These are unprecedented times in the world of cybersecurity, with ransomware attacks up 150% in 2020 and growing even faster in 2021. Most audit committees and senior management who have to make decisions around a cyberattack say they never imagined they’d be in a discussion on whether and how much ransom to pay to hackers who are holding the company hostage. With good preparation and cybersecurity hygiene, and a plan in place, your company will reduce risk and be better prepared to deal with the unthinkable.
With the migration to remote work over the last year, cyberattacks have increased exponentially. We saw more attacks of every kind, but the headline for 2020 was ransom attacks, which were up 150% over the previous year. The amount paid by victims of these attacks increased more than 300% in 2020.
Already 2021 has seen a dramatic increase in this activity, with high-profile ransom attacks against critical infrastructure, private companies, and municipalities grabbing headlines on a daily basis. The amount of ransom demanded also has significantly increased this year, with some demands reaching tens of millions of dollars. And the attacks have become more sophisticated, with threat actors seizing sensitive company data and holding it hostage for payment.
Who’s behind the recent surge in attacks? And how should companies respond to this increased threat? In this article, I’ll outline how ransomware attacks have evolved and what actions companies can take now to protect themselves.
How Ransomware Attacks Have Changed
A few years ago, the majority of ransom attacks involved only the deployment of ransomware. Hackers would gain access through a phishing email that would deploy malware when an unwitting employee clicked on a link. The malware would then encrypt company servers, and the extortionist would offer decryption keys in exchange for a ransom — typically in the five or sometimes six figures.
Many times, the threat actors didn’t even gain access to company information — and sometimes they didn’t even know which company would be the ultimate target. They merely looked for systems to exploit and waited for the pay day. Once the ransom was paid — via Bitcoin or other cryptocurrency — the hackers would send the decryption keys so the company could regain access to its servers, and would even promise not to target the company again.
The game has changed more recently — and has become a massive business for those who perpetrate these acts. According to Hiscox, Ltd., 43% of the more than 6,000 companies it surveyed had suffered a cyberattack in 2020 — up from 38% in the 12 months before — and one in six of those attacks was a ransom attack. In 2020, the amount of ransom demanded grew to the mid to high seven-figure range. At the end of 2020 and into 2021, we have seen some ransom demands reaching into the tens of millions of dollars.
In addition to the higher demands, the methodology has changed. Attacks are focused on exfiltrating company information — and the more sensitive, the better. These threat actors, who are often highly organized criminal organizations in eastern Europe and elsewhere, have done their research. They understand the company’s financial picture, the industry in which it operates, and how to exploit the company to maximum effect. In addition to deploying malware to encrypt company systems — targeting even the backup systems that are in place — the threat actors conduct reconnaissance of company files, ultimately exfiltrating large amounts of data, a terabyte in many instances.
The threat actor then follows up with a “pay up or else” ultimatum, contacting the company with an extortion demand, to be paid in cryptocurrency, to obtain the decryption keys and to keep the company’s data private. The company is warned that should they choose not to pay, their sensitive information will be posted on the dark web on a “wall of shame” with others who were hacked and didn’t pay the ransom. Journalists who monitor the dark web can pick up this information and report more widely on the attack, sometimes causing damage to a company’s reputation or exposing valuable intellectual property or other confidential information, including customer and employee data.
The company is left between a rock and a hard place — either pay millions of dollars in ransom to criminals or have sensitive and valuable confidential information publicly exposed.
Notably, there does appear to be “honor among thieves” in the system. These extortionists depend upon companies believing that if they pay, all copies of the stolen files will be destroyed and/or the decryption keys provided. And the attackers do keep their word. In fact, some of these organizations are downright customer-service oriented, for example, accommodating the preferred cryptocurrency of the extortionee (with a small percentage upcharge to do so). We have even seen a threat actor “throw in” the decryption keys as a goodwill gesture, even though the company had already negotiated a lower ransom based upon the fact that it didn’t need the keys.
What Should a Company Do If Attacked?
In the event of a ransomware or other cyber extortion event, companies should follow their written incident response plan, in particular notifying senior management and the legal department. Looping in an attorney from the start will ensure that the investigation is protected by attorney-client privilege and the attorney work product doctrine, reducing the risk of exposure in any class-action lawsuits or other legal claims that may be brought in the wake of the data breach.
The company’s insurance carrier also must be notified at the outset so that it can determine whether there is coverage under the applicable cyber insurance policy. The offer to pay ransom must be pre-approved by the insurance carrier prior to any communication to the threat actor.
The decision whether to pay a ransom rests with senior management and often the board. Every ransomware or cyber extortion event must be assessed individually as to whether to pay or not. Keep an open mind: Often, companies lose precious time as decision makers unacquainted with ransom attacks vow on day one that the company will “never, ever” pay, then come around to the realities of the situation, the availability of insurance money, and the need to protect stakeholders before ultimately deciding to pay. In addition, keep calm and buy time. Threat actors try to create urgency and panic with their demands. Slowing things down is helpful in making the right decisions for your organization. Key questions to consider when deciding whether to pay ransom include:
- How sensitive is the information that has been accessed or exfiltrated?
- Does the company have back-ups of the information, or does it need the decryption keys?
- Do the costs of refusal, such as business disruption, the impact to systems or customers, negative publicity or reputational harm, exceed the ransom demand?
- Is the threat actor tied to a company that is on the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned-entity list? (If so, it may be illegal under U.S. law to pay the ransom.)
Depending on the severity of the incident and other factors, at a minimum most companies will file an online report with the FBI reporting the indicators of compromise (IOCs) involved in the attack, to assist law enforcement in tracking these threat groups and, hopefully, someday bringing them to justice. So far, indictments in this area have been nearly non-existent, and American companies have been left largely on their own to thwart these attacks, despite good intentions from law enforcement.
How Can Companies Reduce the Risk?
There are a number of steps that companies can take to reduce the risk of a ransom attack, as well as the risk of damage if an attack occurs. These include:
- Review your company’s incident response plan to be sure that in the event of an attack, it’s clear who is responsible for what actions.
- Review your company’s cyber insurance policy and be sure that ransom is covered and that the level of coverage reflects the current reality.
- Be sure multi-factor authentication is enabled on all company accounts, including service accounts and social media accounts, and that strong spam filters are in place.
- Establish a communication channel on a secure texting app so that senior management can communicate in the event of a cyberattack that takes down company email systems.
- Train your employees to identify phishing emails and educate them on the modus operandi of threat actors seeking to dupe them into clicking on links.
- Identify high-risk employees, such as those with administrative rights to systems, who might help perpetrate an insider attack.
- Assess the need for a prophylactic threat hunt by a reputable forensic firm engaged by counsel for privilege. For example, many companies treated the migration to a work from home environment as a “data security event” that would warrant a threat hunt of the system.
- Assess the cybersecurity programs and protocols for your key vendors — particularly any entity that handles sensitive or critical company data.
- Test back-up systems regularly and make sure they’re segregated from other company systems.
These are unprecedented times in the world of cybersecurity. Most audit committees and senior management who have to make decisions around a ransom attack say they never imagined they would be in a discussion on whether and how much ransom to pay to hackers who are holding the company hostage. With good preparation and cybersecurity hygiene, and a plan in place, your company will reduce risk and be better prepared to deal with the unthinkable.