This month, a significant amount of media reporting has focussed on cyber security threat forecasts for 2021. Unsurprisingly, the continued rise and complexity of ransomware features heavily in almost all of these predictions, with the major forecast being that these attacks will most likely increase this year.
This likely increase is not only due to the attractive profits that can be made, but also because the crime is being driven by an emerging ransomware-as-a-service model which allows the less capable cyber actors to hire malware from those more capable and experienced.
Interestingly, at the start of 2020 the number of ransomware attacks was actually going down, as cyber criminals shifted their early ‘business model’ from targeting many individuals with smaller ransoms of (roughly) £200 to £400 a time, to targeting larger corporations with multi-million pound demands. As an example, this time last year Travelex were taken offline by an attack from the REvil ransomware group, and the company reportedly paid $2.3 million to restore their systems and gain assurances that the attackers would not leak stolen data (it is important to note that the original demand was $6 million).
We also saw fitness tracker/GPS technology company Garmin affected after a demand of $10 million was made (security experts have widely reported that Garmin did pay a ransom to restore their systems, but there has been no official report of how much they actually paid).
Are attacks still increasing?
There are two key reasons the number of attacks crept back up in 2020. The first is that ‘double-deal’ ransomware has proven to be a very successful method of guaranteeing a ransom payment. The second is that the COVID-19 outbreak provided a number of new attack opportunities for cyber criminals: people’s thirst for information on subjects such as the spread of COVID-19, furlough schemes, Zoom updates, Netflix and so on gave criminals a vast array of topics they could use as lures in ransomware-infected spear phishing messages.
Wait! What is ‘Double-Deal’ Ransomware?
As a result of organisations taking heed of security advice around ransomware protections, an increasing number of victims have been able to recover from attacks without having to pay the ransom. Clearly this isn’t good for criminal business, so a new model of ‘double deal’ (aka double extortion) ransomware has emerged.
Before encrypting a victim’s data, double-extortion attackers also exfiltrate (i.e. steal) victim data and threaten to publish it onto social media and via ‘leak sites’. This is a very important evolution because, even if the victim has adequate backups to mitigate a conventional attack, for many businesses the threat of reputational damage can be leveraged to force them into paying the ransom. Similarly, the threat of the attack becoming public knowledge also has potential legal and compliance implications for the organisation which may compel them to pay. It effectively gives the criminals two cracks at the extortion and we expect more of the attacks in 2021 will be of this nature.
How do I protect my organisation?
The traditional mitigation steps still apply:
- Patching your systems – Make sure you have a regular patching regime in place to keep software versions up-to-date with the latest security patches (the reason the NHS was so badly affected by WannaCry ransomware in 2017 was because they had not patched their Windows systems to the latest security updates which would have protected them from WannaCry).
- Back up your critical data – Ensure that your organisation makes regular backups of critical data so it can be restored without having to pay a ransom if a ransomware attacker manages to encrypt your data or network.
- Staff awareness – Educate your staff to prevent infection in the first place (people are the weakest link in the cyber security chain and it is estimated that around 90% of cyber-attacks start with an employee clicking on a link/attachment they shouldn’t).
Dealing with double extortion threats
When it comes to double extortion, prevention is critical, because this approach effectively removes the option for victims to restore their data and systems from backups without paying a ransom. Organisations can deal with the vast majority of potential attacks by ensuring they have a cyber-aware workforce who can identify and report suspicious phishing emails, alongside enforcing two-factor authentication on all online accounts.
The big question: Should I pay?
The official advice remains for victims not to pay. Not only does it feed the proven business model and reward criminals, but there is no guarantee the criminals will restore access to your data or delete any stolen data they may have. However, there is reporting that some victims are choosing to pay ransoms as it can actually be cheaper (and much quicker) to pay to restore access rather than stand firm and try to restore systems using Incident Response teams and purchasing and configuring new IT equipment, etc.
Another key factor in this decision is whether the company actually has a cyber insurance policy that covers ransomware attacks. We do not recommend any particular product or policy to clients, but we advise that organisations carefully consider cyber insurance, as there are many ongoing cases where victims have tried to claim ransom payments on their policies and the insurance firms are refusing to pay for contested reasons. One noteworthy case is Zurich Insurance, who are refusing to pay out a $100 million insurance claim to the US food conglomerate Mondelez because the NotPetya attacks that adversely affected the company have been deemed an act of war. Insurance can provide a degree of reassurance against ransomware attacks, but policies should be chosen carefully according to the available budget and specific organisational requirements.
For more information on current ransomware trends and the best practices to mitigate risk, download the latest Ransomware Report below.