It’s no secret that ransomware is an acute threat facing organizations across sectors. From storied corporate institutions to small businesses, no organization is immune. Up until recently, companies could adopt a linear approach to the “pay or no pay” question around ransomware threats. Primary considerations focused on the impact of the operational disruption, the viability of backups vs. the need for a decryption key, and the scope of cyber insurance coverage.
However, the significant shifts we are witnessing in today’s ransomware landscape and threat actor tactics are putting increased pressure on organizational leadership to re-evaluate not only their decision-making process around ransom payments, but also how they mitigate reputational risk surrounding these issues.
These significant shifts in ransomware include:
- Increase in data exfiltration. Data exfiltration now occurs in approximately half of ransomware attacks, which often triggers data breach notification requirements and brings the reputation management considerations that accompany public disclosure.
- Prevalence of leak sites. A growing number of threat actor groups – Conti, Egregor, Maze, etc. – have created public leak sites to pressure companies to pay or otherwise risk having their data posted in a public display of “naming and shaming,” which can be reputationally damaging.
- Regulatory and industry influence on payment decisions. In October 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) warned U.S. organizations, including insurance providers, of potential “sanction risks” for facilitating ransom payments to threat actors. In addition, New York State Department of Financial Services (NYDFS) issued guidance in February 2021 to the insurance industry recommending against ransomware payments because they “fuel the vicious cycle of ransomware.”
- Unreliability of threat actor promises. Several threat actor groups – including Sodinokibi – have been known to renege on their promises not to leak data, and/or to re-extort companies even after receiving an initial payment.
- New extortion tactics. In the last few months, we continue to see threat actors evolve their tactics, layering further pressure on top of encryption and data theft, including DDoS attacks and voice calls to the media and to victims’ business partners.
Best-practice incident response preparedness must extend beyond a single or simple tool or solution.
Organizations should adopt a comprehensive approach to building ransomware resilience by incorporating the following:
- Risk assessments and mitigations across multiple layers of security. Organizations should proactively assess their risks by performing enterprise-wide gap analyses not only of their data security practices, but also across the organization’s personnel and physical security infrastructure to best protect against both internal and external threats.
- Pre-established relationships and resources. The middle of a ransomware attack is a sub-optimal time to inquire about critical external partners and resources. In advance of an issue, it’s important that companies explore cyber insurance coverage, as well as establish relationships with external cyber law firms and strategic communications partners. By building familiarity with these teams, policies and processes on the front end, companies will spend less time working to establish this rhythm in the midst of a crisis.
- Employee education and internal awareness building. Organizations should invest in proactive education, awareness building and training for their employees around critical data security risks to both mitigate risk and better prepare their organizations for how to identify and escalate issues. It’s also important to remind employees about media and social media policies as a regular course of internal communications to limit the risk of public leaks during a ransomware event.
- Scenario-based incident response plans. Incident response preparedness that is highly focused on scenario-based communications plans is critical to mitigate reputational risks. Best-practice incident response communications plans for ransomware should contain strategic communications considerations, stakeholder engagement considerations and communications materials across key ransomware scenarios – including prolonged operational disruption and data leak/exfiltration. For publicly traded companies in particular, it is important to pre-identify criteria and guidance for potential financial disclosures.
- Training and tabletop exercises for leadership teams. The best-laid plans can often go to waste if they are left to collect dust. Tabletop exercises, trainings and crisis simulation exercises for incident response teams and C-suite decision makers are imperative for identifying gaps in preparedness and for building muscle memory for effectively responding to ransomware threats.
There is every indication that ransomware threats will continue to increase in velocity and impact, and stakeholders will expect that organizations have plans in place to address these issues. It is incumbent upon senior security leadership to invest the time now to thoughtfully prepare their organizations to address and mitigate the operational, legal, financial and reputational risks associated with this increasingly complex and, in many ways, inevitable threat.