Is negotiating with cybercriminals our new normal?

By Kevin Reed, CISO, Acronis

Demands from ransomware attackers are at an all-time high, reaching astronomical sums. In 2021, Accenture faced a US$ 50 million ransom demand and Campari a US$ 15 million ransom demand. While many people are well aware of the threat of being locked out of their own data, ransomware attackers also threaten to release information. For companies with valuable user data, intellectual property and critical infrastructure information, the release of data can be even more damaging than its loss.

Companies are responding in different ways to ransomware attacks, and governments worldwide are seeking ways to apprehend these criminals. Unfortunately, despite protections and prosecutions, many companies end up facing the question of what to do when they are attacked. Is it sensible to hire a ransomware negotiator, report to the authorities, or give in to the attackers’ demands?

Ransomware targets everyone, everywhere

Any organization can be susceptible to ransomware attacks. Just as businesses come in many sizes, there are many sizes of hacking groups looking for different types of targets. In the United States alone, seven ransomware attacks take place each hour, a total of 65,000 annually. Attacks have been on the rise since 2018, according to Statistica, with a 68 per cent increase in 2021.

Moreover, given the availability of toolkits that can be acquired on the dark web — including tools to look for weak links, outdated software and terminals that aren’t using appropriate third-party security and backup software — it’s never been easier for cybercriminals to spread ransomware. Companies must be proactive and take all the necessary precautions to prevent these increasingly prevalent low-cost attacks.

Should you report ransomware attacks to the authorities?

Reporting a crime to the authorities has its own risks. While the FBI and other agencies have experience in dealing with cybercrime, they don’t necessarily share the priorities of the company making the report, nor are they able to assess the risks involved in every situation.

Typically, authorities will advise companies not to negotiate with ransomware attackers, given that there’s no guarantee that paying the ransom will unlock a business’ encrypted data — but this advice isn’t always practical. For example, if a health care organization’s data is misused, this could compromise people’s lives. In other cases, the cost of managing the downtime and restoration of the data could be much higher than the ransom itself.

Public companies have a fiduciary and regulatory requirement to report to the authorities when any customer data is compromised. Smaller companies should follow suit to make sure they comply with regulations, but they may have to take the advice of the authorities with a grain of salt. Handling a ransomware attack is an important internal decision for a company, whether or not they reported the information.

Assessing the costs of ransomware attacks

When your company faces a ransomware attack, before taking action, you need to make a careful assessment of the potential costs of not complying with the ransom demand. The risks to your organization will vary depending on how prepared you are, the nature of your business and the data compromised in the attack.

There are three types of damage typically incurred in ransomware attacks.

  1. Damages due to data loss or noncompliance

Data loss may force you to temporarily shut down operations and limit your ability to serve customers. Depending on the type of data, an attack could even pose a risk to human lives. If, however, you have a high-quality backup and restore plan, you may not face any data loss. If the ransomware breach was due to negligence, your company may also be subject to hefty fines and even prosecution for noncompliance with HIPAA and other regulations or data sovereignty laws.

  1. Damages due to data leaks

Even if your data is backed up, attackers could still leak it. Leaking client data can bring on lawsuits and fines that can be quite serious. Competitive information, vendor pricing and intellectual property leaks can cause serious damage to an organization as well. For utility companies and organizations in the security space, data leaks can be extremely costly and potentially dangerous.

  1. Damages due to public relations exposure

While this is not a direct cost of data loss, companies can suffer tremendously from the public relations fallout following ransomware attacks. In some situations, ransomware attackers have launched public relations campaigns on social media to threaten their victims, smearing their reputations. Negative media coverage can also lead to loss of reputation with clients and lost business, which can come at a high cost to the company.

Cybercrime: Leaking vs. stealing information

For many companies and small businesses, simply having a data backup that relies on the 3-2-1 backup rule will offer protection from data loss. However, ransomware perpetrators can also threaten to expose intellectual property, financial information, or customer data to the public. Organizations holding sensitive data will require an additional layer of security beyond basic backup software.

The ransomware industry: Who are the cybercriminals?

The ransomware industry is enormous. Professional ransomware syndicates like REvil, Twisted Spider and Lockbit Gang are significant players within the industry known for targeting large organizations that can afford to pay high ransoms. Individual hackers may work based on an affiliate association with these syndicates or operate independently using hacking tools.

Just as with any multibillion-dollar market, there are companies that serve the needs of hackers. For example, an organization called BulletProofLink provides complete phishing toolkits for hackers. The service provides templates and creates fake websites to associate with the campaigns. With just a few hundred dollars, computer-savvy individuals can become professional criminals using these types of software.

The most vulnerable targets are those who don’t even take the basic precautions. For that reason, every computer and server needs to be protected with modern software that integrates cybersecurity and backup and restore capabilities.

Common tactics for ransomware attacks

The majority of ransomware attacks are carried out using social engineering tactics such as phishing emails. Even the most hardened environment can be subject to penetration if the people within the organization fall prey to fake emails, texts or malicious links on websites.

Software vulnerabilities are another important entry point. Today’s software vendors work hard to patch issues as they appear, and most businesses also use a variety of third-party security software to defend themselves against cybercrime.

Cyber protection from ransomware

With the proliferation of ransomware attacks, every company needs to shore up its security to protect themselves. While it may seem costly to invest in security, being attacked is far more expensive. 

The following are the proactive steps everyone should be taking to prevent ransomware attacks:

  • Ongoing security education: It’s essential to keep the dangers of phishing and social engineering top of mind. Beyond initial training, consistent reminders and short videos can keep security focused and prevent employees from inadvertently causing a breach.
  • Regular software upgrades and patch implementations: Simply setting all devices up for automatic upgrades goes a long way toward preventing the common forms of attacks. 
  • Testing and auditing of company systems: The IT team should routinely test for vulnerabilities. Third-party software and consultants can play an important part in hardening the corporate environment.
  • Backup and restore software: Using the 3-2-1 backup and restore rule will prevent disruptions in service and downtime. The best third-party backup software allows companies to restore their entire systems within a matter of hours, even minutes.
  • Password management: Everyone in a company should be using a password management software with unique and secure passwords for all logins.
  • Plan for security incidents: Having an incident response plan in place can save a lot of agony. The attacker may tell you not to contact a ransomware negotiator after the attack. However, if you’ve contacted the negotiator beforehand, you can have everything you need on hand to manage an incident. Consult with security experts in advance and put together a plan that will serve you in case the worst does happen.

Whether or not you decide to negotiate with cybercriminals, your goal as a business should always be to avoid having to make this decision in the first place. This is where cyber protection solutions come in.

Cybercriminalsnew normalsecurity
Comments (0)
Add Comment