Zamani Ngidi, Client Manager: Cyber Solutions at Aon South Africa
Ransomware is, by multiple measures, the top cyber threat facing businesses today, with the damage it causes including downtime costs and recovery time.
Current incident statistics are sobering:
- In 2021, a company will be hit by a ransomware attack every eleven seconds.
- The average ransom demand in 2020 was $178,000 (R2.7mil).
- The largest ransomware demand of 2020, made to French construction firm Bouygues, was €10mil (R150m).
- Damages from ransomware are predicted to be $20 billion (R600bn) in 2021.
What is Ransomware?
In a ransomware attack, threat actors gain unauthorised access to company networks and files using malicious software or malware. After gaining access, these cybercriminals encrypt files, making them inaccessible, and demand a ransom payment in cryptocurrency in exchange for the digital key code(s) to decrypt the files. Ransomware attacks have become more advanced in their approach, including pre-emptive measures intended to coerce ransom payment, such as targeting and destroying data backups to prevent restoration, and stealing data prior to encryption with the threat of public release. This leaves many victims with the difficult choice of either permanent loss of data and extended business disruption or paying a ransom to regain access and restore operations.
The Payment Conundrum
The South African Cybercrimes and Cybersecurity Bill (B6–2017) criminalises cyber extortion in section 10 of the bill. But at present the legal route is often a lengthy one which most companies do not have the time to venture down, explaining why many ransomware victims opt to pay the ransom to recover critical files or restore the operation of critical systems.
For most victimised entities, their decision to pay the ransom is based on whether it makes business sense to do so and, if so, how to both engage with the threat actor to negotiate and navigate the often-unfamiliar cryptocurrency landscape to facilitate payment. Post-payment, the most difficult issue facing a victimised entity is the time-consuming and technically taxing decryption process.
At present, many ransomware victims handle aspects of the incident response investigation themselves, including root-cause analysis of the incident, the scope of the intrusion and restoration of the business. The inherent challenge that comes with handling such a matter internally is taking up a responsibility that the team may not be adequately equipped or sufficiently experienced to handle, which is why transferring that risk to an experienced cyber risk expert is crucial to save on time and costs.
Risk mitigation strategies
At its core, cybercrime is committed by sophisticated and motivated threat actors, who are actively trying to gain access for financial gain. Better protection inherently translates into guarding sensitive, ergo valuable, information that could otherwise be leveraged against a company during a ransomware attack. The recent SolarWinds debacle highlights the fact that billions of Rands' worth of IT security can be undermined by one weak entry point, an example of the ingenuity of criminal attackers and their methods to obtain access.
Aon offers seven tips to help mitigate the risk of falling victim to ransomware and better prepare for a ransomware incident:
- Be proactive – Being victimised by ransomware is a jarring experience. It tests an organisation’s emotional responses to crisis, escalation procedures, technical prowess, business continuity preparedness and communication skills. Ensure that the Incident Response (IR) Plan/Playbooks and/or Business Continuity Plan/Disaster Recovery Plan have been recently assessed, reviewed, and updated. But, most important, these plans and playbooks must be tested through simulated practice across realistic scenarios to help improve resilience.
- Educate employees on cyber security and phishing awareness – Phishing is still a leading cause of unauthorised access to a corporate network, including being the entry point for ransomware attacks. Training users not only to spot a phishing email, but also to report the email to their internal cyber security team, is a critical step in detecting a ransomware attack. Phishing awareness is a critical cornerstone of a cyber-secure culture.
- Employ multi-factor or “two-step” authentication – Multi-factor authentication (e.g., a password – something employees know, plus an authentication key – something employees have) across all forms of login and access to email, remote desktops, external-facing or cloud-based systems and networks (e.g., payroll, time-tracking, client engagement) should be a requirement for all users. Multi-factor access controls can be even more effective if coupled with the use of virtual private network (VPN) interaction.
- Keep systems patched and up-to-date – The rudimentary cyber hygiene activity of system updates and patching often falls by the wayside, especially as operations and security teams are stretched, systems and endpoints age and move towards legacy status, and new systems, hardware, and applications are introduced as businesses grow, mature, merge and divest. Attackers can identify a vulnerable system with a simple scan of the Internet using free tools, looking for exploitable systems on which to unleash ransomware and other cyberattacks.
- Install and properly configure endpoint detection and response tools – Tools that focus on endpoint detection and response can help decrease the risk of a ransomware attack and are useful as part of incident investigation and response. Properly configured security tools give a much greater chance of detecting, alerting on, and blocking threat actor behaviour.
- Design your networks, systems and backups to reduce the impact of ransomware – Ensure your privileged accounts are strictly controlled. Segment your network to reduce the spread of adversaries or malware. Have strong logging and alerting in place for better detection and evidence in the event of incident response. Having a technical security strategy that is informed by industry experts who know the latest attacks and adversary trends is important, as is the use of continuous threat intelligence monitoring in open source and on the dark web.
- Pre-arrange your third-party response team – An effective ransomware response will often include all or some third-party expertise across the disciplines of forensic incident response, legal counsel, crisis communications and ransom negotiation and payment. As time is of the essence, it is critical to pre-vet and pre-engage a team of professionals to monitor and be ready to respond to a ransomware attack when it happens.
While the risk of ransomware is unlikely to be fully mitigated when considering your brand’s reputation and goodwill as well as legal repercussions, it is crucial for organisations to consider risk transfer options by obtaining appropriate cyber insurance coverage. In doing so, organisations should review how coverage addresses indemnification for financial loss, business interruption, fees and expenses associated with the ransom and incident response, as well as considerations for service providers, such as the ability to work with incident response providers of choice.
The process is best undertaken with the aid of an expert broker to address every eventuality in its entirety.