2021 is shaping up to be a year of data breaches caused by ransomware, and not just the ones making headlines like Ireland's NHE and the US Colonial Pipeline.
Ransomware variants called DoppelPaymer, Sodinokibi, Hades, Ryuk, and Conti are the top five ransomware variants witnessed in the first quarter of 2021, according to the Ransomware response and recovery report from Accenture.
These ransomware variants are causing significant business impacts such as business disruption, data loss, reputational damage, remediation costs, and legal costs.
Former Director of the US Cybersecurity and Infrastructure Security Agency, Christopher Krebs, says, “You've got to start with what really matters the most and then you work out from there. So, from that perspective, ransomware is the biggest threat.
Make no mistake, ransomware is not going away. According to the report, there are three major challenges in dealing with ransomware.
Challenge #1: Ransomware operators are ramping up attacks
Ransomware creators and operators are trying everything to increase their profits from existing and new opportunities.
Because the barriers to entry are low and ransomware tools are readily available, criminals are drawn to ransomware's low-risk, high-reward appeal, the report notes.
According to Accenture's Cyber Investigations - Forensic Response (CIFR) team, there was a 160% year-on-year increase in ransomware events last year.
Organisations should focus on understanding business and operational risks, followed by planning and defence efforts.
Challenge #2: Ransomware operators are honing their disruption skills
It's a simple premise: The more disruption they cause, the larger ransom they will ask for.
"Operators keep innovating, first using ransomware in a targeted way, against key assets, then combining that with data leak extortion. Now, there are indications that certain operators are increasing their ability to interfere with operational technology (OT) processes and refining other means to pressure payment, including layering distributed denial-of-service attacks with encryption and data leakage," the report notes.
In December 2020 ransomware operators stole 100GB of data belonging to one of the world's largest manufacturers, deleted up to 30TB of backups. The ransom demand? US$34 million.
Challenge #3: Businesses need to be more resilient
When ransomware strikes, it can cause a denial of access to vital, everyday resources such as internal and customer communications and platforms, as well as operational or production systems.
"Ransom demands are growing and becoming more customised—with threat actors assessing who is more likely to pay. If ransoms are paid, it can open the door to further criminality. Also, some ransomware operators have been sanctioned, potentially placing a ransom-paying victim in further legal jeopardy," the report notes.
So what can businesses do to protect themselves from ransomware?
The first step is to assume that every organisation has already been breached. The next step is to focus on resilience across every link in the value chain.
The report goes into more depth about how to go about improving resilience, but here are the basics: Maintain security hygiene. Implement a holistic backup and recovery strategy. Understand the threat landscape. Put a crisis management and incident response plan in place. Train employees. Collaborate.
What to do in the case of a ransomware attack
1. Trace the attack: Use incident response, forensic analysis and threat intelligence to identify how the attack occurred and its impact.
2. Collaborate and report: Work with legal counsel to ensure incident reports are filed to authorities. Work with others to build greater threat awareness
3. Learn: Identify the financial and reputational impacts. Talk to the C-suite so leaders can prioritise cyber resilience.
4. Update risk mitigation plans: Evaluate current risk measurements and apply a mitigation strategy that includes controls deployment or security transfer mechanisms.
Are you ready for a ransomware attack?
Read Accenture's Ransomware response and recovery report here.