[BreachExchange] Ransomware Attacks Are Spiking. Is Your Company Prepared?

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 20 15:17:38 EDT 2021


https://hbr.org/2021/05/ransomware-attacks-are-spiking-is-your-company-prepared

With the migration to remote work over the last year, cyberattacks have
increased exponentially. We saw more attacks of every kind, but the
headline for 2020 was ransom attacks, which were up 150% over the previous
year. The amount paid by victims of these attacks increased more than 300%
in 2020.

Already 2021 has seen a dramatic increase in this activity, with
high-profile ransom attacks against critical infrastructure, private
companies, and municipalities grabbing headlines on a daily basis. The
amount of ransom demanded also has significantly increased this year, with
some demands reaching tens of millions of dollars. And the attacks have
become more sophisticated, with threat actors seizing sensitive company
data and holding it hostage for payment.

Who’s behind the recent surge in attacks? And how should companies respond
to this increased threat? In this article, I’ll outline how ransomware
attacks have evolved and what actions companies can take now to protect
themselves.

How Ransomware Attacks Have Changed

A few years ago, the majority of ransom attacks involved only the
deployment of ransomware. Hackers would gain access through a phishing
email that would deploy malware when an unwitting employee clicked on a
link. The malware would then encrypt company servers, and the extortionist
would offer decryption keys in exchange for a ransom — typically in the
five or sometimes six figures.

Many times, the threat actors didn’t even gain access to company
information — and sometimes they didn’t even know which company would be
the ultimate target. They merely looked for systems to exploit and waited
for the pay day. Once the ransom was paid — via Bitcoin or other
cryptocurrency — the hackers would send decryption keys so the company
could regain access to its servers, and would even promise not to target
the company again.

The game has changed more recently — and has become a massive business for
those who perpetrate these acts. According to Hiscox, Ltd., 43% of the more
than 6,000 companies it surveyed had suffered a cyberattack in 2020 — up
38% in the 12 months before — and one in six of those attacks was a ransom
attack. In 2020, the amount of ransom demanded grew to the mid to high
seven-figure range. At the end of 2020 and into 2021, we have seen some
ransom demands reaching into the tens of millions of dollars.

In addition to the higher demands, the methodology has changed. Attacks are
focused on exfiltrating company information — and the more sensitive, the
better. These threat actors, who are often highly organized criminal
organizations in eastern Europe and elsewhere, have done their research.
They understand the company’s financial picture, the industry in which it
operates, and how to exploit the company to maximum effect. In addition to
deploying malware to encrypt company systems — targeting even the backup
systems that are in place — the threat actors conduct reconnaissance of
company files, ultimately exfiltrating large amounts of data, a terabyte in
many instances.

The threat actor then follows up with a “pay up or else” ultimatum,
contacting the company with an extortion demand, to be paid in
cryptocurrency, to obtain the decryption keys and to keep the company’s
data private. The company is warned that should they choose not to pay,
their sensitive information will be posted on the dark web on a “wall of
shame” with others who were hacked and didn’t pay the ransom. Journalists
who monitor the dark web can pick up this information and report more
widely on the attack, sometimes causing damage to a company’s reputation or
exposing valuable intellectual property or other confidential information,
including customer and employee data.

The company is left between a rock and a hard place — either pay millions
of dollars in ransom to criminals or have sensitive and valuable
confidential information publicly exposed.

Notably, there does appear to be “honor among thieves” in the system. These
extortionists depend upon companies believing that if they pay, all copies
of the stolen files will be destroyed and/or the decryption keys provided.
And the attackers do keep their word. In fact, some of these organizations
are downright customer-service oriented, for example, accommodating the
preferred cryptocurrency of the extortionee (with a small percentage
upcharge to do so). We have even seen a threat actor “throw in” the
decryption keys as a goodwill gesture, even though the company had already
negotiated a lower ransom based upon the fact that it didn’t need the keys.

What Should a Company Do If Attacked?

In the event of a ransomware or other cyber extortion event, companies
should follow their written incident response plan, in particular notifying
senior management and the legal department. Looping in an attorney from the
start will ensure that the investigation is protected by attorney-client
privilege and the attorney work product doctrine, reducing the risk of
exposure in any class-action lawsuits or other legal claims that may be
brought in the wake of the data breach.

The company’s insurance carrier also must be notified at the outset so that
it can determine whether there is coverage under the applicable cyber
insurance policy. The offer to pay ransom must be pre-approved by the
insurance carrier prior to any communication to the threat actor.

The decision whether to pay a ransom rests with senior management and often
the board. Every ransomware or cyber extortion event must be assessed
individually as to whether to pay or not. Keep an open mind: Often,
companies lose precious time as decision makers unacquainted with ransom
attacks vow on day one that the company will “never, ever” pay, then come
around to the realities of the situation, the availability of insurance
money, and the need to protect stakeholders before ultimately deciding to
pay. In addition, keep calm and buy time. Threat actors try to create
urgency and panic with their demands. Slowing things down is helpful in
making the right decisions for your organization. Key questions to consider
when deciding whether to pay ransom include:

- How sensitive is the information that has been accessed or exfiltrated?
- Does the company have back-ups of the information, or does it need the
  decryption keys?
- Do the costs of refusal, such as business disruption, the impact to
  systems or customers, negative publicity or reputational harm, exceed the
  ransom demand?
- Is the threat actor tied to an entity that is on the U.S. Treasury
  Department’s Office of Foreign Assets Control (OFAC) sanctioned-entity
  list? (If so, it may be illegal under U.S. law to pay the ransom.)

Depending on the severity of the incident and other factors, at the least,
most companies will file an online report with the FBI reporting the
indicators of compromise (IOCs) involved in the attack to assist law
enforcement in tracking these threat groups and hopefully someday bringing
them to justice. So far, indictments in this area have been nearly
non-existent, and American companies have been left largely on their own to
thwart these attacks, despite good intentions from law enforcement.

How Can Companies Reduce the Risk?

There are a number of steps that companies can take to reduce the risk of a
ransom attack, as well as the risk of damage if an attack occurs. These
include:

- Review your company’s incident response plan to be sure that in the event
  of an attack, it’s clear who is responsible for what actions.
- Review your company’s cyber insurance policy and be sure that ransom is
  covered and that the level of coverage reflects the current reality.
- Be sure multi-factor authentication is enabled on all company accounts,
  including service accounts and social media accounts, and that strong
  spam filters are in place.
- Establish a communication channel on a secure texting app so that senior
  management can communicate in the event of a cyberattack that takes down
  company email systems.
- Train your employees to identify phishing emails and educate them on the
  modus operandi of threat actors seeking to dupe them into clicking on
  links.
- Identify high-risk employees, such as those with administrative rights to
  systems, who might help perpetrate an insider attack.
- Assess the need for a prophylactic threat hunt by a reputable forensic
  firm engaged by counsel for privilege. For example, many companies treated
  the migration to a work from home environment as a “data security event”
  that would warrant a threat hunt of the system.
- Assess the cybersecurity programs and protocols for your key vendors —
  particularly any entity that handles sensitive or critical company data.
- Test back-up systems regularly and make sure they’re segregated from
  other company systems.

These are unprecedented times in the world of cybersecurity. Most audit
committees and senior management who have to make decisions around a ransom
attack say they never imagined they would be in a discussion on whether and
how much ransom to pay to hackers who are holding the company hostage. With
good preparation and cybersecurity hygiene, and a plan in place, your
company will reduce risk and be better prepared to deal with the
unthinkable.