What does a ransomware attack mean for your organisation?
A successful ransomware attack can have significant consequences for an organisation's financial bottom line and brand reputation. The top three ways a ransomware attack can impact an organisation are described below:
- Huge Ransom Payouts: In several instances, companies that have fallen victim to ransomware have paid hundreds of thousands, if not millions, of US dollars to cyber-criminals. In many of these cases the organisations have simply lost the money: the criminals have taken it and not returned access to the data or systems. Some known payouts include:
- Significant Operational Impact: Importantly, ransomware attacks can have severe operational impact on a business, including but not limited to interrupting operations in hospitals and bringing oil transport to a complete halt.
  - Colonial Pipeline Ransomware: Colonial Pipeline, an American oil pipeline system that originates in Houston, Texas, and carries gasoline and jet fuel to the Southeastern United States, suffered a ransomware attack. The cyber-attack impacted the IT systems supporting the pipeline's operational technology (OT). Consequently, the company stopped all pipeline operations. It is alleged that Colonial Pipeline paid about US$4.4 million to the cyber criminals.
  - Travelex: Travelex was the world's largest foreign exchange bureau until it was hit by a cyber-attack on 31st December 2019. Within a short span of 4 months, this mammoth of a business went up for sale, with its parent company, Finablr, preparing for potential bankruptcy. The deadly concoction of a ransomware payout of $2.3 million and COVID-19 jeopardised a 40-year-old business.
- Brand Reputation Damage: The list of companies that make the headlines could fill hundreds of pages. Here are just a few:
  - Maersk: Although not a ransomware attack as such, Maersk was at the receiving end of one of the most advanced cyber-attacks. The malware spread and very rapidly caused physical outages globally.
  - Colonial Pipeline Ransomware: Colonial Pipeline, operator of the largest fuel pipeline system in the U.S., had to take its systems offline as it suffered a massive ransomware attack. The intention of the hackers was simply to make money, but the damage to Colonial Pipeline was far greater than just financial.
How can a ransomware attack destroy your organisation's brand reputation?
Most ransomware attacks have the following key impacts on a business:
- Service/Data Unavailability: Put simply, your organisation is NOT going to be able to conduct its business if it's hit by a ransomware attack. You may be wondering why. The ransomware will encrypt your data with a special key and hence deny legitimate access to the data. It's like someone changing the locks on all the doors and windows of your home and then asking you for money if you want the keys! Imagine the damage to your brand and reputation when your customers discover they are unable to place an order with you because you are being held to ransom.
- Complete Digital Lockout: Similar to the above, in this case, the majority of all your digital services and devices are held to ransom. This can be especially painful if you are a digital-only business or heavily rely on computers for turning a profit. A complete lockdown could be likened to your house not only having its locks changed but with the additional twist of heavily armed guards denying any access without prior payment.
In summary, a ransomware attack often affects the whole digital estate and can leave businesses with no digital collateral to service their clients. This type of catastrophic and total outage is bound to cause long-lasting and severe reputational damage to the business.
Wait! Don't spend any money on ransomware protection until you read this
As part of our vCISO service and Trusted Advisory our clients often say things like "Just tell me which technology I need to buy to protect against ransomware" and "How much for ransomware protection?". The fact is no amount of technology can offer 100% protection against ransomware attacks or, for that matter, any cyber-attack.
Cyber Criminals Fear these Technologies when it comes to Ransomware Attacks
One key point to remember: in most instances, cyber criminals need credentials (username and password) to 'enter' an organisation, and after that they need the special key to actually cause the damage. Another way to explain this: imagine you have two keys. One gives you access to your house and the other, the Privileged Key (we can also call it the master key), gives you access to the safe where the valuables are stored. To that extent, consider the below:
- Insist on Two-Factor Authentication (2FA): All IT staff and other key business users must use 2FA when logging into critical systems. 2FA is when, in addition to your password, you have to enter randomly generated digits after your password.
- Manage all Privileged Users: Don't allow IT users to log in to do their daily chores with their privileged credentials. Put another way, you don't want to be walking around with the keys to your safe on display when you are out and about. In addition, consider using a PAM (Privileged Access Management) solution to manage the privileged users.
Responding to Ransomware Attacks: Practical tips on how to respond to ransomware attacks
Considering the frequency of ransomware attacks today, chances are extremely high that your business could become a target of one. It is essential to take cognizance of this reality and be prepared to respond to the attack.
At Cyber Management Alliance, we firmly believe that Preparation is one of the best forms of Prevention and Protection against cyber crime. It is imperative to train your staff in Incident Response so that they're capable of thinking straight and making sound decisions when a ransomware crisis hits. You should also create a solid Ransomware Response Plan based on our Ransomware Response Checklist.
In addition, there are a few things you can do to mitigate damage in the aftermath of the attack:
- Don’t panic
- Seek the facts
- Avoid negotiating with the criminals
- Stick to your pre-decided strategy of how to communicate about the attack
- Download our Ransomware Response Workflow for an easy-to-follow, visual guide on how to respond effectively and contain the damage
Can a vCISO cybersecurity service help your organisation against ransomware attacks?
The simple answer is yes. Cyber Management Alliance’s vCISOs offer hands-on and full cybersecurity support to your business. This means that at no point will you be left grappling with the challenge of securing your business against ransomware attacks by yourself.
The vCISO will ensure that:
- You have all necessary cybersecurity policies and procedures in place and are fully ready to respond to a ransomware attack if/when the need arises.
- Any loopholes in your cybersecurity infrastructure that could be exploited by criminals are plugged quickly and effectively.
- Your backups are in place and the time to recover data from backups is minimal.
- You receive absolutely neutral advice on technology investments you need to make to prevent and protect your business from ransomware attacks.
Check out our vCISO resource page for the complete lowdown on what this ‘Security As a Service’ offering can do for you.
How to Prevent a Ransomware Attack?
There are several things an organisation can do to prevent ransomware from impacting its business continuity, including implementing technological and process controls. The human element, your staff, plays an important role in the prevention of ransomware attacks.
Here are some things you should consider (warning: please don't purchase any of these solutions without reading the rest of the information):
- EDR or Endpoint Detection & Response: Consider implementing an EDR solution for your endpoint computing devices (laptops and desktops).
- High quality Threat Intelligence: Imagine being warned about a deadly ransomware spreading in companies in your vertical. That type of intelligence is priceless. Caution, do your research before you pay for threat intelligence. There are several snake oil peddlers out there. We cover this topic in our UK Government, NCSC-Certified Cyber Incident Planning & Response (CIPR) training.
- Privileged Credentials: One of the most successful cyber-attacks was so impactful because the attacker got hold of the special credentials. (Our short blog details this.) Up to 85% or more of all attacks could be slowed, if not stopped, if privileged credentials were managed properly. Privileged credentials are like master keys: anyone who has them can shut down all your IT systems, delete all your backups and lock all your critical data. Basically, the holder of the master key, the privileged user, can virtually destroy an organisation's systems, in many cases beyond recovery. The NCSC-Certified training goes deeper into how privileged users are leveraged.
- Multifactor Authentication: Following very closely from the above, ensure you have multi-factor authentication for all your staff. Yes, all staff members should not only have a password but must be challenged to enter at least one more uniquely generated code (this is often called 2FA or two-factor authentication). If you cannot get all staff to adopt 2FA, then you must enable it for all privileged users. You should do this now for your personal email and social media accounts also. One more thing! Do not use SMS as the second factor for your authentication. Use Google's or Microsoft's authenticator apps.
- Backups, done properly: Backup and recovery technologies have seen considerable innovation recently and must be a key component of your ransomware protection strategy. However, a word of warning: simply having backup tech and backup processes can lead to a false sense of security. More on this in the backups section further down.
What is the best anti-ransomware software solution?
Following on from the technological controls, the specific anti-ransomware software solutions you should consider are listed below (warning: please don't purchase any of these without reading the rest of the information, and please consult your vCISO for further guidance).
- Content Disarm & Reconstruction (CDR): A technology that literally deconstructs every file that enters your digital systems (especially via email), scans it for malware and ransomware, removes the bad stuff and then reconstructs the file before allowing it through to the staff member. CDR technology is fairly new and promises to be another effective tool in an overall anti-ransomware software chest.
- EDR or Endpoint Detection & Response: Much more powerful than your regular anti-virus products, a good EDR system can detect and interrupt malicious actions by ransomware, all in near real time. It's important to point out that not all EDRs are the same, so before purchasing one for your organisation, ensure you define your requirements clearly.
Do Backups Protect Against Ransomware Attacks?
Short answer, yes. However, it's a bit more complicated than that. Please do not put absolute blind faith in backups as they, like any technology, can fail. Furthermore, human error, such as misconfiguring a backup tool or insufficient and irregular testing of the recovery process, is often a contributor to backup failures. Make sure you know how long it will take to recover from your backups.
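The two failure modes named above, an untested recovery process and not knowing how long recovery takes, are exactly what a scheduled restore drill catches. The script below is an added example, not Cyber Management Alliance's own tooling; it assumes a backup directory that carries a manifest of SHA-256 hashes written at backup time, restores it to a scratch location, verifies every file against the manifest and measures the restore against a recovery time objective (RTO). The sample backup is constructed in a temporary directory so it runs offline.

```python
"""Backup restore drill: prove a backup set restores intact and inside the RTO."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # assumed name of the hash manifest in each backup set


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path) -> dict:
    """Record the hash of every file in the backup set (run at backup time)."""
    manifest = {
        str(p.relative_to(backup_dir)): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }
    (backup_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_drill(backup_dir: Path, restore_dir: Path, rto_seconds: float) -> dict:
    """Restore the backup, verify it against the manifest and time the restore.

    Returns a report listing files that are missing or whose content no longer
    matches the manifest, plus whether the restore finished inside the RTO.
    """
    manifest = json.loads((backup_dir / MANIFEST_NAME).read_text())
    start = time.monotonic()
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    elapsed = time.monotonic() - start

    missing, corrupted = [], []
    for rel, expected in manifest.items():
        target = restore_dir / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_of(target) != expected:
            corrupted.append(rel)

    return {
        "files_checked": len(manifest),
        "missing": missing,
        "corrupted": corrupted,
        "restore_seconds": round(elapsed, 3),
        "within_rto": elapsed <= rto_seconds,
        "recoverable": not missing and not corrupted,
    }


def run_sample_drill(tamper: bool = True) -> dict:
    """Build a constructed two-file backup, optionally corrupt one file, run the drill."""
    root = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    backup, restore = root / "backup", root / "restore"
    (backup / "db").mkdir(parents=True)
    (backup / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1);\n" * 100)
    (backup / "config.yaml").write_text("mfa: required\n")
    write_manifest(backup)

    if tamper:
        # Simulate silent corruption of one file after the manifest was written
        # (bit rot, a failed copy, or an attacker altering backups): the drill must catch it.
        (backup / "config.yaml").write_text("mfa: disabled\n")

    try:
        return restore_drill(backup, restore, rto_seconds=60)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_sample_drill(), indent=2))
```

Run it against a real backup set on a schedule and treat a non-empty `missing` or `corrupted` list, or `within_rto` being false, as an incident to fix before the ransomware arrives.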
Why ransomware tabletop exercises can help in improving an organisation's ransomware response
Regular testing keeps the threat top of mind, but more importantly, repetitive practice of plans, processes and procedures helps build subconscious muscle memory. Put simply, most car drivers are actually driving safely as a result of their muscle memory or subconscious taking over. There is a reason why new drivers are not allowed to drive alone as soon as they pass.
Conducting practice ransomware tabletop exercises (RTEs) is highly effective in building muscle memory amongst participants. More importantly, regular planning and testing can expose weaknesses before they become a serious risk. You can read more on the importance of Ransomware Tabletop Exercises in our blogs.
5 Important Considerations before Conducting Ransomware Tabletop Exercises
A ransomware tabletop exercise (or RTE, as we like to call them) is a highly effective method of practising your responses to a ransomware attack. A ransomware tabletop exercise is best conducted by a professional and experienced facilitator who has both experience of the technological aspects and the skills to engage a varied audience with management and technical orientations.
Here are some important considerations for planning an effective ransomware tabletop exercise:
- What are the objectives? Simple question, but spend some time thinking about the answers to it. Consider the following:
  - Do you want to know if your technology is capable of detecting ransomware?
  - Do you want to know if your staff are able to rapidly respond to ransomware attacks?
  - Do you only want to raise awareness of the business impact of ransomware?
  - Do you want to evaluate your technical team's ability to detect and respond to ransomware attacks?
  - Do you want to evaluate each member's capability to respond to and manage the attack?
  - Do you want to specifically test your audience's ability to recall processes and procedures?
- Who is the target audience for the Ransomware Tabletop Exercise (RTE)?
  - If it's technical, then make sure you introduce more technical context to the exercise.
  - If it's management, then focus on the processes and communications.
- Do you want your audience to remember key response actions?
  - Do you want everyone to remember a specific number of key steps?
  - Do you want them to remember a phone number/email after the session?
  - Do you want them to review and read certain documents?
- What are the takeaways from the tabletop session?
- Do you want the participants to take the ransomware response exercise seriously?
- Consider appointing an external and professional facilitator who can engage with both technical and management staff.
- Ensure a good amount of time is spent in planning the session.
- Validate the scenario to ensure that no one can challenge you on the day of the exercise.
Should you Pay the Ransom?
The FBI's advice is 'Do not pay'. This is based on the common-sense and evidential premise that you may never get your data back, as in the criminal may run away with the money. Although there is an unsubstantiated adage that's been floating around forever that there is a code of honour or etiquette amongst thieves, there is far more substantial statistical evidence that more than 80% of victims who pay never see their data.
So, do you pay or not? In Kaspersky's recent global study of 15,000 consumers, 56% had paid the ransom to get access to their locked data. Forbes' research shows that over 90% of victims did not receive their data back.
Don't get on the 'Suckers List': if you do pay, the receiving criminal may put your organisation's name on what we call the 'Suckers List'. In reality, they will spread the word that you have paid, thus putting a target on your back and encouraging other criminals to target you.
The UK's National Cyber Security Centre (NCSC) clearly lays out the points and makes the following recommendations:
- Law enforcement does not encourage, endorse, nor condone the payment of ransom demands. If you do pay the ransom:
  - There is no guarantee that you will get access to your data or computer.
  - Your computer will still be infected.
  - You will be paying criminal groups.
  - You're more likely to be targeted in the future.
- Attackers will also threaten to publish data if payment is not made. To counter this, organisations should take measures to minimise the impact of data exfiltration. The NCSC's guidance on Protecting bulk personal data and the Logging and Protective Monitoring guidance can help with this (Original NCSC advice).
In summary, don't pay the ransom. If you are deciding to pay, be prepared to be deceived and be prepared for a higher chance of additional attacks.
5 Things that will Increase Your Protection against Ransomware
If you only had 5 things to do to protect your organisation against ransomware what would they be? In no particular order, here are our top 5 recommendations:
- Protect the Endpoints: The laptop and other endpoints are the most exposed and at-risk computing devices today. This is more true than ever before as the working habits of staff change forever. The fact is that the majority of all cyber-attacks, including ransomware, begin at the endpoint.
- Two Factor Authentication (aka 2FA): We cover this here also. Put simply, cyber criminals, of all sophistication, despise 2FA as it severely lowers their chances of success.
- Manage the Privileged Users: Remember, most attackers, even nation-state threat actors, require access to privileged credentials to succeed. Consequently, you must manage Privileged Users, including but not limited to centrally securing and managing their credentials, ensuring one individual does not have too much 'power', and monitoring the activity of these power users.
- Backup the Backups: Ensure you have robust backup technologies that cover the cloud and your traditional storage devices. In addition, ensure you have either immutable storage and/or offline backups. Offline means NOT permanently connected to the network or the Internet. It could be as straightforward as an external hardware-encrypted USB hard disk or flash drive.
- Secure Configuration: Sounds dreadfully technical, but it isn't. Put simply, ensure all your IT systems are configured securely from day one. Put another way, would you give access to your satellite, cable or Netflix to an eight-year-old without enabling parental controls?
Wait! There are several more things you can do, but remember: no technology, no control will ever afford you 100% protection against ransomware attacks. 100% security, 100% protection is a fallacy. However, focus on your foundational controls and, in addition to the above, ensure you update your software regularly.
Why Do Criminals Prefer Ransomware to Other Criminal Activities?
Unless the cyber-attacker is a nation-state, where money is often not the motivator, most individuals and criminal gangs are absolutely in it for the money. There is a lot, and we mean a lot, of money in ransomware. Furthermore, the continuing meteoric rise of digital currencies that offer near-complete anonymity will continue to fuel the scourge of ransomware attacks.
It's an important concept to understand and acknowledge.
- Globally, almost anyone can afford a decent laptop and 5G connectivity.
- Globally, anyone can accept digital currency.
- Consequently, anyone from anywhere can launch ransomware against anyone.
For most, it's a numbers game. Launch a million or two million ransomware attempts. All that is required is one victim who pays 10 or 20 Bitcoins.
Why Hire an External Facilitator to Conduct Ransomware Tabletop Exercises?
One thing we have repeatedly observed in our experience of planning and conducting several Cyber Crisis Tabletop Exercises for ransomware and other threats is this: most of our clients had conducted at least one of their own internal tabletop exercises before they engaged us. A majority of our clients felt that the internally hosted sessions had several issues, such as the following:
- Internal politics and people dynamics meant that the actual tabletop session was not taken seriously. The age-old bug of familiarity with the facilitator meant the audience could not see past their current contexts and relationships.
- Insufficient planning on internal exercises was another reason that clients opted for Cyber Management Alliance Ltd to conduct their ransomware tabletop exercises. We take a structured, formal approach to all our ransomware tabletop sessions. Our case study with Waverton Investment Management and Brentwood Council describes why clients choose to work with us.
- Highly engaging and interactive: Many clients have indicated the lack of interactivity in their internal tabletop exercises. Our facilitators are highly skilled in the art of engaging with a wide range of audiences including CEOs, CFOs, Board members and deeply technical staff. We achieve this both in face-to-face and remote virtual sessions.
How a Ransomware Attack Destroys Your Brand & Reputation
The reader may be wondering how paying a ransom, with a digital currency like Bitcoin, can impact the organisation's brand and/or market reputation. This belief is further compounded by the fact that the digital payment is near-anonymous and not many, if anyone at all, will know that the payment was made. Remember, there is no deficit of creative accounting skills in organisations.
There is a certain and sensible logic to the thought process. Pay the ransom quietly, recover the data and pretend nothing happened. However, there are a few challenges that come with ransomware attacks.
- Most ransomware attacks (not all) are indiscriminate and the attacker is often an opportunist with little patience.
- The indiscriminate approach means that often ransomware attacks can cause significant chaos that is impossible to hide from the clients, shareholders and the public.
- The resulting impact (of not being able to produce a product or service or operate your machinery) can have significant and damaging impact to your brand and reputation.
Note: You may get away with it in the case of advanced ransomware attacks, officially called Human-Operated Ransomware. Basically, these are carefully planned attacks by patient and advanced criminals who will take months to meticulously plan their attack. They will first establish persistence and then detonate the ransomware package. We are not endorsing that you pay the ransom or stay quiet. GDPR and other regulations mean you must disclose the ransomware attack, even if you have your data back.
We show you how to ensure you can detect and deny persistence to advanced cyber criminals in our UK Government, NCSC-Certified Cyber Incident Planning & Response (CIPR) training.
The Different Types of Ransomware that can Cripple your Organisation
The reader may assume that ransomware criminals will only lock access to the organisation's data (referred to as 'encrypting the data') with their special key and then demand ransom to release the unlock key (or the decryption key). That is true in many instances. However, there are other, some would say, more clever ways to make the money and all of them still involve a ransom.
- Option 1: Encrypt the data and then ask for a ransom before (if you are lucky) the criminal releases the decryption key.
- Option 2: Steal the data before encrypting it and then ask for a ransom before (if you are lucky) the criminal releases the decryption key. If you don't pay or even if you pay, the criminal comes back for more money threatening to release the data. A double whammy. More painful than having unreadable data in this instance as your data could be shared with the whole world.
- Option 3: Steal the data and demand a ransom for not disclosing the data.
Do you Negotiate with the Ransomware Criminal?
Our clients often ask us if they should try negotiating with the cyber criminal who has launched a ransomware attack. Our simple advice - NO. Read the more detailed section on this. There are, however, instances where negotiation has succeeded.
Help! I have been Hit by a Ransomware Attack!
- Don't panic: Really. Panic causes reckless actions.
- Don't pay: That’s the first thing you may want to do. Don't pay.
- Don't Negotiate: Negotiating will let the criminal know you are going to pay!
- Don't use Email or Corporate Chat apps: In most situations these may not be available. Regardless, do not use corporate channels.
- Visit the No More Ransom site (or ask a techie to do it) to help you decrypt your locked data.
- Invoke the IR Plan: Review your Incident Response plan to check you are taking the right actions.
- Use the Crisis Communication App: Use the crisis comms app and call all the key stakeholders.
- Contact the Authorities: In the UK, get Action Fraud UK involved.
- Think Privacy, Think GDPR: Depending on the data and other facts, you may have to involve the ICO (in the UK).
- Talk to IT: Get the facts. How long will it take to recover?
- Gather the Facts: Ensure you know everything. How long. How bad. etc.
- Is it really? Where the criminal is threatening to expose confidential data, ensure that the data is yours and that it was stolen from you.
- Contact Clients: Start messaging clients to let them know of the situation. Be as transparent as you can. Don't try to spin it.
- Evidence: Remind everyone NOT to delete any evidence. Ask them to store all evidence. Create timelines.
Download our Ransomware Response Checklist.
How Do you Remove Ransomware from your PC or Mac?
The answer is not as straightforward in this case. Some ransomware can be removed, but other types of ransomware attack are different (see the section on the different types of ransomware above).
- My data is encrypted by ransomware: In this case, the first thing you should do is visit the 'No More Ransom' site.
- Someone is threatening to expose my confidential data: In this type of ransomware attack, there is no way to remove the ransomware. Your first aim must be to determine or validate if the criminal does in fact have your data. Why? The criminal may use publicly available information to threaten you, hoping you pay the ransom when in fact they may not have your particular set of data.
Are you Prepared to Deal with a Ransomware Attack?
Most organisations have no idea about their ransomware readiness. What does this mean? Put another way, do you know how ready your organisation is when it comes to protecting against, detecting, responding to and recovering from a ransomware attack? Cyber Management Alliance Ltd offers its existing and new clients a ransomware readiness assessment to help them gauge their preparedness to deal with a ransomware attack.
How do we conduct a Ransomware Readiness Assessment?
At Cyber Management Alliance, we conduct a high-level Ransomware Readiness Assessment by evaluating your security investments, trying to gauge the gaps in your technology & understanding specific processes and procedures.
The objective of this assessment is to help you understand if your ransomware readiness policies, procedures & technology investments are adequate and if they align well with your specific threats and threat actors.
At the end of the assessment, you will receive an executive summary report which will detail specific recommendations on technical aspects and processes to boost detection and response capabilities. You'll also be able to identify potential cost savings on current and future spending.
What Causes Ransomware Attacks?
Ransomware attacks can succeed for many reasons. Some of the reasons why ransomware attackers succeed include:
- Phishing emails: One or more members of staff open an email with a malicious attachment. The malicious file encrypts your data and starts spreading to infect other laptops.
- Poor or little cyber awareness: Where staff are not made aware of the dangers of cyber attackers, of phishing, of ransomware and more.
- Poor or weak foundation controls: This is also referred to as poor cyber hygiene. Weak passwords are another reason why ransomware attackers can succeed.
Can a Cybersecurity Consulting Firm Protect You from Ransomware Attacks?
The simple answer is YES. Cybersecurity consulting companies have the expertise and knowledge to ensure your organisation is protected and prepared to respond to all types of ransomware attacks. Cyber Management Alliance Ltd is one such globally-acknowledged cybersecurity consultancy and it offers its clients ransomware protection services with different options based on their maturity and budgetary requirements. You can check out our Cybersecurity Consultancy page for more information.
WARNING: Not all consultancies are created equal. Before onboarding a cybersecurity consultant or cybersecurity consultancy firm, please do review our guide on choosing the right Cybersecurity Consultancy to understand how to select the best cybersecurity consultant for your business. This cybersecurity consultancy resource page has additional guidance and tips on how to define your requirements and more.
Ultimate Resource Page on Ransomware Attacks
No amount of data and content on ransomware attacks is sufficient today. This is because ransomware is becoming more complex and widespread than ever before.