Recent ransomware attacks on our shores and in the US have brought into sharp focus the negative impact and overall level of disruption that can be brought about by cybercriminal activity. These recent attacks have involved cybercriminals inserting a piece of ransomware known as ‘Conti’ linked to a cybercrime group known as Wizard Spider. This malicious software typically infiltrates the target network through phishing emails, a firewall vulnerability or by gaining remote access to a desktop. Once the ransomware is installed and activated, a digital ransom note appears on the system.
Despite the growing sophistication of the cybercriminals and the technology they employ, there are preventative measures organizations can take to blunt their effectiveness and reduce the success rate of attack attempts.
Employee awareness of the growing threat of ransomware is the first line of defence. This awareness should not be taken for granted. A global 2020 survey by Proofpoint found less than one-third of working adults could explain the term “ransomware.”
Employees should be given guidance on how to detect suspicious emails and what to do when they encounter them. Education should also explain how ransomware can be spread through infected websites and other vectors. Particular attention should be paid to remote workers who need to understand that lack of precaution can enable attackers to use tools like Remote Desktop Protocol to penetrate an organization’s network and perpetrate a ransomware attack.
Marshal your defences
Backing up data is a basic defence against ransomware and other cyberattacks. However, many organizations store backup data on the same network as the one where the data normally resides. This makes the backup data equally exposed to attack.
Backups should either be placed in a segregated network or offline. This allows the organization to access essential data if the main network is shut down. However, it should be noted that it can take days or even weeks to restore systems even where a secure backup exists.
Good cybersecurity hygiene also includes patch management, hardened configurations and ongoing detection enabled by threat intelligence. It’s also important to apply updates for browsers and other pieces of software as soon as they are released.
Encrypting sensitive information is another way to defend against cybercriminals who threaten to release information publicly if a ransom isn’t paid.
It is also good practice to engage neutral third parties to conduct regular audits of the organization’s preventative measures against ransomware and other cyber breaches.
Many organizations also take out cyber insurance, but it is no substitute for good security. Indeed, insurers can refuse to meet claims if organizations do not have appropriate security procedures in place or failed to use the defences they had.
Quick detection and containment are of prime importance. Organizations should have incident response and recovery plans that are regularly assessed and refreshed. These plans should define clearly the responsibilities of all stakeholders involved in the response.
Legal advice should be sought the moment an attack is discovered. Lawyers can advise on conducting the investigation in a manner that will stand up to scrutiny in the organization’s operating jurisdiction(s) and staying compliant with the relevant notification requirements of data protection and privacy regulations.
Mounting the response
Responding to a cyber breach usually includes four parallel activities: investigation, containment, eradication and recovery. These activities are generally the same regardless of the type of attack. However, there are unique considerations when dealing with ransomware.
Evidence collection for the investigation needs to focus on how the attackers entered the environment, how malware was utilised, the potential path the attackers used and what data was taken or encrypted, if any. Attention should also be paid to systems which appear not to have been affected. Frequently, other malware or dormant ransomware is found hidden in those systems.
Regulatory notification expectations
Some jurisdictions have statutory notification requirements for almost any cyber breach. Organizations should ensure they fully understand the requirements of all jurisdictions in which they operate.
Organizations also need to understand whether personally identifiable information has been affected. In the event of a potential breach, it’s critical to consult with legal advisers on whether it should be considered a loss of data subject to the notification requirements of the EU’s General Data Protection Regulation or equivalent regulations in other jurisdictions.
Unlike other cyber breaches, there can be an apparently simple way to stop the attack and decrypt files — pay the ransom demanded. EY does not recommend paying ransom demands for a variety of reasons. From a moral and ethical perspective, paying ransoms will only fund continued criminal activity. Payment could also expose companies to legal risk with no guarantee that the criminals will make good on their promise to supply a decryption key or other means of recovering data. In fact, a 2020 Proofpoint survey found that 29% of organizations never gained access to their data after paying ransom.
Law enforcement agencies throughout the world also advise against paying ransom. The No More Ransom website, which is supported by European police agencies, shares decryption keys and offers ways to report attacks to law enforcement agencies around the world.
Legal and compliance professionals can aid their organizations by understanding the potential regulatory and legal issues resulting from a ransomware attack. IT professionals aren’t the only ones who need to develop an effective response strategy for these often-crippling attacks — every stakeholder with a role to play in mitigating risk should do the same.