computer when you receive an email informing you that an invoice, a customer presentation or a candidate profile you have been waiting for has arrived for your department. It directs you to download it using the link provided. Without giving it much thought, you download and open the file. Some time later, you discover you can no longer access your files and that several copies of a file named “DECRYPT_YOUR_DATA.txt” have been created.
It’s a chilling moment. Sensitive files on your computer, and probably on the network you’re connected to, have been encrypted. They’ve effectively been taken hostage in one of the fastest-growing forms of cybercrime: ransomware attacks.
Ransomware and Cyber-attacks
It is well known that the move to remote work over the last year has led to an increase in cyberattacks. There were more attacks of every kind, but the headline for 2020 was a 150% increase in ransom attacks. In 2020, the amount paid by victims of these ransom attacks increased by a whopping 300%.
Ransomware is becoming highly sophisticated: some recent variants can gain access without connecting to the Internet at all, making their source virtually untraceable. The lucrative and fast pay-off, combined with the stealth of the attack and the relative anonymity of the transactions, has made this type of cyberattack increasingly attractive to criminals. Indeed, ransomware attacks have reached epidemic levels across the globe.
With high-profile ransom attacks against critical infrastructure, private companies and municipalities grabbing headlines on a daily basis, 2021 has seen a dramatic increase in this activity. There have been more incidents in the first half of 2020 than in the past five years combined, and we expect the number to increase exponentially. Their severity has also increased, with more sophisticated campaigns being launched against targets with deeper pockets and more motivation to pay quickly.
What Should a Company Do If Attacked?
In the event of a cyber extortion event, companies should notify their senior management and the legal department, then follow their incident response protocol step by step, in sequence. Looping in an attorney from the start will help ensure that the investigation is protected by attorney-client privilege and the attorney work product doctrine, reducing the risk of exposure in any class-action lawsuits or other legal claims that may be brought in the wake of the data breach.
In order to determine whether there is coverage under the applicable cyber insurance policy, the company's insurance carrier must be notified at the outset. Any communication with the threat actor must be approved by the insurance carrier before it takes place.
The decision whether to pay a ransom rests with senior management and often the board. Every ransomware or cyber extortion event must be assessed individually as to whether to pay or not. Keep an open mind: often, companies lose precious time as decision makers unacquainted with ransom attacks vow on day one that the company will “never, ever” pay, then come around to the realities of the situation, the availability of insurance money and the need to protect stakeholders before ultimately deciding to pay. In addition, keep calm and buy time. Threat actors try to create urgency and panic with their demands. Slowing things down helps you make the right decisions for your organization. Key questions to consider when deciding whether to pay a ransom include:
- How sensitive is the information that has been accessed or exfiltrated?
- Does the company have back-ups of the information, or does it need the decryption keys?
- Do the costs of refusal, such as business disruption, the impact to systems or customers, negative publicity or reputational harm, exceed the ransom demand?
- Is the threat actor tied to a company that is on the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned-entity list? (If so, it may be illegal under U.S. law to pay the ransom.)
Depending on the severity of the incident and other factors, most companies will at the least file an online report with the FBI listing the indicators of compromise (IOCs) involved in the attack, to assist law enforcement in tracking these threat groups and, hopefully, someday bringing them to justice. So far, indictments in this area have been nearly non-existent, and American companies have been left largely on their own to thwart these attacks, despite good intentions from law enforcement.
How can I prevent a data breach?
While the increase in cyberattacks is alarming, it has put a spotlight on this growing issue. The most effective way to prevent a data breach is preparation: investment in security protocols and training should be paramount for any organization.
Assessing your potential risk, knowing where your data is, controlling who has access to it and making sure it’s secure should be an absolute priority. It’s still the case that most cyber-attacks start by exploiting our human vulnerability. By training staff to spot suspicious emails or links you can lock the front door, and then use technological solutions to ensure the hackers can’t get in around the back.
To create an effective defense against a data breach, organisations should:
- Keep IT systems and software up-to-date
- Store sensitive data separately
- Secure the email gateway
- Do regular off-site backups of your data
- Control users’ access and privileges
- Provide regular security training for all staff
Profitable and with a potentially fast payout, ransomware is an attractive tactic that’s unlikely to wane in popularity. While large organizations with deep pockets will continue to be prime targets, those that don’t necessarily have much money but do have data of a sensitive and/or critical nature – such as matters of life and death – may increasingly find themselves in the crosshairs of criminals.
We would love to hear thoughts and viewpoints on this topic from leaders and practitioners.
#ransomware #malware #cybercrime #informationsecurity #cybersecurity #hacking #cybersecurityawareness #dataprotection #privacy