How to develop resilience against ransomware

Ransomware is a term that’s been firmly in the news this year with several high-profile attacks hitting the headlines. The ransomware attack on the Waikato District Health Board in May took the DHB months to recover from and had a major impact not only on its IT infrastructure but also on its ability to deliver crucial health care to patients.

The attack was a timely lesson for all organisations on the perils of not having robust cybersecurity systems and polices in place.

What is ransomware?

Ransomware is a type of malicious software (malware) that encrypts an organisation’s files and stops you from being able to access them. Ransomware criminals usually demand payment (often in the form of cryptocurrency) to unlock files and systems.

These attacks are incredibly common. According to Cybercrime magazine, by the end of 2021, ransomware attacks are expected to target global businesses every 11 seconds.

Global insurer Marsh warns ransomware is on a meteoric rise, increasing in frequency, severity, and sophistication. Jono Soo, Head of Cyber Specialty for Marsh in New Zealand, says it’s currently the most common cyber threat.

“Ransomware has become the go-to method of attack for a lot of cyber criminals. The reason is that’s where the money is,” he explains.

Soo says there’s a sophisticated underground economy of cybercriminals. Tools to carry out attacks are available on the dark web and there are whole companies offering ransomware as a service.

Effects of an attack

Ransomware attacks present a double threat to businesses. First, there’s the operational issues associated with not being able to access files and computer systems; it affects your ability to do business at a basic level.

The second threat is what’s known as data exfiltration; the unauthorised copying or transfer of data.

Soo says data exfiltration is a powerful lever for extortion.

“Whether it’s personal information from your customer database or confidential client information; really anything which is valuable to you as a business, they’ll steal it and say ‘you pay us X amount of money or else we’ll sell this to the highest bidder on the dark web’.”

Data exfiltration can present a serious threat to a business’ reputation. Soo points out that updates to the Privacy Act last December made reporting data breaches mandatory, both to the regulator and to affected individuals.

Vulnerability

No sector or business is immune to ransomware attacks. Small- and medium-sized businesses are increasingly common targets. Globally, the healthcare sector, professional services and financial services account for more than half of ransomware incidents.

The covid-19 pandemic, and the changes it has forced on the way businesses operate, has also opened the door to cybercriminals. The shift to remote working has created wider ‘attack surfaces’ and generally less secure systems; these are a boon for the perpetrators of ransomware attacks.

“I think the mindset used to be, well, who’s going to bother attacking me? I’m just a small business in New Zealand doing my thing. We don’t have anything valuable,” Soo explains.

“I think we’ve seen from this pandemic that actually, it’s not just the value of your data or what you do. It’s the connectivity. If we’re all working from home; if we can’t access our network, what are we going to do? And if that’s down for any amount of time it can be really, really disruptive.”

Prepare and protect

The most prudent approach for businesses to take is likely an “if, not when” one when it comes to ransomware attacks. This should be top of mind for boards and management. Assume you are going to be attacked at some point and have systems and policies in place.

Establishing ransomware readiness means carefully considering how your organisation would fare in a ransomware event and formulating a plan for this.

The basics of the plan should include prevention strategies such as employee awareness and education, backup policies and procedures, and IT controls such as two-factor authentication, incident logs and software updates.

It should then comprehensively cover how the business will respond in the event of an attack. That means considering everything from how your business would continue to operate during an attack, to managing subsequent communication and reputational issues. It will need to include all stakeholders including legal counsel, police, cyber insurance carriers and security experts. It should establish roles and responsibilities and give response guidelines.

Government cybersecurity authority, CERT NZ, has detailed guidance on formulating an Incident Response Plan for cyberattacks available on its website.

Experts like Soo also recommend practicing a response via drills – just like fire drills - in order to stress test the plan.

If the worst happens

Should your business be hit by a ransomware attack, having a well-practiced plan in place means an organisation can respond quickly.

There are likely to be decisions that will need to be made at board level. This might include whether to pay the ransom. Here again, developing a policy and running through potential scenarios is likely to be a valuable exercise.

“It’s a conversation a lot of boards need to have well in advance of something potentially happening,” advises Soo.

“It ties into your incident response. Ransomware is the most common [cyberthreat] to potentially happen. So drill that. Discuss it. Figure out what your stance is on whether you would pay or not.”

To pay or not to pay

Opinions are divided on the wisdom of paying ransoms. Overseas law enforcement agencies such as the FBI recommend against it. “Paying ransoms emboldens criminals to target other organisations and provides an alluring and lucrative enterprise to other criminals,” its guidance states.

Business.govt.nz and CERT NZ also warn against paying ransoms. And Soo agrees.

“At the end of the day, the ransom payments are encouraging this criminal behaviour,” he says.

However, the payment of ransoms is still happening regularly. It’s unregulated as yet, and may be a business’s best option in some cases.

Boards need to consider what the consequences would be of paying up, Soo says.

“I think the discussion needs to go further than just the ransom. You need to start thinking of the consequences to your reputation if you were to pay or not to pay. And obviously if you were not to pay, what the impacts in terms of operations and everything else are. Each business has a different type of risk… there’s no one-size-fits-all solution, unfortunately.”

Should we have cyber insurance?

A relatively new form of insurance for business, cyber insurance is a growing area of coverage.

“The uptake traditionally has always been low,” Soo says. “But we’re seeing a huge surge in demand at the moment.”

Cyber insurance can assist with the costs involved in recovering from ransomware attacks, including forensic investigators, breach counsel and other support. It can also cover ransom payments, though Soo notes this is a rapidly changing area of coverage.

Preparation is the best form of defence from ransomware attack, Soo stresses. And at a broader level, a unified approach to discourage cybercriminals is needed.

“The real solution at the end of the day is that we do have to work as a collective to stop paying these criminals. It needs to be a joint effort between governments and the private sector around the world to stamp out this behaviour.”

In the meantime, it’s important for boards to have the conversations around protecting their data, networks, customer information and reputation.