Is your organisation ready for the next ransomware attack?
Paul Wright, Associate Director, Forensics, KPMG Lower Gulf, on how to combat the menace of ransomware
Ransomware is one of the most prominent cyber threats in the Middle East region, and attacks are becoming increasingly sophisticated as cyber criminals refine their methods in pursuit of bigger rewards. In the first half of 2019, ransomware detections in the UAE rose 38% compared to the same period of 2018, according to research from Kaspersky.
Ransomware attackers typically demand that victims pay a ransom in order to recover their data. Affected companies must ask themselves whether to continue negotiating with the cybercriminals, which could result in a bigger ransom demand, or simply pay up and go back to business as usual.
They should also weigh the cost-benefit, bearing in mind the severity of the breach, the size of the ransom, and the projected cost of recovering data without the cybercriminals' assistance. In some cases, such as public utilities or healthcare providers, an interruption of services can have consequences far larger than the direct financial harm.
Even when paying the ransom is financially practical, it carries risks of its own. Every successful payment funds and encourages cybercriminals to mount larger or more determined attacks. There is always a risk that the cybercriminals simply take the ransom and fail to provide a working decryption key. There have been cases where, once paid, the cybercriminals simply demanded a second ransom. And once word gets out that there is big money to be made in ransomware, it is likely to inspire a new wave of cybercriminals to engage in this form of blackmail.
The average payment more than doubled in 2019, from just over $40,000 to nearly $85,000. In 2020, targeted intrusions into business networks will continue to rise and in due course give way to two-stage extortion. In the first stage, cybercriminals deliver a devastating ransomware attack and force victims to pay to get their data back. In the second stage, they target the recovering victims again with a further extortion demand, this time threatening to publish the sensitive data stolen during the initial intrusion.
Organizations can become victims of opportunistic cybercrime, where the ransomware is delivered through user-initiated actions such as clicking a malicious link in a spam e-mail or visiting a malicious or compromised website. Targeted cybercrime, on the other hand, occurs when the victim is chosen deliberately, or follows an opportunistic attack once the cybercriminals realize that the victim is worth more than they first thought. They then move through the network to identify the most critical data and escalate privileges, while also locating and destroying data backups, so that the victim cannot easily regain control of the network or restore their files.
Unless the organization is a target of choice, attackers may give up and move on very quickly if they are not achieving their objectives. In most instances they are more successful conducting a high volume of attacks against poorly protected organizations, each yielding a small win, than pursuing one big success that makes the news. This means that those at greatest risk are generally organizations that believe they will never be targeted and therefore ignore the threat.
In the event of a ransomware attack, the targeted organisation should seek to understand how the ransomware got in, what it is doing, the extent of the intrusion, how to prevent future infections, and the consequences of not paying the ransom.
Should the ransom not be paid, the end result may well be personally identifiable and other sensitive information being offered for sale, or posted for anyone to access free of charge.
This recently happened to Brooks International, a worldwide professional services company with clients across business sectors. They refused to pay the criminals operating the Sodinokibi (aka REvil) ransomware, and subsequently 12GB of their information was made available on a hacker forum for a purchase price of just over two dollars.
Stolen data is sold on hacker forums so that it can be used in further cybercrime. The operators of Nefilim ransomware have launched a site called "Corporate Leaks" to dump data from victims who do not pay, and the CLOP ransomware group has released a leak site called "CL0P^_- LEAKS" on which it publishes data stolen from non-paying victims.
Cybercriminals are taking extortion to the next level, and unless proven otherwise, victims need to assume that the attackers have accessed everything within the organization and that it is at risk of being sold or disseminated for free. Accordingly, the publication on a leak site of data obtained during a ransomware attack has to be treated as a data breach in its own right.
To prepare for such attacks, organizations should submit their policies, procedures and processes to regular review and testing. These should form part of strategic planning, alongside keeping technology up to date, taking out cyber insurance to protect the business from such events, and training employees to recognise the risks.
C-level management are well placed to help quantify the financial and reputational impact of cybercrime and to ensure that countermeasures are proportionate. To do so they need comprehensive strategies that not only keep the organization in good standing with stakeholders, the board, regulators and interested third parties, but also set out what to do in the event of an incident.
In general, organizations lack a team of internal first responders, the cyber equivalent of first aiders, who can ensure that the initial response to an incident does not destroy intelligence or evidence. Where required and proportionate to the circumstances, specialist investigators can then be brought in to contain, remediate and eradicate the problem, with the goal of minimizing losses, reputational damage and downtime. Working proactively, such a specialist team consults with the right points of contact within the organisation to provide guidance and insight and to create plans for preventing and responding to future incidents.
The extent and scale of cybercrime today indicate that criminals are profiting and constantly evolving their modus operandi. This is particularly pertinent now that Interpol is warning of fraudsters exploiting the anxiety and uncertainty around the COVID-19 outbreak to commit cybercrime. An Interpol alert on 4 April warned of cybercriminals using ransomware to hold hospitals and medical services digitally hostage, denying them access to vital files and systems until a ransom is paid.
Instead of playing catch-up, organisations need to understand how to close the gap. To do that, C-level management must assess the security of their businesses and judge whether their capabilities are fit for purpose. Here, the risk of inaction is greater than the risk of acting.