As more and more companies allow their employees to work from home due to the COVID-19 pandemic, the number of cyberattacks is rising too. Among the most common cyberattacks in 2020 were ransomware attacks, up 150% from the previous year. The amount of ransom being demanded also jumped by more than 300% in 2020.
It’s as if the hackers are on a ransom spree. They’ve spared no one: stock markets, pipelines, schools, and even cruise line operators have all been held hostage. The number of attacks has continued to rise even as the Coronavirus pandemic rages across the nation.
The year 2021 hasn’t had a great start either. High-profile ransomware attacks against critical infrastructure companies, municipalities, and private organizations have been making headlines globally.
The attacks have also become more sophisticated, and in some cases the ransom demanded has gone as high as tens of millions of dollars. Holding companies and municipalities hostage by seizing their data has become these hackers' common method of operation.
The extent and breadth of the attacks warrant answers to the following questions. Are companies in a position to better understand ransomware prevention? Who exactly is responsible for the recent surge in ransomware attacks? What is the best way for organizations to respond to this threat?
These questions and more are what we discuss in the following article. Let’s dive straight into it.
The Changing ‘Game’ of Ransomware Attacks
The ransomware game has changed in recent times. Some years ago, attacks aimed to gain access through a phishing email, which the hackers used to deploy malware. When an unsuspecting individual clicked the link in the email, the malware would encrypt the organization's servers. The extortionists would then demand a ransom in exchange for the decryption keys. This was usually a high amount, in the five- or even six-figure range.
In recent times, it’s become a whole new ballgame. Now it’s not just a few miscreants having fun and demanding large amounts of money. Ransomware attacks have become a massive business.
Of the more than 6,000 companies Hiscox, Ltd. surveyed in 2020, 43% had suffered a cyberattack, and one in six had been a ransomware attack. The amount of ransom demanded has also grown in the past year and a half. What used to be a six-figure range is now close to the mid-to-high seven-figure range. Some ransom demands have reached into the tens of millions of dollars.
Between A Rock And A Hard Place
Since the ransom is paid via Bitcoin or whatever other cryptocurrency the threat actors demand, it is difficult to trace and catch them. Payment by cryptocurrency is quick, easy, and mostly anonymous — a perfect solution for ransomware hackers to hide their ill-gotten gains.
Often these threat actors are highly organized criminal organizations operating in Eastern Europe and elsewhere. They have a good understanding of the financial picture of the companies they are targeting and know exactly how to exploit them to their maximum advantage.
In exchange for keeping the company’s data private, the threat actors give the affected party a “pay up or else” ultimatum. To obtain the decryption keys and to keep confidential information and details of valuable intellectual property from leaking, companies give in to the extortionists' demands. Left with no other option, they either pay the criminals millions of dollars in ransom or face the risk of their sensitive and valuable confidential information, including customer and employee data, being publicly exposed.
Surprisingly, there are some extortionists who do seem to have some ‘honor’. They destroy the stolen files and the decryption keys as well as give the extortionee their word that they will not misuse any information. Some are even known to have adjusted to the preferred cryptocurrency of the extortionee and as a goodwill gesture even provided a small percentage upcharge. One threat actor even threw in the decryption keys, even though the extortionee company negotiated a lower ransom because they didn’t need the keys.
What Options Do Companies Have When Attacked?
Since almost every company now faces the threat of cyberattacks, and ransomware attacks in particular, it is prudent to draft a written incident response plan and follow it when a cyber-extortion incident takes place. Both the senior management and the legal department should be informed immediately, with an attorney looped in from the start. The presence of an attorney ensures that both the attorney-client privilege and the attorney work product doctrine protect the investigation.
Another party to notify during a ransomware attack is the company’s insurance carrier. It is the insurance company that determines whether coverage applies under the existing cyber insurance policy. It is essential to involve the insurance carrier right at the beginning because the insurance company will have to approve the offer to pay ransom to the threat actor.
But the last word on whether a ransom will be paid at all remains with the senior management, and often the board. It is important that precious time is not wasted on decision-making during such a crisis.
Keeping an open mind helps. Having a “will never ever pay” attitude can waste time that is needed to reach a quick and final decision. Instead, it is better to recognize the seriousness of the situation and arrange for the money for the ransom to be available, while at the same time understanding the need to protect stakeholders.
Being able to buy time is significant. It is common for threat actors to try to create panic with their demands. In such an emergency, a number of key questions need to be considered, including:
- How sensitive is the data that is in possession of the hackers?
- Is there a backup of the data that has been exfiltrated?
- Does the hacked data require the decryption keys?
- Will the cost of refusing to pay surpass the ransom demand?
- Is the extortionist connected to a company that is on the U.S. Treasury Department's Office of Foreign Assets Control sanctioned-entity list?
The answers to these questions will decide whether the company pays the ransom or not. Also, most companies file an online report with the FBI following a ransomware attack. The report contains the indicators of compromise involved in the attack.
This helps law enforcement hunt down the threat actors in an attempt to bring them to justice. But despite the involvement of law enforcement, American companies have largely been trying to thwart these attacks on their own.
Can Companies Reduce The Risk Of A Ransomware Attack?
Though no perfect or time-tested solutions exist that companies can rely on during a ransomware attack, a few steps, if put into place, can reduce the risk of an attack to some extent. These steps can also limit the damage if an attack does occur.
Some of the steps that can be followed to prepare for an attack include:
- Companies must review their cyber insurance policy and ensure that ransom is a part of it.
- The incident response plan should clearly state who is responsible for what action at the time of a ransomware attack. This will ensure that the least possible time is lost in reaching a decision to resolve the issue.
- Having a communication channel in place, such as a texting app, in the event that a ransomware attack disrupts the company’s email systems, ensures that the senior management can continue to be in touch with each other.
- All company accounts, including service accounts and social media accounts, should have multi-factor authentication enabled. Companies should also ensure strong spam filters are in place.
- Employees can be trained to identify phishing emails so that a cyberattack can be averted. Companies can also educate their staff about the modus operandi of threat actors.
- High-risk employees, such as those who have administrative rights to systems, have the highest chance of unknowingly helping threat actors to carry out an insider attack. Such employees can be identified and kept on high alert to avert an attack.
- Back-up systems need to be regularly tested and checked. They should be segregated from other systems being used in the company.
- Companies should also try to know what cybersecurity programs and protocols their key vendors are following. This is particularly important for those vendors that handle critical and sensitive company data.
Going by the recent growth in the number of cyberattacks, these are unprecedented times for cybersecurity. That is why it becomes all the more important for companies to keep themselves prepared for a ransomware attack.
Having systems and procedures in place prevents precious time from being lost to decision-making during a ransomware attack. Adequate preparation and planning, along with proper cybersecurity hygiene, can reduce the risk of a cyberattack and save companies from being held hostage.
We at nQuery can help you protect your organization from becoming a victim of a ransomware attack. Our cyber experts step in and handle all your cybersecurity for you and your team. For more information you can speak with an IT & Cybersecurity expert today! (305) 910-2324