Over the past 6 months I have been researching ransomware, and not even from the technical angle (which would very tempting and no doubt, enlightening in it’s own right), but from a strategic perspective.

This approach resonated with many, and I was invited to after speak with the International Conference on Emerging Trends in Information Technology (ICETIT-24) on October 7th in Vancouver. My full research paper will be published shortly, and in the meantime, given all that has happened this past year with ransomware incidents likely breaking records with respect to number of incidents and costs, I thought it was time to share some of the findings.

You see, the fact is that ransomware incidents and breaches eventually impact everyone in some way. Whether it’s your personal data that has been leaked, or supply chain impact to a store you shop at, it’s effects are everywhere. I felt this first hand while in the middle of my research.

One day in July I received this email from Ticketmaster, indicating my PII, and encrypted credit card number complete with plain text expiry date were compromised.

The first question a lot of people had was “Why are they even allowed to store that?” This is a great question, as according to PCI DSS standards they shouldn’t even be keeping that information…unless… there is a legitimate business need to. The legitimate business need is likely for the processing of refunds, however the convenience of that task does not seem to warrant the risk in this case. I would not be surprised if there were a class action lawsuit in the future.

Another example was right in front of me the same month. Co-op (where many of us in Western Canada shop for Gas and Groceries) was hit with an attack that resulted in stores being closed and cardlock (fuel pumps) being offline for days.

Even after their payment systems were restored, supply chain issues persisted for a month. This is what I saw first hand:

Seeing this impact really highlighted, to me, that something needed to change with respect to how we have bee dealing with ransomware for years…

A Fork in The Road

Companies have essentially had two possible choices to make when dealing with a ransomware incident. Either pay in hopes of receiving the key from the attackers to unlock precious encrypted data, or restore services from a backup.

Taking either one of these approaches requires a careful consideration of downtime, legal ramifications and long term impacts to the business.

Some companies may even find themselves in a position where a hybrid approach is possible where they pay for some assurance, while otherwise restoring systems.

This is because attackers, in addition to encrypting data locally, may also exfiltrate data and threaten to release it later. In these cases, paying the ransom is done in agreement with the attackers that the data will be deleted and not released. This comes down to trusting a screen shot intended as “proof” that the data was actually removed and no longer “breached”.

If plain text data is also accessed, as in the case of PII or PHI, the sensitive nature of that data can be used to launch further attack campaigns. These additional approaches are commonly referred to as “double” and “triple” extortion, and they carry all kinds of long term ramifications.

Findings

Once I started doing some basic statistical analysis on the incidents, a distinct trend began to emerge. Companies that paid the ransom were back in business more than twice as fast, as those who did not.

With an average downtime of 5.6 days, for companies that paid the ransom, versus 11.9 days for companies that refused and restored operations on their own, paying the ransom appears to have a large benefit for businesses.

This is where things get really concerning…

Ramifications of Making Payments

One strategy that some businesses have taken is to pay the ransom demand, and then try and recoup their losses (including the ransom payment) by filing an insurance claim through their Cyber Insurance Policy.

However, this type of risk transference has it’s own set of pitfalls:

• Many policies exclude coverage for cyberattacks deemed to be acts of war or terrorism. If an attack is attributed to a nation-state or terrorist group, the claim may be denied.
• Fines imposed by regulatory bodies (e.g., GDPR penalties) are often not covered, though legal defence costs might be.
• If the ransomware attack occurred because of known vulnerabilities that were not addressed (e.g., unpatched software), the insurer may deny the claim based on negligence.
• If it’s determined that an insider intentionally caused the attack, or if employee negligence (such as ignoring company security policies) led to the ransomware incident, the claim might be denied.

Beyond that, if claims are paid out they essentially create an economy where ransomware attacks are profitable. This is such a concern that it is becoming a top priority for governments.

Disaster Recovery

When businesses take the approach of restoring operations on their own, the findings clearly show that an average downtime of nearly two weeks is going to be very hard to swallow for many. During my research I heard from several business owners and managers that the main reason disaster recovery is either not implemented or tested, is due to time and cost.

However, it will be the only choice for businesses going forward if legislative actions is taken to make ransomware payouts illegal. It’s time to get comfortable with restoring form backups and fail over between sites, but beyond that, it’s really time to start looking into immutable systems, ephemeral use cases and ultimately, the scope of data collection to begin with.

Conclusions

The Rate of Ransomware Incidents will Continue to Accelerate

Zero Trust Models tell us that we should assume breaches. Meaning, “Assume attackers are already in your network, working to establish persistency, and that a breach WILL happen, it is only a matter of time…”

This certainly holds true for some of the incidents I’ve analyzed. In some cases, businesses did not know for a full year or more, that attackers were in their networks and actively exfiltrating data. In other cases, the full scope of a breach is not known for several months and after a lengthy investigation.

Still, only about 44% of small and medium businesses say they are making security a priority, and many cite reliance on legacy systems as the reason for not upgrading and patching, leaving themselves vulnerable. We’ll likely see the trend of ransomware attacks targeting SMBs continue in the future due to this.

Shifting to The Cloud

Many businesses will shift to the cloud, where availability and resiliency can be leveraged to deal with incidents, and immutable infrastructure can become the backbone of the business.

The shared responsibility model is also very appealing here, and can greatly reduce risks to a business.

That being said, there are always going to be vulnerabilities, and shifting to the cloud needs to also mean shifting left from a security perspective. Securing the cloud will be the number one operational security challenge for businesses over the next 5 years.

*** This is a Security Bloggers Network syndicated blog from Berry Networks authored by David Michael Berry. Read the original post at: https://berry-networks.com/2024/10/20/ransomware-rising-understanding-preventing-and-surviving-cyber-extortion/