Cybercriminals have changed tactics, making ransomware attacks even more potent. Find out how to protect your organization.
Even though ransomware attacks have existed for many years and were among the first cyber threats encountered by any company, a concerning new trend has emerged over the last few months.
It is commonplace to see organizations hit by so-called “traditional” ransomware attacks. These comprise unauthorized access to an IT system in order to encrypt data, shortly followed by a ransom demand. The criminals behind such attacks are largely motivated by financial gain and expect that organizations will pay the ransoms demanded either because they cannot restore data from backups or it is cheaper and quicker to pay.
However, a new form of attack has emerged that involves two stages: cyber extortion and, in case of failure, disclosure and whistleblowing.
Increasingly, organizations that have had the foresight to plan for such an event refuse to pay the ransom demanded following a ransomware attack. Even so, they can then become engaged in a long and expensive process of remediation. Refusing to pay is only a realistic option for organizations that, prior to the attack, have undertaken extensive cyber risk assessments identifying the cyber risks they face and have mitigated them with risk reduction and risk transfer strategies (through the purchase of insurance).
Furthermore, for organizations that fall victim to this new strain of ransomware attack, the remediation process is likely to be more complicated and expensive. The chances of those organizations succeeding — and their final cost — will depend on the thoroughness of their preparation and the protections they have in place.
This article discusses the new ransomware tactics organizations now face and gives consideration to how a company can reduce its cyber risk by emphasizing the importance of having an incident response plan. It also shows how the coverages included in an insurance policy can be activated to recover the costs and losses associated with a ransomware attack.
A two-stage attack involving two different types of events
The new form of cyber attack that has emerged comprises a two-stage attack. Like in a traditional ransomware attack, cybercriminals access an IT system in order to introduce a cryptolocker that aims to encrypt the data it contains, and then they demand the ransom. The data are still on the IT system but the organization can no longer access them as they are encrypted.
What is now clear from this new tactic is that, prior to the encryption of the data, unlike in the past, the cybercriminals take a copy of the data for the purpose of threatening the organization with disclosure and whistleblowing unless the ransom is paid. The hackers not only threaten to disclose the data to the national authority in charge of data protection but also to the data subjects themselves.
Maze was the first group of hackers known for this kind of attack. Confident that they can act with impunity, Maze hackers have created their own website on which they disclose the list of organizations that they have targeted. They also use the website to highlight the ramifications for those organizations that don’t pay the ransom demanded.
In the case of those organizations that don’t pay, Maze can post the data they stole on the website too, in place of or alongside posting it on the dark web. The purpose of this website is to encourage organizations to pay without delay and to make it easier for them to do so. Other groups, such as Sodinokibi and DoppelPaymer, operate in a similar way, providing evidence that this two-stage attack is growing.
An organization hit by this form of cyber attack has a much harder choice to make than one faced with a traditional ransomware attack. Balancing the pros and cons of paying the ransom is not the only consideration — dealing with all the duties that arise from a data breach is another. As organizations need to deal with both, along with the fear of possible reputational and regulatory harm, this can add extra pressure upon them to simply pay the ransom. The cybercriminals prey on this additional pressure as they know it will encourage victims to pay and that they will succeed more often than by simply using a traditional ransomware attack.
In reality, this seems an impossible choice. First, because organizations cannot ensure that even if the ransom is paid, the criminals will not disclose the data anyway or return later with another ransom demand. Second, the data breach has already occurred, so even if the organization chooses not to pay the ransom it still has to fulfill all its duties to comply with data protection laws.
Therefore, the only real way to successfully avoid or remediate and reduce the costs of this kind of attack is to implement, prior to the event, a strong cybersecurity program that includes an incident response plan.
Reducing the risk of ransomware through a strong cybersecurity program
To limit the impacts of this new ransomware tactic (in fact, of any cyber attack), organizations should look to develop and adopt a “defense in depth” strategy that puts a repeatable structure in place for backups, updates/patching and network monitoring. Furthermore, the technical controls environment and people risk strategies must be fit for purpose and should be reflective of the cyber threat landscape facing the organization.
A key action to take to mitigate ransomware is to ensure that the company has up-to-date backups of important data and files. Investing in and protecting your backup strategy ensures the organization can rebuild from its latest backups and, provided backups are taken frequently, may mean the organization can simply roll back and avoid having to pay a ransom.
Organizations should ensure a backup is kept separate from their network (offline), or in a cloud service designed for this purpose. However, cloud syncing services (like Dropbox, OneDrive, and SharePoint or Google Drive) should not be used as the only backup. This is because they may automatically synchronize after the files have been “encrypted,” meaning that the company may also lose any backup copies.
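The difference between a syncing folder and a real backup, as an added example that is not from the article: a mirror-style sync overwrites the remote copy with whatever the local file becomes, so once a cryptolocker rewrites the file the "backup" is encrypted too, whereas an append-only, versioned store keeps the pre-incident copy. All names, data and the XOR stand-in for encryption are constructed for the simulation.

```python
"""Added example (not from the article): why a syncing folder is not a backup.

Simulates two backup strategies against a simulated ransomware encryption:
  - 'mirror': a Dropbox/OneDrive-style sync that overwrites the remote copy
    whenever the local file changes, so the encrypted file replaces the backup;
  - 'versioned': an append-only store that keeps every prior version, so the
    pre-encryption copy survives and can be restored.
All data is constructed in memory; no real files or services are touched.
"""
import hashlib
from dataclasses import dataclass, field


def fake_encrypt(data: bytes, key: bytes) -> bytes:
    """Stand-in for a cryptolocker: XOR with a fixed keystream. Only simulates
    'the content changed and is unreadable'; it is not real encryption."""
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))


@dataclass
class MirrorSync:
    """Sync service: the remote copy always equals the latest local state."""
    remote: dict = field(default_factory=dict)

    def sync(self, name: str, data: bytes) -> None:
        self.remote[name] = data              # overwrites: last writer wins

    def restore(self, name: str) -> bytes:
        return self.remote[name]


@dataclass
class VersionedBackup:
    """Append-only backup: every version is retained, nothing is overwritten."""
    versions: dict = field(default_factory=dict)

    def backup(self, name: str, data: bytes) -> None:
        self.versions.setdefault(name, []).append(data)

    def restore(self, name: str, version: int = -1) -> bytes:
        return self.versions[name][version]   # default: latest version


def simulate(original: bytes = b"Q3 payroll ledger (constructed sample)") -> dict:
    """Run both strategies through a pre-incident copy, then an encryption event."""
    mirror, vault = MirrorSync(), VersionedBackup()
    mirror.sync("ledger.xlsx", original)      # pre-incident copies
    vault.backup("ledger.xlsx", original)
    encrypted = fake_encrypt(original, b"attacker-key")
    mirror.sync("ledger.xlsx", encrypted)     # sync client uploads the damage
    vault.backup("ledger.xlsx", encrypted)    # nightly job captures it as well
    return {
        "mirror_recoverable": mirror.restore("ledger.xlsx") == original,
        "versioned_recoverable": vault.restore("ledger.xlsx", version=0) == original,
    }
```

The same retention logic is what an offline copy or an immutable cloud backup tier provides; the key property is that a later write cannot destroy an earlier version.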
Additionally, some ransomware attacks are deployed by attackers who have gained access to networks through remote access software such as the remote desktop protocol (RDP). By implementing multi-factor authentication (MFA) and ensuring users connect via a virtual private network (VPN), companies can prevent attackers from brute-forcing their way into their networks.
In terms of initial threat vectors, hackers will always look to exploit the path of least resistance, which typically is your workforce. Employees are only human: they can and will make mistakes, can become complacent and often look for shortcuts. Hackers know this and will look to exploit these human vulnerabilities via some form of social engineering attack (through which ransomware can be deployed). Therefore, it is time to prioritize a people-centric strategy that focuses on understanding the actions and attitudes of the organization’s workforce, to ensure employees do not become threat actors (largely unwilling and unintentional ones) who place the organization at heightened cyber risk.
Any strong cybersecurity program should include an incident response plan
By planning ahead, organizations can ensure a rapid response at the first sign of infection. By working to contain the spread early, and by having robust monitoring, response and recovery strategies already in place, organizations will have taken positive and practical steps to strengthen their business against such an incident. In turn, these should lessen the financial, operational or reputational impact on their business.
By accepting that it is likely that a cyber attack (including a two-stage ransomware attack such as the one discussed here) will hit your organization, plans and strategies can be discussed, developed and implemented in advance. Incident response and event management processes can be arranged and tested, ensuring organizations can continue to access their files, avoid any leakage of data and, ultimately, protect themselves financially and reputationally while limiting any business or operational impacts from an attack when it comes.
Does your cyberinsurance policy address this new trend?
For companies that have already decided to offset their remaining cyber risks with a dedicated cyberinsurance policy, this new form of ransomware will trigger a number of coverages. But prior to identifying all the coverages provided by a cyberinsurance policy that can be triggered, let’s first analyze the attack.
This new form of cyber attack is composed of five elements, each of which will trigger certain coverages:
- An IT system breach: unauthorized access to an automated data processing system
- An event that affects the confidentiality of the data: a data breach
- An event that affects the availability of the data: an introduction of an encryption tool
- A first cyber extortion: an initial extortion request to decrypt the data
- A second cyber extortion: a second request for extortion with threat of disclosure and whistleblowing
Coverages granted by a cyberinsurance policy that can be triggered
In order to remedy such an attack, the victim will probably spend a considerable sum of money. Obviously this depends on the amount of the ransom, the decision (whether to pay it or not), the size of the company, the geographical presence, and the amount and type of data that has been stolen.
When a company discovers that there has been unauthorized access to an automated data processing system and encryption of data, the following costs can be incurred and reimbursed by the cyber insurers:
- IT forensics costs
- Legal costs
- Data restoration and reconstruction costs
- Decontamination costs
After a data breach, the following costs are usually covered:
- Legal costs
- Notification costs
- ID and credit monitoring costs
- Hotline service costs
- Dark web surveillance costs
- Public relations costs
- Defense costs and financial consequences resulting from a claim made by a third party
- Defense costs and legally insurable financial penalties levied by the data protection authority, which can vary from one authority to another
- Additional operating costs
- Business interruption
With regard to the two extortion requests, the following coverages are triggered by a cyberinsurance policy:
- The ransom (whether paid in bitcoin or another cryptocurrency), funds, monetary instruments or the market value of assets
- Fees of a consultant whose task is to determine the origin of the cyber extortion and put a stop to it
- Fees for a qualified translator/interpreter
- Costs and interest for loans raised by the insured
- Travel and accommodation costs incurred by the insured during the negotiation process
In case the cyber extortion or attempted cyber extortion is made public by the perpetrators, cyber insurers may also cover the costs for:
- The definition and implementation of a communication strategy
- The coordination and response to be provided to the media
- The training of the insured’s directors who could be required to interact with the media
- The preparation of a reputation audit report following the cyber attack
Based on the analysis above, there is a good argument to say that being well prepared and insured is the best way to recover quickly from this new kind of ransomware. Companies should consider the importance of creating a full cybersecurity program before they are attacked. The program should include processes to ensure that all systems are updated/patched, data are regularly backed up, staff are properly trained and a full cyber incident response program is in place combined with cyberinsurance to protect against those risks that remain.