Ransomware attacks are seizing headlines, but the reality is even darker. Most victims never appear in the media, since they quietly pay to make the problem go away. The danger is intensifying as threats multiply, their sophistication rises, and the ransoms hackers demand become higher and higher.
What would you do if tomorrow hackers breached your systems and locked you out of your own data and systems? They could hold hostage assets such as your customers’ credit card numbers, critical business processes on which your operations depend, or sensitive data that you are bound by law to protect. Attackers increasingly use a one-two punch: pay up to get your data unlocked, and pay up again or we release all your data on the internet. A permanent lockout could cripple your operations. A public release could harm your customers, poison your brand and provoke regulatory scrutiny and heavy fines.
You can reduce the risks, but you need to act now. Here are four things you need to know about the new dangers.
There’s a cold, hard fact about ransomware: it often pays off. As a result, it’s attracting highly sophisticated cybercriminals and criminal organizations. They’re investing time and money to choose the most lucrative targets and assess how to overcome defenses.
What will make your company a target? Ransomware criminals look at three factors. First, they consider your ability to pay. They often run financial analyses (just as a Wall Street analyst might), research your top executives’ salaries (yes, they know how much you earn) and try to determine if you have cyber insurance. Second, they assess the quality of your defenses. They may probe your cybersecurity for months before finally deciding on an attack. Third, they consider how much pain they can cause you quickly. If they can rapidly cripple your critical operations, they know that you may have no choice but to pay a larger ransom.
The anything-as-a-service model works for criminals too: there are at least 12 well-established “service offerings” where ransomware developers lease their malware in exchange for a share of the criminal profits — typically ranging from 25% of small ransoms to 10% of those over $5 million. It’s even possible to measure market share and profits for Ransomware-as-a-service (RaaS) providers, who may advertise their services to hackers and offer their criminal clients help desks for support.
RaaS lowers the barrier to entry, since cybercriminals no longer need to develop their own malware. Many specialize instead in spreading through your IT environment and deploying the leased ransomware at scale.
Ransomware actors are finding new ways to monetize your data. Many now download (“exfiltrate”) data from victims’ systems before encrypting the files, then announce the intrusion on a public leak site and set a deadline for payment. If you refuse, they publish the stolen data. The threat of damage to your customers, your brand and your regulatory standing may oblige you to pay heavily to keep the data private, even if you could restore your systems from backups.
What’s more, ransomware hackers increasingly practice double extortion. They demand ransom twice: first they demand money for a digital key to unlock your files so you can access your data again. Then they ask for even more money in return for a promise to destroy their copies of the stolen data, a promise you have no way to verify. The latest development is offering to sell advance information about a planned breach to investors who can then short the target company’s stock.
The highest ransom paid to cybercriminals in the US, Canada and Europe doubled to $10 million in 2020, and average payments jumped 171%. The record was broken in March 2021 when a $40 million ransom was reportedly paid on a $60 million demand. The average ransomware payment rose a further 43% in the first quarter of 2021.
Many ransomware criminal groups operate with at least tacit protection of their home government. It’s all too common for US law enforcement authorities to identify, sanction and indict ransomware criminals in other countries — only for these countries to then refuse extradition.
There are attempts to end this impunity. The Ransomware Task Force, for example, is recommending the dismantling of payment systems for ransoms and exerting pressure on nations to crack down on ransomware actors. The Colonial Pipeline ransomware attack, which threatened US fuel supplies, may encourage the US government to act more firmly against countries that protect ransomware perpetrators.
But for now, you have to assume that some of the most dangerous ransomware actors believe — correctly — that they can attack you with impunity.
Ransomware criminals will choose the most lucrative and softest targets, so it’s wise to harden your defenses and encourage hackers to look elsewhere. Make your cybersecurity top-notch, with multi-factor authentication on all accounts (including VPN access), robust patching and vulnerability management, up-to-date antivirus and intrusion detection systems, and Remote Desktop Protocol (RDP) access that is either disabled or not reachable from the internet.
Understand where your critical data is located, the implications (including regulatory requirements) of any breach, and what you would need to recover in order to create a ‘minimum viable company.’ Create and check offline backups, along with a robust restore procedure. Define and test how much disruption you can tolerate, so if an attack does succeed, you can make the right decision about paying ransom.
If you are hit, having a plan ready can cut your losses and get you back up and running quickly. Having segregated full and incremental backups available to restore can help you get back in business and reduce operational impact. Otherwise, even if you pay a ransom, recovery may be slow and costly, since IT environments are complex and information about critical systems may be unclear. After ransomware criminals return data and provide decryption keys, it’s all too common for companies that lack a plan to face a long and slow recovery: ransomware tools may have corrupted data and IT teams may not have the needed decryption skills.
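The two paragraphs above call for offline backups that are actually checked, and a restore procedure that is exercised before an incident rather than during one. The following Python script is an added example, not code from the original article or from PwC: it builds a backup archive together with a SHA-256 manifest, restores that archive into a scratch directory, and compares every restored file against the manifest. The `demo()` function then constructs a small directory, takes a good backup, scrambles one file in place as a stand-in for an encryptor, takes a second backup and checks it against the original manifest. The file names, contents and the XOR scrambler are all constructed for the demonstration; the point is that a manifest kept apart from the backups lets you tell a clean backup from one taken after the data was already encrypted or corrupted.

```python
"""Backup integrity and test-restore check (added example, not the article's code)."""
import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src: Path) -> dict:
    """Map each regular file under src (relative path) to its SHA-256 digest."""
    return {str(p.relative_to(src)): sha256_file(p)
            for p in sorted(src.rglob("*")) if p.is_file()}


def create_backup(src: Path, archive: Path, manifest_path: Path) -> dict:
    """Write a gzipped tar of src and a JSON manifest; store the manifest offline."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:                       # add files individually so member
            tar.add(str(src / rel), arcname=rel)   # names are plain relative paths
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def verify_restore(archive: Path, manifest: dict) -> dict:
    """Restore into a fresh scratch directory and compare every file to the manifest.

    Returns lists of files that verified ("ok"), whose content differs ("mismatched"),
    that are absent from the restore ("missing") or present but not in the manifest
    ("unexpected"). A test restore that is never compared to a baseline proves little.
    """
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                # The "data" filter (Python 3.12, backported to 3.8.17+) refuses
                # absolute paths and "../" members, so a tampered archive cannot
                # write outside the restore directory.
                tar.extractall(scratch, filter="data")
            except TypeError:  # older interpreter without the filter argument
                tar.extractall(scratch)
        restored = build_manifest(Path(scratch))
    result = {"ok": [], "mismatched": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in restored:
            result["missing"].append(rel)
        elif restored[rel] != digest:
            result["mismatched"].append(rel)
        else:
            result["ok"].append(rel)
    result["unexpected"] = sorted(set(restored) - set(manifest))
    return result


def simulate_ransomware(path: Path, key: int = 0x5A) -> None:
    """Constructed stand-in for an encryptor: XOR-scramble a file in place."""
    path.write_bytes(bytes(b ^ key for b in path.read_bytes()))


def demo() -> dict:
    """Constructed scenario: a clean backup, then a backup taken after encryption."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "data"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        (src / "config.ini").write_text("[app]\nregion=eu-west-1\n")

        good_archive = root / "backup-good.tgz"
        baseline = create_backup(src, good_archive, root / "manifest.json")
        good = verify_restore(good_archive, baseline)   # expect everything "ok"

        simulate_ransomware(src / "db" / "customers.csv")   # incident happens here
        bad_archive = root / "backup-after-incident.tgz"
        create_backup(src, bad_archive, root / "manifest-untrusted.json")
        bad = verify_restore(bad_archive, baseline)     # customers.csv now mismatches
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the script prints the two verification results. The baseline manifest is the piece to keep offline or on immutable storage: an attacker who can encrypt your files can also rewrite a manifest stored beside them, and a backup job that regenerates its own manifest will happily certify encrypted garbage as intact.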
Develop and exercise incident response and crisis plans today. Test these plans against a catastrophic ransomware scenario, in which common security and IT tools may be unavailable and recovery could take weeks or months. Make sure you have the technical expertise to respond to the attack: determining its cause, investigating its extent, containing the breach and expelling the attacker from your environment.
Ransomware is a major and growing danger, against which you must strengthen defenses and develop a response plan, right now. Ransomware criminals are multiplying, attracting new cyber talent, innovating malware, and acting with impunity. To reduce the risks, your defenses and incident response plan must be both top-notch and continually evolving. The right defense plan will also be unique to your organization: it will consider your critical needs, your current and potential defenses, your vulnerabilities and your organizational ethos.
Principal, Cybersecurity and Privacy, PwC US
Cyber, Risk and Regulatory Marketing Lead Partner, PwC US
Cyber & Privacy Innovation Institute Leader, PwC US