Financial Focus 2023 | Part 5

Ransomware threats - are we ready to respond?

  • Blog
  • 3 minute read
  • September 30, 2023

In the 2023 Digital Trust Insights survey, which had more than 3,000 respondents across 65 territories, 45% of respondents with a tech role selected ransomware as an increased threat in 2023 compared to 2022. This is consistent with other threat intelligence reports that have been tracking cybercrime trends over the years.


Ransomware, which is a type of malware that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid, can be a very profitable attack vector from a cybercriminal’s perspective. Orange Cyberdefense, which has been tracking data leak sites on the dark web run by ransomware groups since January 2020, has noted that the group LockBit dominated the ransomware criminal ecosystem in 2022, accounting for almost half of all victims (more than 800 victim organizations from about 60 different countries). Another group called BlackCat (ALPHV) has hit closer to home, and allegedly stole up to 1TB of sensitive data from the Central Bank of Gambia, which included sensitive financial documents and internal information.

In addition to attacks from organized cybercriminal groups, cybercriminals without the skills to launch sophisticated ransomware attacks themselves can subscribe to Ransomware-as-a-Service (RaaS) offerings and pay for customized malware to launch a successful attack. Alternatively, cybercriminals who manage to infiltrate an organization’s network can act as access brokers and sell that access to cybercriminal groups. This widens the threat landscape for all organizations, and especially for those in the Financial Services sector, which continues to be a priority target for cybercriminals.

As financial service providers continue to digitally transform and offer more innovative digital solutions such as biometric verification and registration, digital wallets, and mobile finance management tools, the risk of ransomware attacks cannot be overstated and requires specific strategies in response. Some of these strategies include patch management, vulnerability management, improving incident detection and response capabilities, business continuity planning, network segmentation and third-party risk management.


However, in the event that an organization does experience a ransomware attack, the following steps have proven to be helpful:

  • Once a ransomware incident has been identified, the Incident Response Plan should be executed so that pre-planned procedures and communication plans are followed. If there is no incident response plan, all senior management should be informed, the key point of contact identified, public communications coordinated, and the next steps followed.
  • Most ransomware will attempt to spread from the initial entry point, “Patient 0,” through any connection it can make, such as domain services and network shares, and from there across the network and all its connected endpoints. To contain the encryption, the machine should be cut off from all its prospective connection points immediately.
  • If a machine is suspected to be infected, it should be disconnected from the rest of the network immediately and investigated, even if it is not currently showing any indicators of compromise.
  • The common attack vectors for ransomware are Remote Desktop Protocol (RDP), phishing, and Server Message Block (SMB) attacks. All ports exposed to the Internet that have no business requirement should be closed immediately, regardless of how secure they are believed to be.
  • Administrative credentials should be assumed to be compromised. All administrator sessions should be terminated and administrative credentials reset.
  • Containment and network hygiene should be prioritized over restoring from backups. Automated backups on affected systems should be halted so that infected files do not overwrite clean copies.
  • The relevant regulatory authorities may need to be informed and can advise on the next steps.
  • As much digital evidence as possible should be collected for analysis in the subsequent investigation, provided this does not severely hinder efforts to secure the environment.
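The steps above can be partly supported by tooling. As an added example (not code from the PwC post or its authors), the Python script below triages a constructed firewall-style connection log for the "Patient 0" fan-out the steps describe: a single source host opening SMB (445) or RDP (3389) connections to many distinct internal hosts. For each host that crosses an assumed threshold it emits the containment actions listed in the steps (disconnect, terminate and reset admin sessions, halt backups, preserve evidence) and fixes the raw log excerpt with a SHA-256 digest so the evidence copy can later be shown to be unchanged. The log format, hostnames, addresses and the threshold value are all assumptions for illustration.

```python
import hashlib
import re
from collections import defaultdict

# Ports the post names as common spread/entry vectors: SMB shares and RDP.
LATERAL_PORTS = {445: "SMB", 3389: "RDP"}

# Assumed tuning value: distinct internal destinations on one lateral port
# before a source host is treated as spreading. Adjust to the environment.
FANOUT_THRESHOLD = 5

# Constructed firewall-style log excerpt (addresses and format are made up).
SAMPLE_LOG = """\
2023-09-30T08:01:12Z src=10.20.1.15 dst=10.20.1.2 dport=445 action=allow
2023-09-30T08:01:13Z src=10.20.1.15 dst=10.20.1.3 dport=445 action=allow
2023-09-30T08:01:13Z src=10.20.1.15 dst=10.20.1.4 dport=445 action=allow
2023-09-30T08:01:14Z src=10.20.1.15 dst=10.20.1.5 dport=445 action=allow
2023-09-30T08:01:14Z src=10.20.1.15 dst=10.20.1.6 dport=445 action=allow
2023-09-30T08:01:15Z src=10.20.1.15 dst=10.20.1.7 dport=445 action=allow
2023-09-30T08:01:20Z src=10.20.1.15 dst=10.20.1.8 dport=3389 action=allow
2023-09-30T08:01:21Z src=10.20.1.15 dst=10.20.1.9 dport=3389 action=allow
2023-09-30T08:02:00Z src=10.20.1.30 dst=10.20.1.2 dport=445 action=allow
2023-09-30T08:02:05Z src=10.20.1.30 dst=10.20.1.2 dport=445 action=allow
2023-09-30T08:02:09Z src=10.20.1.30 dst=142.250.1.1 dport=443 action=allow
2023-09-30T08:03:00Z src=10.20.1.40 dst=10.20.1.2 dport=445 action=allow
2023-09-30T08:03:01Z src=10.20.1.40 dst=10.20.1.3 dport=445 action=allow
2023-09-30T08:03:02Z src=10.20.1.40 dst=10.20.1.4 dport=445 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\S+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def fanout(log_text):
    """Map source -> service name -> set of distinct destinations on lateral ports."""
    table = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dport"] not in LATERAL_PORTS:
            continue
        table[rec["src"]][LATERAL_PORTS[rec["dport"]]].add(rec["dst"])
    return table


def containment_plan(log_text, threshold=FANOUT_THRESHOLD):
    """Flag sources whose fan-out on any lateral port reaches the threshold and
    attach the containment actions the response steps call for."""
    plan = []
    for src, services in sorted(fanout(log_text).items()):
        counts = {svc: len(dsts) for svc, dsts in services.items()}
        if max(counts.values()) >= threshold:
            plan.append({
                "host": src,
                "distinct_targets": counts,
                "actions": [
                    "disconnect host from all network connection points",
                    "terminate administrator sessions and reset admin credentials",
                    "halt automated backups sourced from this host",
                    "preserve evidence before remediation",
                ],
            })
    return plan


def evidence_record(log_text):
    """Digest the raw log excerpt so the copy handed to the investigation can
    later be shown to be unchanged."""
    digest = hashlib.sha256(log_text.encode("utf-8")).hexdigest()
    return {"sha256": digest, "lines": len(log_text.splitlines())}


if __name__ == "__main__":
    for entry in containment_plan(SAMPLE_LOG):
        print(entry["host"], entry["distinct_targets"], entry["actions"])
    print(evidence_record(SAMPLE_LOG))
```

With the constructed log, only 10.20.1.15 is flagged at the default threshold (six SMB targets, two RDP targets); 10.20.1.30 talks repeatedly to one file server and is ignored, and 10.20.1.40 only crosses the line if the threshold is lowered, which is the kind of tuning an organization would settle on in advance as part of its incident response planning rather than during an incident.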

Of course, the above steps assume that the organization has already invested in some basic information security controls and infrastructure, and is willing to do what it can to recover data without paying a ransom. There have been many circumstances where organizations chose to pay the extortion fees in order to resume business operations. While this is ultimately a business decision, paying contributes to cybercriminal operations and advertises to other cybercriminals that the organization is a paying victim.

Based on these observed trends, all organizations should assume that they are targets and begin making relevant decisions to prepare for the inevitable. At the bare minimum, every organization should have an answer to the prime question: “Are we sufficiently prepared for a ransomware attack?”

Golder Kamuzora

Senior Manager | Risk Assurance Services, PwC Tanzania

Tel: +255 (0) 22 219 2322

Peter Ojekunle

Senior Manager | Consulting & Risk Services, PwC Uganda

Tel: +256 (0) 312 354 400