March 17, 2022
Modern-Day Extortion

What Organizations Need to Do – Now – to Thwart Ransomware Attacks

When discussing ransomware – which, for good reason, has emerged as Topic A for cybersecurity – we should take a closer look at what happens during a typical incident. A ransomware attack starts when an adversary enters an organization’s cyber ecosystem, encrypts systems and data, and demands payment for decryption.

If the organization balks at paying, the adversary threatens to leak sensitive data and materials.

If the organization still refuses payment, the adversary may launch a denial-of-service (DoS) attack to bring down critical systems. In some cases, attackers may threaten to modify key files such as payroll documents or files containing essential source code.

All of which means we should be calling ransomware what it is – extortion. While the term “ransomware” implies that it’s all about weaponized technology, what we’re really dealing with is the criminal, malicious intention behind the weaponized technology.

To get a better sense of the frequency and impact of ransomware, CBI and Ponemon Institute recently released a research report, “The Cost & Consequences of Ransomware for Small to Large-Sized Enterprises,” for which 659 IT security professionals were surveyed. Following are some of the more revealing findings:

  • Eighty percent of companies surveyed have experienced a ransomware attack within the past year – up from 51 percent in 2017 – despite spending an average of $6 million annually to prevent, detect, contain and resolve ransomware. For staffing alone, organizations budget an average of $170,000 to pay for 14 employees to spend 190 hours containing and remediating the latest incident.
  • Of the 80 percent of companies that were compromised, 53 percent paid the ransom, which now averages more than $1 million. However, only half of these companies report receiving a decryption key from the attackers after paying. This means ransomware is not a business transaction. It’s extortion – expensive extortion at that.
  • Legal and regulatory actions account for the highest total costs resulting from a ransomware attack, more than productivity disruptions, technical support, reputation/brand damage and lost revenues.
  • Only 32 percent of organizations are confident in their security controls. Yet just 51 percent regularly conduct assessments to test their ransomware prevention and recovery practices, and just over a third evaluate their third parties’ security and privacy practices.
  • Just 30 percent are confident in their employees’ ability to detect the social engineering lures that could trigger a ransomware incident, even though 61 percent provide continuous security awareness training for staffers.

Clearly, organizations must take a proactive stance in responding to these developments. Relying on cyber insurance is not enough – two out of five companies are seeing decreases in ransomware coverage while still paying more than $17,000 annually in average premiums. Companies should also implement industry best practices into their ransomware detection/prevention/mitigation strategies:

Understand the anatomy of common attacks

As defenders, we know the general approaches – the tactics, techniques and procedures (TTPs) – of these criminals. They usually gain entry via phishing or insecure web applications. Once inside the network, attackers move laterally using relatively common techniques in search of valuable targets, all the while escalating privileges to increase their capacity to harm. With an understanding of the established, proven anatomies of the adversaries’ TTPs, companies can better align their detection, alerting and prevention tools and procedures.

Develop a comprehensive ransomware playbook

In addition to anatomy-based tools and procedures, organizations need a ransomware playbook that addresses how the organization will respond to everything from data leakage and DoS attacks to compromised systems integrity. A playbook should include legal and compliance considerations, as well as policies and procedures for third-party security assessments and employee training.

Acquire total visibility of potentially targeted assets

While backing up data is a highly recommended practice, it’s no longer enough as a mitigation strategy – backups won’t stop hackers from leaking sensitive files or going after critical business dependencies such as microservices and software as a service (SaaS) integrations. Given this reality, security teams should strive to gain comprehensive visibility over all digital assets that are likely targets, putting them in a much better position to protect those assets.

Reach out for support where needed

Once compromised, companies often make the mistake of immediately deciding whether to pay the ransom or not, without considering the possible consequences of each path. Most are inexperienced in ransomware negotiations, where saying the wrong thing can result in attackers increasing the ransom demand. What’s more, a sense of panic can result in bad decisions. Involving third-party experts who specialize in ransomware incident response will ensure incidents are dealt with in a measured, strategic way. Seven of ten companies, in fact, are hiring third-party experts to remediate ransomware incidents, up from 59 percent in 2017.

All in all, ransomware is a modern form of extortion, an offense perhaps as old as humanity. Today, cybercriminals use ransomware to forcefully extract huge payouts from organizations – but the good news is, companies don’t have to be defenseless. Armed with the right knowledge, preparation, tooling and third-party expertise, companies can get ahead of adversaries before they strike – to minimize if not eliminate their capacity for damage.

About the Author
Shaun Bertrand
Chief Services Officer
Shaun Bertrand is the Chief Services Officer at CBI. Shaun brings over 20 years of experience in the information security field with a core focus of providing penetration testing and vulnerability assessment services to enterprise organizations. Shaun has been CISSP certified since 2004 and is proficient in several technical services including AV obfuscation, social engineering, exploit development, critical systems protection, endpoint security, event management, incident response, intrusion detection, ICS/SCADA, and malware prevention. Shaun has taught security classes at the University of Michigan and Eastern Michigan University and is a frequent speaker at security conferences and local hacking groups.