During the past 12 months, there has been a significant evolution in ransomware attacks on businesses. Historically, the threat actor (TA) would encrypt some or all the data on a business network, then sit back and wait for the targeted company to make the ransom payment before unlocking the encrypted data. As businesses continued to move toward more robust and redundant backup solutions, the frequency of the payments diminished because businesses were able to recover their data from backups. The TAs started to see this trend and changed their modus operandi.


However, in many of these cases, cyber insurance can still play a critical role in protecting a business during the interruption of a ransomware attack, as well as help cover potential ransom payments and/or associated legal fees.


The Current Methodology of Ransomware Attacks

Threat actors are now shifting to the method of exfiltrating (stealing) the business’s data prior to the ransomware attack in order to ensure that they are paid the demanded ransom. The business may have a viable backup, but its intellectual property, confidential business data, client information and PII (personally identifiable information) or ePHI (electronic protected health information) has been stolen. In order to have some assurance from the hackers that they won’t publish the stolen data on their shaming or auction sites, the business often opts to pay the TA for the removal of its information from the hacker’s servers. This new methodology presents an entirely new set of risks and costs associated with a ransomware attack.


Another shift we have experienced firsthand is the contacting of the victims’ employees. In two recent attacks, the hackers contacted executives and employees by email and phone demanding payment. These emails and voice calls threatened the victims with the release of the data, identity theft and contacting news channels.


How should a business proceed if faced with this predicament? What are the potential impacts of paying or not paying the ransom?


An Analysis of Ransomware Risks

Let’s analyze each aspect of the attack and understand the risks associated with them. The first is the encryption of the data by the TA. When a ransomware attack is executed, and the primary impact to the business is the encryption of the data, there are a few things that must be considered.


First, what is the status of the backups – are they viable? How long will it take to restore the data from the backup? The next thing to understand is: what is the depth and scope of the attack? Are all or most of the workstations and servers impacted? If so, how long will it take to rebuild the machines? If the backups have been destroyed, are unrecoverable or are incomplete, the only option may be to pay the ransom. If this is the case, insurance may play a vital role in helping the business recover from the interruption of the attack, i.e., the lack of business continuity, as well as the ransom payment and legal fees. In many cases, the entire network may need to be rebuilt because the attack damaged computers and the TA deployed additional hacking tools on the network. Also, due to the nature of the attack and the financial impact of business interruption, a decision may be made to pay the ransom as a way to help the business recover in a shorter period of time than by trying to recover from backups.


Ransomware Case Study

Let’s look at a case where the TA not only encrypted the network environment but also exfiltrated the victim’s data. In this scenario, let’s assume that three weeks before the IT staff detected the attack, the TA gained access through a vulnerability in the network, moved laterally throughout the environment and exfiltrated most of the business’s confidential and proprietary data. After the successful exfiltration, the TA initiated the ransomware attack that encrypted all servers and workstations.

The business is now going to have to deal with the “what if” scenario regarding the posting or sale of their data on the TA’s shaming and auction site. As part of the initial investigation, typically performed by a Digital Forensics and Incident Response (DFIR) firm, a decision will be made as to the likelihood of exfiltration. If it appears that the data has been stolen, the business, legal counsel and DFIR will work through the proper course of action to best protect the business and clients.


This course of action may include the payment to the TA even if the business has a viable/complete backup. Some businesses may not have enough insurance to cover the expenses associated with a ransom and extortion event and will have to accept that the TA will publish all of their exfiltrated data to their shaming and auction site. Keep in mind that for many businesses, there will be additional legal and compliance issues that they will have to deal with as a result of the release of this data.


How to Protect Your Business

What must businesses do to properly protect themselves? The answer is multifaceted and not simple, especially for businesses that deal with confidential and regulated information. Can your business afford to be down for two or more weeks as the result of a ransomware attack? In most cases, regardless of the size of the business or the types of backup solutions in place, the business must make plans for being down for two weeks. Let’s look at some of the root-cause issues and make recommendations to help minimize the chances of an attack.


First, most small- and medium-sized businesses do not have any type of Incident Response plan in place to deal with a cyber event or even a disaster. When an event occurs at a business, there is often panic and chaos as a result of poor planning. A disaster and incident response plan will help guide the business through such an event by providing a detailed methodology for dealing with the situation, speeding up the recovery process.


IR plans should include:

  • Legal and insurance contacts;
  • Inventory;
  • Contacts for business stakeholders;
  • Software license information;
  • Vendor contracts;
  • Backup strategies;
  • IT contacts;
  • Emergency contacts for building maintenance; and
  • An Incident Response firm.


The Importance of a Security Risk Assessment

The second root cause for many ransomware attacks is the lack of risk analysis for the business. Most businesses have not conducted a thorough security risk assessment executed by a cybersecurity company. They have no idea of the size or scope of their attack surface, and the business often “feels good” about what their IT company has put in place. Without understanding where the business has risk, it cannot address that risk. A security risk assessment helps the business identify risk and put processes and technology in place to mitigate and reduce it.


A business should also be investing in security technology and training for its employees. Businesses are typically hit in one of two ways – their people or their technology. Having a formalized cybersecurity awareness training program helps mitigate social engineering scams.


Other steps such as threat hunting, external and internal vulnerability management, penetration testing, EDR/XDR software, multi-factor authentication, comprehensive and off-site backup and third-party risk assessments will significantly reduce the attack surface and bring to light risks the business was not even aware of.

Implementing effective risk management strategies and combining them with cyber coverage is the best approach to mitigating the impact of an attack against a business.