Cyber Risk Consulting Leader, Marsh Asia
Part 1 of Ransomware Focus Series
What is Ransomware?
More and more companies are hit by cyber-attacks. Is it real or just fake news? Let us delve into the facts of ransomware and its modus operandi.
Do not be lulled into a false sense of safety; an analysis of data leaks and information on the Dark Web, including notification of breaches on password management tools, reveals that organizations are definitely falling victim to these attacks but trying to hide them from the public. Furthermore, it is common for affected companies to pay millions of dollars to cybercriminals to regain data access. To be clear: the fact that other companies choose to pay the ransom is no indication that it is a recommended course of action.
A ransomware or a ransom-malware is a type of malicious software commonly known as malware. The most common one encrypts systems or files and requests ransom payments to recover access. Recently, cybercriminals are also multiplying the pressure by threatening to leak confidential data. They can do that through their initial attack vector.
Therefore, a ransomware attack nowadays might not only be simply a business interruption cybersecurity incident but also be associated with a data breach or theft.
Traditionally, a ransomware attack begins with spam or phishing emails sent to a target organization’s employees, or a popular vulnerability through an open Remote Desktop Protocol (RDP) port . In the case of the phishing emails, they contain a file embedded with malware. When an employee opens the file, the malware gets installed and downloaded. It then scans the system, deliberately bypassing certain folders and files to prevent the system from booting up while encrypting other files and creating files with strange extensions.
Ransomware has been around since the 2000s, originally targeting individuals. Varieties have since evolved for spreading, evading detection, encrypting files, and pressuring users into paying ransoms.
You could also become a double victim. Some "file recovery" companies actually negotiate a lower ransom with criminals, pay that lower ransom, and charge the affected organization the ransom and a margin that can be significantly higher than the ransom value.
Expectedly, nothing is guaranteed when it comes to cybercriminals: some of them have destroyed the data while asking for a ransom!
Why Does it Succeed?
A common misconception about ransomware is that it only happens to others. Current advanced evasion techniques allow cybercriminals to build customized attacks circumventing security controls.
Cybercriminals are not only using various techniques to avoid detection, they are also targeting specific individuals to increase their chances of infection.
Thus, anti-viruses, firewalls, or other security tools might not be enough to detect and block ransomware attacks. Evasion is not a new phenomenon. There is literature starting in the 1990s about simple evasion techniques and attackers using them to bypass network security devices. Cybercriminals can also penetrate devices, resources or networks weeks or months before the main attack.
Simply put, cybercriminals have a plethora of methods to ensure their attacks’ success.
Hit by Ransomware: What's Next?
For affected organizations, it is not uncommon to be caught off guard and experience a “paralysis” that lessens the effectiveness of their response. The proliferation in attacks — involving higher ransom payments and increased downtime — has significant financial and operational impacts.
In a case of ransomware attack, an organization might have three basic approaches to recovery:
In all cases, the approaches are labour- and time-intensive, and do not guarantee data recovery.
Ransom: So, Do You Pay?
Despite the harrowing cases mentioned, it is important to clarify that, sometimes, files are recoverable and some companies offer honest file recovery services. Those, however, are rare and do not guarantee recovery.
In general, paying ransom is not recommended as it is considered financing criminals. However, as per the latest findings, the majority of companies falling victims to ransomware attacks do pay the ransom. In many cases, paying the ransom will be cheaper than recovering resources otherwise.
Ransom payment is under regulatory scrutiny in many jurisdictions. Thus, it is critical to obtain a documented position or perspective from external cyber counsel on the potential legal implications of paying a ransom demand to a cyber threat actor. For example, the following two legal frameworks related to international funds transfer may be relevant:
How Do You Recover Access to Resilience?
When dealing with cyber criminals, an organization is never sure of the outcome. However, if a particular criminal group became known for deleting the data, they would not have more “customers”.
Ransom might be quite expensive reaching $40 million or more. This definitely requires full attention, and a clear decision from the company’s decision makers.
The greatest danger of cyber attacks is damage to brand reputation and customer trust, hence the need to prioritize defenses and rethink strategies to manage the fall-out of successful attacks. Look out for our next article detailing different attack scenarios and the effective measures against this ever-evolving threat to you and your organization’s data.
Cyber Risk Consulting Leader, Marsh Asia