Impacts vary, but in many cases, ransomware disrupts businesses for significant periods or even forces them to suspend operations or close.

By Clive Brindley, security lead at Accenture in Africa

A growing population of highly capable cyber extortionists is developing a new means to counter defences and increase the level of disruption they can inflict constantly. Threats are widespread and extend across industry and the public/ private sector, affecting large and small businesses alike.

Threats can disrupt production, delivery, customer services, or a loss of sensitive commercial data and protected information. There can be direct costs of remediation, recovery, or potential ransom payment, as well as costs associated with litigation. Further, there is a high risk of legal and regulatory sanctions and reputational damage.

Security leaders must understand and counter new ransomware challenges, strengthen defences across people, processes, and technology and demonstrate why security is critical to the business strategy. In short, security leaders need to help their organisations gain ransomware resilience fast.

Challenge #1: Successful ransomware extortionists are ramping up attacks

Established ransomware operators are upping their game, focusing on new monetisation opportunities, and seeing no limits to potential profits. At the same time, the barrier to entry is low; ransomware tools and supporting operations are readily available through various markets and affiliate networks.

The population of extortionists is growing as new cybercriminals are drawn to the low-risk, high-reward operations. To plan for resilience, organisations should focus on the business and operational risks presented by the threat across their unique value chain and prioritise planning and defence efforts accordingly.

Challenge #2: Ransomware operators are constantly improving their ability to disrupt

The incentive for cyber extortionists is to develop ever-more disruptive ways of working. The more disruption they can inflict, the larger the ransom they can demand. Operators keep innovating by first using ransomware targeted against critical assets and then combining that with data leak extortion.

There are indications that certain operators are increasing their ability to interfere with operational technology (OT) processes and honing other means to pressure payment, including layering distributed denial-of-service attacks with encryption and data leakage.

The commodification of the skills and services required enables and rewards the development of new, more disruptive techniques. This includes initial access brokers and intrusion
specialists to ransomware-as-a-service models with partners and affiliates and specialist negotiator middle-men. In December 2020, extortionists targeted one of the world’s largest manufacturers, claimed encryption of 1 200 servers, realised the theft of 100GB of data, deleted 20TB to 30TB of backups and demanded a $34-million ransom.

Challenge #3: Business growth and service strategies lack resilience

Downtime (business standstill or minor non-availability) from ransomware is still growing. Coveware explains that firms experienced on average 23 days of downtime in the first quarter of 2021 up from 21 days in the fourth quarter of 2020.

Encryption can deny access and interrupt essential resources, including internal and customer communications and platforms and operational or production systems. Long periods of downtime can affect tens of millions of people. The theft and publication of data give attackers new extortion opportunities. Ransom demands are growing and becoming more customised – with threat actors assessing who is more likely to pay. If ransoms are paid, it can open the door to further criminality.

Additionally, some ransomware operators have been sanctioned, potentially placing a ransom-paying victim in further legal jeopardy.

Five steps you can take now

Operate under the assumption that you are already breached and focus on resilience across the end-to-end value chain.

Focus on the basics:

* Keep security hygiene up to standard; maintain controls and continue patching; ensure visibility into and protection of crown jewel data.

* Implement a holistic backup and recovery strategy with situational awareness of the current threat landscape.

* Have a crisis management and incident response plan that’s in line with the current pandemic-driven operating environment.

Prevent and protect:

* Increase confidence through continuous validation and testing of your defences.

* Train and test employees frequently.

* Ensure adequate visibility and coverage across the attack surface – use tooling, controls and telemetry to enhance your defence posture across layered prevention, detection, and agile response.

Know your operations:

* Model the threat against your operations and end-to-end value chain.

* Understand how to backup and restore critical data at speed and scale across the business.

* Be clear on policies and procedures – the response playbook is often the first thing regulators and litigants ask for after a breach.

Make it personal:

* CISOs should collaborate and prepare with Legal, Communications, senior management and external service providers, so everyone knows how to work together during an event.

* Conduct crisis management and table-top exercises to test relationships.

* Meet regularly with authorities, incident response partners and outside legal counsel to bolster support.

Prepare, prepare and prepare again:

* Threats are agile, and you should be, too.

* Use planning and validation as an opportunity to constantly measure and improve resilience or adjust your course over time.

* Pressure-test for when things go wrong.

So, you’ve been hit – what’s next?

* Trace the attack: Use incident response, forensic analysis and threat intelligence to identify how the attack occurred and build a comprehensive understanding of the intrusion and measured impact. This is critical during and after the incident to inform defence posturing, comprehensive take-back planning in a domain compromise, and safe recovery of business operations.

* Collaborate and report: Work with legal counsel to ensure statutory obligations are fulfilled by reporting an incident to the appropriate authorities. Collaborate with industry partners, consortiums and law enforcement for greater threat awareness.

* Learn from the experience: Quantify the financial and reputational impacts and identify metrics and resources to meet the C-suite’s expectations for cyber resilience going forward. Talk to the C-suite so that business leaders can prioritise and oversee the measurement of cyber resilience, secure funding for improvements and incorporate it into business resilience plans.

* Update risk mitigation plans: Evaluate current inherent and residual risk measurements and work with the business to identify any beyond acceptable levels. Apply an appropriate risk mitigation strategy that includes aspects such as controls deployment or security transfer mechanisms.

* Strengthen defence posture: remediate identified vulnerabilities, update operating systems, deploy compensating controls, refine inefficient processes, harden the environment (across network, endpoint, and identity), improve cyber hygiene, enhance the efficacy of threat detection and response operations, address weaknesses in recovery processes and drive the necessary behavioural changes required to strengthen cybersecurity defences.