Held to ransom
As hackers deploy new tactics to pressure organisations into paying ransomware demands, how should businesses protect against an attack and prepare themselves if the worst happens?
Malware that infects computer systems and locks files is on the rise. The Hiscox Cyber Readiness Report 2020 reveals that losses from ransomware attacks reached £291 million globally, with more than 6% of targets paying the ransom demands. And in 2020, Hiscox UK is seeing more ransomware attacks and payments than ever, with the number of incidents to date in 2020 already reaching the year-end figure for 2019.
The first recorded example of ransomware was in the 1980s,* utilising similar phishing techniques to those used today but finding its way onto computers through floppy disks. Hackers then began to exploit remote desktop protocols and added layers of intelligence to phishing scams, including individual profiling through social media accounts. And in 2009 bitcoin arrived, making dark web transactions even easier, with all ransom demands being made in cryptocurrencies.
Businesses are recognising the growing prevalence of ransomware and according to the Hiscox Cyber Readiness Report 2020 have increased their cyber security spend by 39% in the past year. So with businesses spending more on security, why is ransomware still effective?
For Eddie Lamb, Cyber Education and Advisory at Hiscox UK, the answer is simple: “Hackers are good at their job.” Just as we were beginning to learn how to combat the threat from ransomware, hackers responded by evolving their tactics. The start of 2020 ushered in a new type of attack that involved stealing highly sensitive data prior to triggering the ransomware. “We’re talking about low volume, high value data – basically anything the business would prefer not to be in the public domain because it would damage their reputation,” explains Eddie. “People are being pressured into paying the original ransom because there’s now two forms of leverage.”
Another tactic – one that Eddie says could explain the increase in ransom payments – is putting businesses in a vulnerable state to reduce their negotiation options. “I reviewed a case recently where the hackers had deleted all the last known back-ups prior to initiating the ransomware, so when they came to ransom the business, the business was hugely vulnerable and couldn’t recover their data – and that was exactly the leverage they were looking for to encourage the victim to pay.”
Would you pay up?
While all this might look like the makings of a bleak future, “there’s plenty that we can do” according to Eddie. Businesses can put checks in place that monitor networks in order to mitigate these types of attacks, including filtering emails and inspecting attachments. In particular, they can detect any encrypted content (information that’s been converted into an unreadable code, which can only be deciphered by authorised parties) that has found its way onto the network. Hackers routinely use encryption for their attacks, making them harder to spot, so if a business can’t see inside the encryption, they can’t see what the hackers are doing.
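One way to implement the attachment inspection described above, as an added example that is not part of the original article and not Hiscox's own tooling: it parses an e-mail, flags password-protected ZIP attachments via the ZIP encryption flag, and flags attachments whose byte entropy is so high that nothing inside them can be inspected. The 7.5 bits/byte threshold and the sample message are assumptions constructed for the demonstration.

```python
import email, io, math, zipfile
from collections import Counter
from email import policy
from email.message import EmailMessage

def shannon_entropy(data):
    # Near 8.0 the bytes look uniformly random: encrypted, packed or compressed content
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def inspect_attachment(name, payload):
    findings = []
    if payload[:4] == b"PK\x03\x04":  # ZIP local file header signature
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                # general-purpose flag bit 0 marks a password-protected entry
                locked = [zi.filename for zi in zf.infolist() if zi.flag_bits & 0x1]
            if locked:
                findings.append(f"{name}: password-protected ZIP entries {locked}")
        except zipfile.BadZipFile:
            findings.append(f"{name}: malformed ZIP container")
    ent = shannon_entropy(payload)
    if ent > 7.5:  # bits/byte; assumed cut-off, tune against your own mail flow
        findings.append(f"{name}: high entropy {ent:.2f} bits/byte, content cannot be inspected")
    return findings

def scan_message(raw):
    # Parse a raw RFC 5322 message and inspect every attachment part
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        findings += inspect_attachment(part.get_filename() or "<unnamed>", part.get_payload(decode=True))
    return findings

def make_locked_zip():
    # Constructed fixture: an ordinary ZIP whose central-directory entry is flagged encrypted
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("invoice.exe", b"placeholder bytes, not a real program")
    data = bytearray(buf.getvalue())
    i = data.find(b"PK\x01\x02")  # central directory header; flag field at offset 8
    data[i + 8:i + 10] = b"\x01\x00"  # little-endian 0x0001: bit 0 = encrypted
    return bytes(data)

def build_sample_message():
    # Constructed e-mail: a locked ZIP, an opaque blob (entropy exactly 8.0) and plain notes
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "Invoice", "a@example.com", "b@example.com"
    msg.add_attachment(make_locked_zip(), maintype="application", subtype="zip", filename="invoice.zip")
    msg.add_attachment(bytes(range(256)) * 16, maintype="application", subtype="octet-stream", filename="payload.bin")
    msg.add_attachment("Agenda: budget review\n" * 20, filename="notes.txt")
    return msg.as_bytes()
```

Calling `scan_message(build_sample_message())` returns one finding for the locked ZIP and one for the opaque blob, and nothing for the plain-text notes.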
As important as mitigating an attack is, being prepared in the event that one breaches your defences is crucial. “So many boards I talk to today haven’t had that conversation, the philosophical question: would you pay the ransom?” says Eddie. “Generally, you’d require board consensus to make a £2 million ransom payment, and if that conversation hasn’t been had in advance, you’re already on the back foot. Hackers are going to be time-pressuring you, with threats of increased data loss or the ransom going up over time.”
Eddie suggests that board members ask themselves one question: in what circumstances would they consider paying a ransom? “That gives you the threshold; if it’s under a certain amount but we can’t get our data back, or it’s under a certain amount but they have some embarrassing photos. On what grounds would you consider paying, and on what grounds would you categorically not? That’s your bargaining position. That’s knowing your hand.”
While Eddie says that awareness of cyber security is higher than it’s ever been during his 21 years in the industry, he is keen to point out that no business is immune, regardless of size or sector. You’re a target if a hacker or syndicate decides you’re a target, which is where insurance comes in, offering expertise, instant access to forensic services and covering the financial losses during the period of an attack. “Who’s going to work out what happened and rectify the problem? Who’s going to get you back on your feet? The insurer,” says Eddie.
*https://digitalguardian.com/blog/history-ransomware-attacks-biggest-and-worst-ransomware-attacks-all-time#:~:text=hurt%20the%20user.-,The%20First%20Ransomware%20Attack,and%20targeted%20the%20healthcare%20industry. (external link)