How to respond if your firm is victim to a ransomware attack
Of cyberattack cases reported to Kroll in 2020, over a third involved ransomware
The UK faced the second highest number of ransomware attack attempts anywhere in the world in the last year, according to Serbus. Despite high-profile global cases like Kaseya, Colonial Pipeline and the attack on the Irish healthcare system receiving large amounts of press coverage, many targets for ransomware are in fact small to medium-sized companies. According to Hiscox, 65,000 attempts to break cyber defence barriers are made daily on small businesses in the UK, with a successful hack every 19 seconds.
Of cyberattack cases reported to Kroll in 2020, over a third involved ransomware, making it the biggest cyber-threat for businesses in the UK. Some of the highest profile threats are coming from the likes of Conti, REvil, Ryuk, LockBit and GoldenEye, but there are a large number of criminal cyber gangs currently operating.
These gangs are increasingly using innovative methods to force organisations to pay a ransom: double extortion - leaking data into the public domain; triple extortion - calling a victim's clients or suppliers to say their data has been compromised; and even Distributed Denial of Service (DDoS) attacks to highlight the grave situation the victim is in.
Should a firm fall victim to this growing wave of criminal action, the impact can be devastating. It is therefore vital to have a cast iron contingency plan in place.
Pre-planning
In cases of any cyberattack, the old adage rings true: failing to prepare is preparing to fail. All organisations need a Cyber Incident Response plan which details how the organisation will respond and where responsibilities lie for individual aspects of the response including forensics, restoration of services, communications and customer engagement.
The first means of defence is to create a secure backup for your data. A cloud-based backup can store your firm's data on a private network, should your network become compromised, although even that may not be enough.
Should the worst happen, organisations should be aware of what their ‘crown jewels’ data is and, crucially, where it is. If information is critical to the business, or so sensitive that its disclosure could have dire consequences, then strong consideration should be given to retaining isolated copies of that data in air-gapped, well-protected systems or in off-site, segregated and isolated backups, both of which can be used to form a wider, stronger backup strategy. If the adversary cannot discover it, they cannot encrypt it.
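An isolated copy is only worth having if a restore team can prove it is intact before relying on it. The following Python example (added here as an illustration, not Kroll's tooling or anything from the original article) records a SHA-256 manifest of a backup set at the time the copy is taken and later verifies the copy against it, reporting files that were altered, removed or newly added. The files, paths and the simulated tampering are all constructed in a temporary directory.

```python
"""Build and verify a hash manifest for an isolated backup copy.

Added illustration, not Kroll's tooling: the files, paths and the
tampering scenario below are constructed in a temporary directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 in chunks so large backups fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (POSIX-style relative path) to its digest and size."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = {"sha256": sha256_file(path), "size": path.stat().st_size}
    return manifest


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare the copy at root against a manifest taken when the copy was made.

    Modified files are the signature of a copy that has been encrypted or
    corrupted in place, missing files mean the copy is incomplete, and
    unexpected files (a dropped note, for instance) are a warning sign too.
    """
    current = build_manifest(root)
    modified = [f for f in manifest if f in current and current[f]["sha256"] != manifest[f]["sha256"]]
    missing = [f for f in manifest if f not in current]
    unexpected = [f for f in current if f not in manifest]
    return {
        "ok": not (modified or missing or unexpected),
        "modified": modified,
        "missing": missing,
        "unexpected": unexpected,
    }


def demo() -> tuple:
    """Constructed scenario: take a manifest, verify, then simulate tampering and re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ledger").mkdir()
        (root / "ledger" / "q1.csv").write_text("id,amount\n1,100\n")
        (root / "contracts.docx").write_bytes(b"PK\x03\x04 constructed placeholder content")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)
        # Simulate what an intruder with write access to the copy would leave behind.
        (root / "contracts.docx").write_bytes(b"\x00\xff constructed garbage")  # overwritten in place
        (root / "ledger" / "q1.csv").unlink()                                  # deleted
        (root / "README_RESTORE.txt").write_text("constructed note text")       # unexpected file
        tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print(json.dumps({"before": before, "after": after}, indent=2))
```

The manifest itself should live somewhere the backup media cannot reach, ideally signed and held with the restore runbook, so that a compromise of the copy cannot also rewrite the record used to check it.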
This is a reliable measure, but by no means completely foolproof, as the 2nd of July attack on Kaseya this year proved. Over 1,500 businesses had their sensitive data ransomed to a total sum of $70 million, when hackers broke the defences of the US-based server provider. Ensuring proper vendor risk management processes are in place is key, particularly if your organisation has complex supplier/third-party relationships. Adversaries have shown time and again that targeting the smaller supplier can lead to them landing the ‘big fish’.
Another necessary and effective precaution is training your employees to spot cyber risks, as their lack of knowledge or awareness is often the root cause of exposure to ransomware attacks. Kroll identified the leading cause of reported ransomware attacks in 2020 as phishing emails, with the second being other forms of human error. Adversaries still use tried and tested methods, yet organisations are often ill-prepared to highlight, alert or otherwise act on these threats.
In addition, employees will often place data in easy-to-reach locations as they seek to be more efficient and streamline processes. Over time, this can lead to non-sanctioned repositories of sensitive data on devices and in email inboxes. We have seen an increasing trend in exfiltration ransomware, where data is also stolen (exfiltrated) and then either the working data is encrypted for ransom, or the victim is threatened with publication of the stolen data unless the ransom is paid.
It is therefore prudent for organisations to lock down the ability to move restricted data outside of official repositories. Furthermore, placing stronger controls on the storage space available on portable devices, device management policies, Data Loss Prevention (DLP) and end-point security can also limit the risk of unauthorised disclosure by both staff and external parties.
Kroll has also witnessed a common theme across its ransomware cases with the presence of exposed and vulnerable assets on the internet. Ensuring that your organisation has a full audit of all systems, especially those that are internet-facing, is critical. You should also track the patch and update status of any such systems. If a vulnerable system is exposed to the internet for even a short space of time, there is a strong likelihood an adversary will find it and exploit it.
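The audit described above is easier to act on when the inventory can be triaged automatically. The Python example below is added here as an illustration (not Kroll's tooling or anything from the original article): it takes constructed inventory records, ignores anything that is not internet-facing, and scores exposed hosts by how long they have gone unpatched, which high-risk services they expose, and how many scan findings remain open, so that the most exposed system is dealt with first. The service list, patch-age limit and scoring weights are illustrative assumptions.

```python
"""Triage an asset inventory for exposed, unpatched systems.

Added example, not Kroll's tooling: the inventory records, the high-risk
service list and the scoring weights below are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Asset:
    hostname: str
    internet_facing: bool
    last_patched: date
    open_services: list = field(default_factory=list)  # e.g. ["rdp", "https"]
    open_findings: int = 0  # unremediated vulnerability-scan findings


# Services that should rarely, if ever, be reachable from the internet (assumed list).
HIGH_RISK_SERVICES = {"rdp", "smb", "vnc", "telnet"}
MAX_PATCH_AGE_DAYS = 30  # assumed policy: exposed systems patched at least monthly


def risk_score(asset: Asset, today: date) -> int:
    """Score an asset; internal-only systems score 0 here because the audit is about exposure."""
    if not asset.internet_facing:
        return 0
    score = 0
    age = (today - asset.last_patched).days
    if age > MAX_PATCH_AGE_DAYS:
        score += 2 + age // 30  # escalates the longer the system goes unpatched
    score += 3 * len(HIGH_RISK_SERVICES & set(asset.open_services))
    score += asset.open_findings
    return score


def reasons(asset: Asset, today: date) -> list:
    """Human-readable explanation of why an asset was flagged."""
    out = []
    age = (today - asset.last_patched).days
    if age > MAX_PATCH_AGE_DAYS:
        out.append(f"unpatched for {age} days")
    for service in sorted(HIGH_RISK_SERVICES & set(asset.open_services)):
        out.append(f"exposes {service} to the internet")
    if asset.open_findings:
        out.append(f"{asset.open_findings} open scan finding(s)")
    return out


def triage(assets: list, today: date) -> list:
    """Return [(hostname, score, reasons)] for exposed assets needing action, highest score first."""
    flagged = []
    for asset in assets:
        score = risk_score(asset, today)
        if score > 0:
            flagged.append((asset.hostname, score, reasons(asset, today)))
    return sorted(flagged, key=lambda item: item[1], reverse=True)


# Constructed inventory for the example.
SAMPLE_ASSETS = [
    Asset("vpn-gw-01", True, date(2021, 7, 25), ["https"], 0),
    Asset("legacy-rdp-02", True, date(2021, 3, 1), ["rdp"], 2),
    Asset("web-03", True, date(2021, 6, 15), ["https"], 1),
    Asset("fileserver-int", False, date(2021, 1, 1), ["smb"], 5),
]

if __name__ == "__main__":
    for hostname, score, why in triage(SAMPLE_ASSETS, date(2021, 8, 1)):
        print(f"{hostname}: score {score}; " + "; ".join(why))
```

Note that `fileserver-int` is badly patched but not flagged, because this audit is scoped to internet-facing systems; a separate internal-patching review would pick it up.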
Point of discovery
Once you realise a device at your firm has been compromised by malware, you should engage your internal information security teams to act as quickly as possible in accordance with your incident response plan.
Ransomware will often duplicate and spread from one device to others in the network, so quarantining devices can lessen the severity of an attack. Furthermore, implementing automated playbooks can deliver faster responses, minimising the severity and impact of the attack. A cohesive, rehearsed response can reduce the time and cost of a potential incident significantly, and Kroll recommends that incident response plans are practised at least once a year.
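One building block of such a playbook is the logic that decides which hosts to quarantine. The Python example below is added here as an illustration (not Kroll's playbook or anything from the original article): it runs over constructed endpoint file-event lines, looks per host for a burst of renames that change a file's extension within a short window, or for the creation of a file whose name looks like a recovery instruction note, and emits an isolate-or-monitor decision for each host. The thresholds, window and name pattern are illustrative assumptions.

```python
"""Detect ransomware-like file activity in endpoint file events and decide
which hosts to quarantine.

Added example, not Kroll's playbook: the log lines, thresholds and the
note-name pattern below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed endpoint telemetry: ISO timestamp, host, operation, path ("old -> new" for renames).
SAMPLE_EVENTS = r"""
2021-08-02T09:14:01 WS-104 WRITE C:\Users\amy\Documents\budget.xlsx
2021-08-02T09:14:03 WS-104 RENAME C:\Users\amy\Documents\budget.xlsx -> C:\Users\amy\Documents\budget.xlsx.locked
2021-08-02T09:14:04 WS-104 RENAME C:\Users\amy\Documents\plan.docx -> C:\Users\amy\Documents\plan.docx.locked
2021-08-02T09:14:05 WS-104 RENAME C:\Users\amy\Pictures\team.jpg -> C:\Users\amy\Pictures\team.jpg.locked
2021-08-02T09:14:06 WS-104 RENAME C:\Users\amy\Desktop\notes.txt -> C:\Users\amy\Desktop\notes.txt.locked
2021-08-02T09:14:08 WS-104 RENAME C:\Users\amy\Desktop\invoice.pdf -> C:\Users\amy\Desktop\invoice.pdf.locked
2021-08-02T09:14:09 WS-104 RENAME C:\Users\amy\Music\demo.mp3 -> C:\Users\amy\Music\demo.mp3.locked
2021-08-02T10:02:17 WS-221 RENAME C:\Users\bob\report.doc -> C:\Users\bob\report.docx
2021-08-02T10:05:40 WS-221 CREATE C:\Users\bob\README.txt
2021-08-02T11:30:12 SRV-FS01 CREATE E:\Shares\Finance\HOW_TO_RECOVER_FILES.txt
2021-08-02T11:30:12 SRV-FS01 WRITE E:\Shares\Finance\HOW_TO_RECOVER_FILES.txt
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (WRITE|CREATE|RENAME|DELETE) (.+)$")
# Assumed heuristic: a text/html file whose name promises recovery or decryption.
NOTE_RE = re.compile(r"(decrypt|restore|recover).*\.(txt|html|hta)$", re.IGNORECASE)
WINDOW = timedelta(seconds=60)   # assumed burst window
RENAME_THRESHOLD = 5             # assumed: this many extension changes in one window


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def extension(path: str) -> str:
    name = basename(path)
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def parse_events(text: str) -> list:
    """Turn log lines into (timestamp, host, op, old_path, new_path) tuples."""
    events = []
    for line in text.strip().splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue  # skip malformed telemetry rather than crash the playbook
        stamp, host, op, rest = match.groups()
        if op == "RENAME":
            old, new = (p.strip() for p in rest.split(" -> ", 1))
        else:
            old, new = None, rest.strip()
        events.append((datetime.fromisoformat(stamp), host, op, old, new))
    return events


def burst_renames(timestamps: list) -> int:
    """Largest number of extension-changing renames falling inside any single WINDOW."""
    stamps = sorted(timestamps)
    best = start = 0
    for end in range(len(stamps)):
        while stamps[end] - stamps[start] > WINDOW:
            start += 1
        best = max(best, end - start + 1)
    return best


def assess(events: list) -> dict:
    """Per-host decision: {"action": "isolate" | "monitor", "reasons": [...]}."""
    renames = defaultdict(list)
    notes = defaultdict(list)
    for stamp, host, op, old, new in events:
        if op == "RENAME" and extension(old) != extension(new):
            renames[host].append(stamp)
        elif op == "CREATE" and NOTE_RE.search(basename(new)):
            notes[host].append(new)
    decisions = {}
    for host in set(renames) | set(notes):
        reasons = []
        burst = burst_renames(renames[host])
        if burst >= RENAME_THRESHOLD:
            reasons.append(f"{burst} extension-changing renames within {WINDOW.seconds}s")
        if notes[host]:
            reasons.append("recovery-note-like file created: " + notes[host][0])
        decisions[host] = {"action": "isolate" if reasons else "monitor", "reasons": reasons}
    return decisions


def hosts_to_isolate(decisions: dict) -> list:
    """The quarantine list a playbook would hand to the EDR or network controls."""
    return sorted(host for host, d in decisions.items() if d["action"] == "isolate")


if __name__ == "__main__":
    verdicts = assess(parse_events(SAMPLE_EVENTS))
    for host, verdict in sorted(verdicts.items()):
        print(host, verdict["action"], "; ".join(verdict["reasons"]))
    print("isolate:", hosts_to_isolate(verdicts))
```

The legitimate `.doc` to `.docx` rename on WS-221 shows why the burst threshold matters: a single extension change is normal user activity, a run of them in seconds is not. In a real deployment the isolation call would go to the endpoint or network tooling, and the decision and its reasons would be logged for the responders who review it.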
Next comes identification of the ransomware, which may require external incident response experts to bolster internal resources. In order to formulate an appropriate defence for your firm, strong priority should be given to identifying the type of ransomware attack which has occurred, which can be differentiated into two main categories: crypto and locker ransomware.
In the first case, hackers will encrypt your firm's sensitive files whilst removing access until a decryption key is provided following ransom payment. With locker ransomware, rather than having their files encrypted, businesses are often locked out of their system or find certain functions inoperable.
With the rise in use of polymorphic ransomware, quick and clear identification can be a challenge. However, once the threat is identified, a well-trained cybersecurity team can build up a comprehensive picture of the incident. Other pieces of malware introduced into the system can be identified, as well as attack vectors and where actors may have possibly moved to, such as email accounts or collaborative platforms.
Worst case scenario
Officially, crime agencies in the UK and US do not endorse the payment of ransoms; however, it is not currently illegal to do so. Overall, regulators are taking a much tougher line around the payment of ransoms where the payment can ultimately be traced to a terrorist organisation or to organisations or individuals who are subject to international sanctions. Payment in these cases is illegal and could leave victim organisations facing further penalties at the hands of regulators.
Where it is deemed permissible, paying the ransom should be an absolute last resort, taken only when it is the sole way to secure the data and continue operations as a firm. Even then, however, evidence suggests there is no guarantee, with Sophos' State of Ransomware Report 2021 citing that the average amount of data reclaimed following payment was just 65 per cent, with only 8 per cent of firms receiving the entirety of their data.
Historically, specialist negotiators have gone hand-in-hand with well-orchestrated, successful ransomware responses. These parties have in-depth knowledge of the various threat groups and their usual negotiation tactics. However, there is a recent trend of certain threat groups stating they will no longer deal with specialist negotiation firms and would move to sell or publish data rather than negotiate. Regardless of the stances of the varying threat groups, this should not put companies off from engaging the people, knowledge and tools needed to help your organisation in such circumstances.
When faced with the decision to capitulate to hackers' demands, a firm's options are limited, but a thorough investigation into the extent of a ransomware breach will allow management the best chance of choosing the right solution. Prior planning and active measures taken at the point of discovery will place a firm in the best position for this stage of the attack.
If an attack does occur, an effective breach notification strategy is essential, both from a compliance perspective and to manage any reputational damage which may arise from an incident. This should form part of an organisation's incident response plan and needs to cover how communications will be sent out to affected parties; whether this will be done in-house or through an external breach notification specialist; and how liaison will be managed with other stakeholders such as a legal counsel or a PR agency or communications team.
2021 has seen a significant increase in the ransomware threat, and all organisations need to take steps to plan for and mitigate this risk accordingly.
Andrew Beckett is managing director and EMEA leader, cyber risk at Kroll