Ransomware: four major dangers you must know about and what you should do

Understanding threats, strengthening defenses, keeping action plan ready to counter ransomware attacks

Ransomware attacks are seizing headlines more often but the reality is even darker. Most victims globally never appear in the media, since they quietly pay to make the problem go away. The danger is intensifying as threats multiply, their sophistication rises, and the ransoms hackers demand become higher and higher.

In 2020, ransomware cases in Singapore surged 154% and as reported cases more than doubled in the first half of this year, against the same period last year, the Cyber Security Agency of Singapore (CSA) cautioned while noting, ransomware has evolved into a “massive and systemic threat”. The 16,117 cybersecurity cases in 2020 accounted for 43% of all crimes in Singapore. The real number of ransomware attacks in the country could be potentially larger, as many cases may not have been reported.The COVID-19 pandemic has sparked a further surge in global cybercrime cases, with 384 cases reported in Singapore in 2020 alone.

Has your company studied the threats, strengthened its defenses and made a plan in case an attack succeeds? What would you do if tomorrow hackers breach your systems and lock you out of your own data and systems?

Hackers can hold hostage assets such as your customers’ credit card numbers, or critical business processes on which your operations depend, or sensitive data that you are bound by law to protect. A permanent lockout could cripple your operations. A public release of your sensitive data could harm your customers, poison your brand and provoke regulatory scrutiny and heavy fines. Some of the commonly targeted sectors in Singapore are the Technology, Banking and Financial Services, and the Social Networking firms.

Four major dangers

To reduce risks, you must act now, keeping in mind these key danger areas:

1. As you read these words, ransomware hackers are researching your company.
2. Ransomware-as-a-service is enabling and multiplying sophisticated attacks.
3. New schemes are more lucrative for criminals - and more costly to you.
4. Ransomware hackers probably won’t get punished, even if they’re caught.

1. As you read these words, ransomware hackers are researching your company.

There’s a cold, hard fact about ransomware: it often pays off. As a result, it’s attracting highly sophisticated cybercriminals and criminal organisations. They’re investing time and money to choose the most lucrative targets and assess how to overcome defenses.

What will make your company a target? Ransomware criminals look at three factors. First, they consider your ability to pay. They often run financial analyses (just as a Wall Street analyst might), research your top executives’ salaries (yes, they know how much you earn) and try to determine if you have cyber insurance. Second, they assess the quality of your defenses. They may probe your cybersecurity capabilities for months before finally deciding on an attack. Third, they consider how much pain they can cause you quickly. If they can rapidly cripple your critical operations, they know that you may have no choice but to pay a larger ransom.

2. Ransomware-as-a-service is enabling and multiplying sophisticated attacks.

The anything-as-a-service model works for criminals too: there are at least 12 well-established “service offerings” where ransomware developers lease their malware in exchange for a share of the criminal profits — typically ranging from 25% of small ransoms to 10% of those over $5 million. It’s even possible to measure market share and profits for Ransomware-as-a-service (RaaS) providers, who may advertise their services to hackers and offer their criminal clients help desks for support.

RaaS lowers the barrier to entry, since cybercriminals no longer need to develop their own malware. Many specialise instead in spreading through your IT environment and deploying the leased ransomware at scale.

3. New schemes are more lucrative for criminals - and more costly to you.

Ransomware actors are finding new ways to monetise your data. Many now download (“exfiltrate”) data from victims’ systems, encrypt these files and announce their action on public leak sites. They then set a deadline for paying ransom. If you refuse, they publish this stolen data. The threat of damage to your customers, your brand, and your regulatory compliance may oblige you to pay heavily to get your data back.

What’s more, ransomware hackers increasingly practice double extortion. They demand ransom twice: first they demand money for a digital key to unlock files so you can access your data again. Then, they ask for even more money in return for a promise to destroy their copies of the stolen data. The latest development is offering to sell advance information about a planned data breach to investors who can then short that company's stock.

The highest ransom demand paid to cyber criminals in the US, Canada, and Europe doubled to $10 million in 2020, and average payments jumped 171%. The record was broken in March 2021 when a $40 million ransom was reportedly paid out on a $60 million demand. The average ransomware payment rose 43% in the first quarter of 2021.

4. Ransomware hackers probably won’t get punished, even if they’re caught.

It’s all too common for law enforcement authorities to identify, sanction and indict ransomware criminals in other countries — only for these countries to then refuse extradition.

There are attempts to end this impunity. The Ransomware Task Force, for example, is recommending the dismantling of payment systems for ransoms and exerting pressure on nations to crack down on ransomware actors. The Colonial Pipeline ransomware attack, which threatened US fuel supplies, may encourage the US government to act more firmly against countries that protect ransomware perpetrators. ASEAN Member States (AMS) agreed to move forward on a formal Cybersecurity Coordination Mechanism and to reaffirm the region’s commitment to a rules-based international order in cyberspace. In 2020. Singapore announced a collaboration with the United Nations to develop a checklist for implementing international cybersecurity norms.

But for now, you have to assume that some of the most dangerous ransomware actors believe — correctly — that they can attack you with impunity.

Protecting against these costly, sophisticated ransomware schemes

Your first defense: be better than your peers.

Ransomware criminals will choose the most lucrative and softest targets, so it’s wise to harden your defenses and encourage hackers to look elsewhere. Make your cybersecurity top-notch, with multi-factor authentication on all accounts (including VPN access), robust patching and vulnerability management, up-to-date antivirus and intrusion detection systems, and remote desktop protocols (RDP) that are either disabled or not accessible from the internet.

Understand where your critical data is located, the implications (including regulatory requirements) of any data breach, and what you would need to recover in order to create a ‘minimum viable company.’ Create and check offline backups, along with a robust restore procedure. Define and test how much disruption you can tolerate, so if an attack does succeed, you can make the right decision about paying ransom.

Small and medium enterprises and specific sector players be even more careful.

A closer look at ransomware trends in Singapore suggests, while most of the affected cases were SMEs, it was observed that hackers are particularly targeting large companies in the manufacturing, retail and healthcare sectors. 89 ransomware were reported to CSA, with cases hailing from the manufacturing, retail and healthcare sectors. This was a significant rise of 154% in cases over the whole of 2019.

Plan now to recover from an attack.

If you are hit, having a plan ready can cut your losses and get you back up and running quickly. Having segregated full and incremental backups available to restore can help you get back in business and reduce operational impact. Otherwise, even if you pay a ransom, recovery may be slow and costly, since IT environments are complex and information about critical systems may be unclear. After ransomware criminals return data and provide decryption keys, it’s all too common for companies that lack a plan to face a long and slow recovery: ransomware tools may have corrupted data and IT teams may not have the needed decryption skills.

Develop and exercise today incident response and crisis plans. Test these plans for a catastrophic ransomware scenario, where common security and IT tools may be unavailable and recovery efforts could require weeks or months. Make sure you have the technical expertise to respond to the attack by determining its cause, investigating its extent, containing the breach and expelling the attacker from your environment.

Bottom line

Much like other parts of the world, ransomware is a major and growing danger in Singapore, against which you must strengthen defenses and develop a response plan, right now. Ransomware criminals are multiplying, attracting new cyber talent, innovating malware, and acting with impunity. To reduce the risks, your defenses and incident response plan must be both top-notch and continually evolving. The right defense plan will also be unique to your organisation: it will consider your critical needs, your current and potential defenses, your vulnerabilities and your organisational ethos.