Ransomware attacks hit without warning, inflicting serious damage with effects that can linger for years. With strong crisis management capabilities, however, companies can mitigate the damage – and even grow trust with customers, deepening the connection to their values and purpose.
PwC UK Cybersecurity Partner Richard Horne joins Global Crisis Leader Kristin Rivera for a discussion about the alarming increase in ransomware.
Release date: January 2022
Kristin Rivera: Welcome to our podcast series, Emerge stronger through disruption. I'm Kristin Rivera and I lead Global Forensics at PwC as well as our Global Crisis Centre. I'm coming to you today from our gorgeous new offices in San Francisco, California.
In each episode of the series, we talk with our global colleagues about the challenges facing business leaders through disruption.
In our last two podcast episodes, we've explored the rise of disinformation and how it has become a professional criminal enterprise with devastating implications for its corporate victims. In this episode, we're exploring another facet of the increasing threats we're facing, ransomware, with my guest, PwC partner Richard Horne.
Welcome, Richard. Please share a little bit about yourself with us.
Richard Horne: Thanks for having me, Kristin. I'm a partner in the PwC UK cybersecurity practice. And I spend most of my time helping executive committees and boards either understand what they need to do about cybersecurity or respond to big cyber-breaches when they happen.
And over the last couple of years, that's meant a lot of working with organisations picking their way through responding to a ransomware attack.
Kristin: Delighted to have you today.
So, we all have an idea about what ransomware is, but it seems like I'm hearing about it more often. Based on my experiences with my clients, it seems like a few years back there tended to be relatively small, almost amateurish exercises.
And we were never quite sure if this was an idle threat or a real threat. But to me as an observer, ransomware seems much more prevalent today. The schemes are now bigger and it's also making the news more often.
In October, President Biden held a two-day meeting on ransomware, attended by representatives from more than 30 countries. And he addressed it as a global security threat for the first time.
So, Richard, when we say ransomware, what do we mean?
Richard: Yeah, so, that's a great point, Kristin, and we call it human-operated ransomware today, where you have attackers actively getting into an organisation. And once they're in that organisation, they have two real objectives.
One is to copy out as much data as they can from that organisation. And then two is to deploy a program, an executable, on every machine they can in the organisation, which they then trigger to run all at the same time. And when they detonate it, that program, it just encrypts all the data it can get hold of.
And usually they also include what's called Active Directory, which controls what can log on where in the organisation. And so the impact for the organisation is when it's detonated, suddenly nothing works.
So those two objectives of them taking data, copying out data, and then encrypting data is what they're all about.
And then what they do is they leave a “read me” note on every machine they've encrypted. And in that “read me” note, it says, “You've been attacked by the XYZ ransomware group. Please contact us via this web page in the chat channel, using this code. And we can talk terms about how we can help you recover your business.”
And then when organisations contact them, they essentially demand a ransom for two things. If you pay a ransom, then you get their assurance that they won't publish any data they've taken — obviously they’ve tried to take as much sensitive data as they could. And two, they will provide a decryption tool, which will allow you to decrypt the data they've encrypted all over the organisation.
And of course they're getting better and better at either disabling or decrypting or deleting backups. Their objective is to give them as little choice as possible to be able to recover other than pay the ransom. And as you say, it's on the rise. Like disinformation, it’s become a professional criminal enterprise.
You have different criminal groups, some who are great at getting the initial access, they then sell access to others who are great at getting the data out and deploying the executables. You have professional negotiators. They even have support desks. It’s a real criminal enterprise.
And we've seen the number of victims rise really rapidly the last few years — I think over 1,300 declared victims in 2020. The US Treasury has done some really interesting research where they've looked at ransoms paid. And out of the US alone, they estimate — I think it's $519 million — have been paid in ransoms in the first half of this year alone, which is more than in all of 2020.
And it has geopolitical implications. President Biden, you mentioned, has declared it a national security issue, and it has the potential to create an impact on a nation. And that's the staggering thing, because it can stop critical services from functioning.
I think the last point I'd make is that we all are exposed to ransomware, even indirectly, because it's exacerbated by the interconnectedness of how we operate as businesses.
We see ourselves as standalone operators, but attackers can see us as an interconnected system where they can gain access to multiple companies through one entry point, and they can create an impact by attacking someone in our supply chains. So it can be an indirect impact as well.
So, it's evolving rapidly. It's unpredictable because of the way that the criminals are structured with this affiliate model, where they have essentially a supply chain of criminals attacking us, and they even call it ransomware as a service — where one organisation can provide service to a whole load of other criminal groups to conduct ransomware attacks.
Kristin: Wow, that is fascinating and terrifying. And there's a lot to unpack there, Richard. That last point is really interesting, because in our last episode, we talked about disinformation as a service. And so there seems to be a pattern here on the professionalism of criminal activity.
Let's dig into some of the things you said. Let's talk a little bit just about the evolution of ransomware. Maybe you can give us just a bit of a history lesson on how the threat is evolving.
Richard: So, 2017, we saw a really big destructive attack happen at the nation-state level. It was against organisations that had operations in Ukraine and spread across their global operations, and a number of organisations had their global operations wiped out through it.
And what we've seen since then is these criminal groups essentially take the same kind of attack technique and try to refine their approach to make it a money-making activity, not just a destructive activity — so, use it to disable systems and then demand a ransom to provide a tool to get those systems back up and running.
There's huge irony in the way they talk and maybe even think. They like to think of themselves as a reliable business partner. It's in their interest for everyone to know that if they pay a ransom, then they will follow through on what they say they will, because that will encourage more people to pay a ransom.
So, we've seen some organisations where they paid, they got a decryption tool and it didn't quite work, and they were put onto the support desk of that ransomware attack group to help them. And they even gave them a customer satisfaction survey at the end of it, to give their views as to how effective they were at helping.
They talk about their victims as clients, and they try to position themselves as doing good in the world by increasing security in the organisations that they attack.
Yeah, it's a real irony in the way they talk, but that's the way they think.
Kristin: I am literally cringing as you speak. It is really, really interesting, and quite frankly, hard to believe — and this theme, that if you've sort of industrialised fraud, then you have to have a framework to operate in. If you're running a business, you need structure — even when you're a criminal. It's almost reminiscent of organised crime or the mafia. And it seems lawless and random, but it sounds as if there's sort of an underlying code and structure. And I'm curious if that code helps you to track, prevent and respond.
Richard: I mean, let's not be in any illusion: These are brutal, horrible people who have no real ethics in terms of what they do or what they don't do, but they do have self-interest at heart.
So, you know, that self-interest drives them to behave reliably, wherever they can. So if organisations don't pay, then they do their best to publish data they've taken. And if organisations do pay, then they, at least as far as we know, they don't follow through with publishing data and they do provide, in general, tools that will enable those organisations to recover — albeit, it takes them weeks, if not months, to recover.
But the other thing that sort of comes from their self-interest is who they attack. They don't seem to wake up one morning and decide, “We're going to attack XYZ corporation.” What they tend to do is they tend to fire out their phishing emails, scan the internet for remote services that might have vulnerabilities.
That gives them access to organisations. And then they sort of look at the organisations they've got access to and ask themselves the questions: Who would be good for a decent size ransom? Who's got money in the bank? And who could we attack that hopefully would, from their perspective, would not attract a sort of a military response or create a huge national impact in terms of what they do?
So they do seem to sort of think through who their victims are, once they've got access to organisations.
Kristin: I think I've heard you refer to that in the past as the “pirates’ code of ethics” — and it rings true. There has to be almost a level of trust in this crazy environment. You have to trust that if you follow the instructions, your data will not be released. And also that if you don't — that there will be consequences. That's what underpins their business, criminal or not.
So, Richard, let's say that our audience is the CEO of their company and they've been attacked. Put our listeners in the shoes of the executive facing a ransomware attack. What would it feel like or look like in those first few hours? How would you even know you've been attacked?
Richard: So this is quite a fraught kind of situation for organisations to be in, because initially it's just total disorientation. Nothing works. You can't log on. If you're in the office you can't even pick up the phone in the office. So all you've got is your mobile phone and maybe some messaging services on there and the contacts that you've got in your phone.
And that's the sort of disorientation that many CEOs and executives experience. Our experience is that organisations will typically spend a couple of days just trying to get a grip, just establish command and control, just get the right people in the room or in a virtual room, and get the right kind of communications in place to be able to start to manage the crisis.
And then you often see a sort of a sense of optimism in terms of: “It's OK. We've got disaster recovery, we've got backups” — and then a week or two down the line, the mood changes when they realise that the attackers have either deleted their backups or encrypted them, and the ability to recover from backups isn’t there, as well.
And then you get the sort of the real head-in-hand moment of realising there is no viable path to recovery. And that's when organisations start to think about the fact that maybe they do need to engage the attackers.
And then you get a whole kind of ethical dilemma … trauma … in terms of, you know, no one wants to engage with the attackers. No one wants to consider that an organisation sometimes finds itself in a place where it feels it has no choice.
Kristin: Sounds a bit like waking up in a nightmare situation. I can imagine that executives, at least at the outset, might think that this is an IT issue purely. Is that the case, or are there ripple effects throughout the business?
Richard: One thing we observe is that when organisations think about ransomware, when they're not in the situation, they might often think of it as an IT problem. But organisations that have been hit by ransomware think of it very differently. They see it as a business crisis that’s been caused by IT. But actually they have a business crisis to deal with.
And a lot of the challenge is in getting command and control in place, getting communications working, working out how you're going to run your business for, say, four to six weeks without any IT — which is a huge, huge challenge. And it often takes a superhuman effort to put manual workarounds in place, to work out how to keep businesses, business processes functioning, and mapping all the stakeholders, working out how to get consistency of communications, picking your way through legal challenges.
And for all executives, I think the biggest challenge they face is that they have to make decisions and they have to communicate. But they have no data to deal with. If you think of a cyber crisis like this and how it's different to a physical crisis — you know, if you have a flood or a fire or a hurricane heading for your county, then you can quite quickly get your arms around, “OK, there’s up to so many people impacted by it, there’s up to so many facilities impacted by it.”
But with this kind of crisis, you don't know how much data has been taken. You don't know how many machines have been impacted. You don't know how long it's going to take to get your systems back. You don't know if you have the ability to get your systems back. You just have no answers. And that's just so disorienting for executives who are used to making decisions based on facts.
Kristin: I agree. It really feels as if a ransomware attack is almost the iconic crisis of our era, because it does impact the company in so many ways, it happens so quickly, and in many cases, it's public, which is different than some other crises that start as a sort of slow burn and evolve, and then ultimately over time become something large that the public becomes aware of.
But ransomware attacks really do pack a very immediate punch, and therefore require really good crisis management response capabilities to address.
So, Richard, how can a company emerge stronger from a ransomware attack? What muscle gets built in the process so that this incredibly painful and unfortunate experience that you would not wish on your worst enemy — how can that become, ultimately, an opportunity to be stronger?
Richard: Yeah, and that's a great point. And I think any organisation that's been through a big ransomware attack will feel that they've had a cruel, brutal mirror held up to them in terms of the effectiveness of their governance, their ability to defend themselves and, as well, their information management. Often you'll see attackers have taken a load of information that that organisation believed they couldn't have taken because it wouldn't have been on those systems, surely.
And so, you know, there's that sort of very brutal reality check. And that tends to instill a real belief and action in the importance of building the right defenses and getting the right governance in place. But I think organisations that are well prepared and have thought through their response can deal with this far more effectively — and even grow trust with their customers and clients, grow trust in their values and their purpose.
And especially if they can show empathy. And a big challenge for organisations that have been hit by this kind of attack is the organisation feels like the victim. But they need to understand that actually their clients and their customers are the real victims, because they're the ones whose data has been taken and is at risk. And organisations that can kind of take that empathetic step in the way they communicate can really stand out and be different.
But there's no doubt, as well, that organisations that have been through this kind of attack, they bear the scars. I was talking with one CEO four years after he’d been through a ransomware attack. I said, “You know, it takes weeks or months to recover.” He just looked at me and he said, “Richard, you never recover from a ransomware attack.”
And I think there's an element of that in sort of the emotional impact on so many people involved.
Kristin: One thing we've seen in the pandemic is that it really put a lot of stress on companies’ IT infrastructure as they moved their operations from the office to a very dispersed network of workers working from home and other places.
Is there any correlation between companies that have experienced a ransomware attack and how they fared or how prepared they were for the impact of the pandemic?
Richard: One observation is that organisations that have been through a ransomware attack have a depth of understanding as to how their business depends on technology — that no one else has.
And the chances are they've also got a more efficient technology base because they had to rebuild it from scratch. And often you see the 80/20 rule apply, where an organisation recovers 80 percent of their systems, their applications, three months down the line. And then they kind of ask the question, “Well, why should we bother recovering the last 20 percent?”
And so they often take the opportunity to simplify and to get a more efficient technology base that then serves them well when other disruptive events happen.
Kristin: And that's one of the observations that we've made through our research in the Global Crisis Centre. It's that while you’d never wish a crisis on your company, it can be like going to the gym and building muscle. And when another type of crisis or another form of disruption comes around, that muscle that you built can serve you well and help insulate you from the impacts of future crises, even when they're of a totally different nature.
Richard: Yeah, I think that's absolutely right. This kind of crisis really highlights your systemic vulnerabilities. But also recovering from it gives everyone in the organisation phenomenal insight into how the organisation works, as I said earlier, because they've rebuilt it from scratch.
And that's just a huge undertaking, but as well gives you phenomenal insight into how the organisation works and how it can be improved, and gives you the ability to deal with other kinds of crises far more effectively.
Kristin: Richard, I think that's a perfect place to pause for today. Thank you for joining me. This has been a truly fascinating conversation.
Richard: And thank you, Kristin. It's been great to be with you.
Kristin: In our next episode, we'll continue our discussion on ransomware, but taking a different tack: how to build resilience for a better recovery after a ransomware attack.
In the meantime, remember to subscribe to our podcast series, Emerge stronger through disruption, wherever you get your podcasts. And don't forget to connect with Richard and me on LinkedIn. Until next time, thanks for listening.