As ransomware incidents increase, the debate over whether or not to pay the perpetrators has intensified. The best approach is to have safeguards in place that prevent attacks in the first place. Ransomware attacks almost doubled between 2020 and 2021, according to research by cybersecurity provider Check Point: the number of incidents in the first half of 2021 was up 93% on the same period of the previous year. In Mimecast’s “State of Email Security 2021 Report”, 78% of respondents in the UAE admitted to having suffered a business impact from a ransomware attack in the past 12 months. The average downtime was six days.
The attack on the Colonial Pipeline, which disrupted a major fuel supply to the East Coast of the U.S. for approximately a week in May 2021, was one of the most serious and prominent examples of a ransomware attack. “DarkSide”, a group of hackers based in Eastern Europe, was considered to be responsible for this attack. As drivers queued for petrol and prices at the pump began to rise – both of which were, in fact, probably more the result of panic buying – the incident magnified the seriousness of the threat posed by ransomware attacks.
In the Colonial Pipeline case, the company paid $4.4 million to the hackers. Its CEO told the Wall Street Journal that he agreed to the payment because he wasn’t sure of the extent of the attack, and it wasn’t clear how long it would take to bring the company’s systems back online.
Ransomware threat actors are increasingly looking beyond a single victim and shifting their focus towards attacking whole supply chains to amplify their impact. In July 2021, the REvil hacker group launched an attack on Kaseya, a U.S. software provider, thereby impacting not only Kaseya’s clients, who use its software to run IT systems, but also, in the next link of the supply chain, those clients’ own customers. Another very unwelcome trend is what is known as double extortion. Here, rather than simply encrypting the victim’s data, the hackers also exfiltrate a copy of it to a location they control, from which it can be leaked or shared with other criminals. Ransomware attacks are increasingly becoming a business service: rather than waste time creating their own code, hackers can now license it as Ransomware as a Service (RaaS).
Ransomware attacks have ramped up recently and so has the debate about the wisdom of paying. Some organizations have the view that paying ransom will allow them to resume business activities quickly and efficiently while minimizing unhelpful publicity. On the other hand, some CISOs and their teams take a moral view or are simply concerned that payment won’t have any effect, and that they’ll simply suffer demands for more ransom. Therefore, they refuse to pay.
“The State of Ransomware 2021”, a report by anti-ransomware consultancy Sophos, revealed that the share of organizations that decided to pay a ransom demand rose to 32% in 2021, up from 26% the year before. However, according to the report, those that paid the ransom got back just 65% of their encrypted files; 29% of respondents reported that only half or less of their files were restored, and only 8% retrieved all of their data.
“The FBI does not support paying a ransom in response to a ransomware attack”, says the bureau on its advice page. “Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity”. The good news is that detection and recovery efforts are improving. Following the Colonial Pipeline incident, for instance, the U.S. Department of Justice announced that its Ransomware and Digital Extortion Task Force was able to recover around 64 of the 75 Bitcoins paid to the hackers. This process involved identifying the address of the hackers’ digital wallet and then obtaining a court order to seize the funds it contained, with the FBI, it is reported, providing the digital key needed to open the wallet.
Whether paying a ransomware demand is an effective “cure” is highly debatable. What is beyond doubt, as the number of attacks continues to rise dramatically, is the importance of “prevention” in the form of proper cyber security controls. This involves both technology and culture. Patches, anti-virus, anti-malware, EDR (Endpoint Detection & Response), and threat intelligence solutions should be set to update automatically. Backing up data frequently and storing copies remotely in the cloud or physically elsewhere reduces the potential damage caused by the hackers’ encryption.
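A backup only limits ransomware damage if it is recent, complete and actually restorable, and a backup share that the attacker could reach may itself have been encrypted. The script below is an added example, not code from the article or from any vendor named in it: it verifies a backup copy against a manifest of SHA-256 digests recorded at backup time and flags a copy that is older than the allowed recovery point. The file contents, the manifest and the timestamps are constructed sample data, and the seven-day maximum age is an assumed policy value.

```python
"""Restore-readiness check for a backup set (added example, not from the article)."""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path, chunk=1 << 16):
    """Digest a file in chunks so large backups do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_backup(backup_dir, manifest, taken_at, now, max_age):
    """Compare every manifest entry with the copy on disk and check the copy's age.

    Returns a dict: ok (bool), missing (paths), corrupt (paths), stale (bool).
    """
    missing, corrupt = [], []
    for rel_path, expected in manifest.items():
        full = os.path.join(backup_dir, rel_path)
        if not os.path.isfile(full):
            missing.append(rel_path)
        elif sha256_file(full) != expected:
            corrupt.append(rel_path)
    stale = (now - taken_at) > max_age
    return {"ok": not (missing or corrupt or stale),
            "missing": missing, "corrupt": corrupt, "stale": stale}


def build_sample_backup(root, damage):
    """Write a constructed three-file backup set and return its manifest.

    With damage=True, simulate a copy that the attack reached: one file is
    overwritten with ciphertext-like bytes and one is deleted.
    """
    files = {  # constructed sample content
        "finance/ledger.csv": b"2021-05-07,invoice,4400000\n",
        "hr/staff.txt": b"alice\nbob\n",
        "docs/plan.md": b"# Recovery plan\n",
    }
    manifest = {}
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(data)
        manifest[rel] = hashlib.sha256(data).hexdigest()
    if damage:
        with open(os.path.join(root, "hr/staff.txt"), "wb") as f:
            f.write(b"\x00" * 32)  # stands in for encrypted content
        os.remove(os.path.join(root, "docs/plan.md"))
    return manifest


def demo(damage=True, backup_age_days=8):
    """Run the check against a fresh temporary backup set and return the report."""
    now = datetime(2021, 5, 14, tzinfo=timezone.utc)  # constructed 'current' time
    with tempfile.TemporaryDirectory() as root:
        manifest = build_sample_backup(root, damage)
        return verify_backup(root, manifest, now - timedelta(days=backup_age_days),
                             now, timedelta(days=7))


if __name__ == "__main__":
    print(demo())
```

Running this check on a schedule, from a host that has read-only access to the backup copy, turns "we have backups" into a measurable statement: the report names exactly which files could not be restored and whether the copy is inside the recovery window.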
Ransomware attacks usually start with social engineering tactics such as a malicious email being sent to employees of a target organization. Employees can be identified from social media platforms such as LinkedIn, for example. Ensuring that staff are trained on what to look out for when a malicious message drops into their inbox is very important. Artificial Intelligence (AI) and Machine Learning (ML) can be used to identify suspicious and unusual activity – even amongst employees themselves – that might lead to an attack. Threat intelligence and proactive threat detection and monitoring solutions can help here too. Organizations should be wary of insider-related threats and should also perform vulnerability assessments and penetration tests on a regular basis.
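Monitoring for "suspicious and unusual activity" does not have to mean a machine-learning model: the file-system footprint of ransomware is distinctive enough for a simple behavioural rule. In a short window a single process rewrites many files with high-entropy (encrypted-looking) content and usually renames them to one new extension. The detector below is an added example, not code from the article or from any product it mentions. It applies that heuristic to constructed file-event log lines; the log format, the process names (including the hypothetical "unknown.exe"), the thresholds and the allow-list of tools that legitimately write compressed data are all assumptions for this example.

```python
"""Behavioural detection of ransomware-like file activity (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <pid> <process> <write|rename> <path> <entropy bits/byte>"
SAMPLE_LOG = """\
2021-05-07T06:00:01 412 winword.exe write /home/alice/Q2-report.docx 4.6
2021-05-07T06:00:09 412 winword.exe write /home/alice/notes.docx 4.4
2021-05-07T06:01:00 900 backup-agent.exe write /srv/backup/2021-05-07.7z 7.9
2021-05-07T06:02:00 1300 7z.exe write /home/bob/photos.7z 7.9
2021-05-07T06:02:05 1300 7z.exe write /home/bob/video.7z 7.9
2021-05-07T06:03:10 2216 unknown.exe write /srv/finance/ledger.xlsx 7.97
2021-05-07T06:03:10 2216 unknown.exe rename /srv/finance/ledger.xlsx.locked 7.97
2021-05-07T06:03:11 2216 unknown.exe write /srv/finance/q1.xlsx 7.96
2021-05-07T06:03:11 2216 unknown.exe rename /srv/finance/q1.xlsx.locked 7.96
2021-05-07T06:03:12 2216 unknown.exe write /srv/finance/q2.xlsx 7.99
2021-05-07T06:03:12 2216 unknown.exe rename /srv/finance/q2.xlsx.locked 7.99
2021-05-07T06:03:13 2216 unknown.exe write /srv/hr/staff.docx 7.95
2021-05-07T06:03:13 2216 unknown.exe rename /srv/hr/staff.docx.locked 7.95
2021-05-07T06:03:14 2216 unknown.exe write /srv/hr/payroll.csv 7.98
2021-05-07T06:03:14 2216 unknown.exe rename /srv/hr/payroll.csv.locked 7.98
2021-05-07T06:03:15 2216 unknown.exe write /srv/docs/plan.md 7.94
2021-05-07T06:03:15 2216 unknown.exe rename /srv/docs/plan.md.locked 7.94
"""

WINDOW = timedelta(seconds=60)   # assumed: sliding window per process
MIN_FILES = 5                    # assumed: distinct high-entropy rewrites that trigger an alert
HIGH_ENTROPY = 7.5               # bits per byte; encrypted or compressed data approaches 8.0
KNOWN_HIGH_ENTROPY_WRITERS = {"backup-agent.exe"}  # assumed allow-list of legitimate compressors


def parse_events(text):
    """Turn the sample log into (time, pid, process, action, path, entropy) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, pid, proc, action, path, entropy = line.split()
        events.append((datetime.fromisoformat(ts), int(pid), proc, action, path, float(entropy)))
    return events


def detect(events):
    """Return one alert per process whose activity matches the heuristic (first window that trips)."""
    by_proc = defaultdict(list)
    for ev in events:
        by_proc[(ev[1], ev[2])].append(ev)
    alerts = []
    for (pid, proc), evs in by_proc.items():
        if proc in KNOWN_HIGH_ENTROPY_WRITERS:
            continue  # backup/compression tools look like this by design; tune rather than alert
        evs.sort(key=lambda e: e[0])
        for i, start in enumerate(evs):
            touched, ext_counts = set(), defaultdict(int)
            for ev in evs[i:]:
                if ev[0] - start[0] > WINDOW:
                    break
                if ev[3] == "write" and ev[5] >= HIGH_ENTROPY:
                    touched.add(ev[4])
                elif ev[3] == "rename":
                    ext_counts[ev[4].rsplit(".", 1)[-1]] += 1
            if len(touched) >= MIN_FILES:
                ext, n = max(ext_counts.items(), key=lambda kv: kv[1], default=(None, 0))
                alerts.append({"pid": pid, "process": proc, "files": len(touched),
                               "new_ext": ext, "renamed": n, "since": start[0].isoformat()})
                break
    return alerts


def demo():
    """Run the detector over the constructed log and return the alerts."""
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The two legitimate high-entropy writers in the sample show the two ways to keep such a rule quiet: "7z.exe" stays under the file-count threshold, and the backup agent is allow-listed because it will always exceed it. An alert of this kind is most useful when it feeds an EDR response that isolates the host, since the file count will keep climbing for as long as the process runs.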
All employees should be aware of the risks posed by ransomware attacks. As the volume and sophistication of ransomware attacks continue to grow, combating them should, like other aspects of cyber security, be treated as an organization-wide culture rather than an occasional activity.
Check Point Research: "Cyber Attack Trends: 2021 Mid-Year Report" (29 July 2021). Link: research.checkpoint.com/2021/check-point-softwares-mid-year-attack-trends-report-reveals-a-29-increase-in-cyberattacks-against-organizations-globally/
Mimecast: "The State of Email Security 2021 Report". Links: www.mimecast.com/state-of-email-security/?utm_source=industry_site&utm_medium=press&utm_campaign=soes_2021 and www.itp.net/security/mimecast-why-the-rise-in-ransomware-spells-the-end-of-business-as-usual
The New York Times: "DarkSide, Blamed for Gas Pipeline Attack, Says It Is Shutting Down" (8 June 2021). Link: www.nytimes.com/2021/05/14/business/darkside-pipeline-hack.html
The Wall Street Journal: "Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom" (19 May 2021). Link: www.wsj.com/articles/colonial-pipeline-ceo-tells-why-he-paid-hackers-a-4-4-million-ransom-11621435636
Sophos News: "Kaseya VSA supply chain ransomware attack" (2 July 2021). Link: news.sophos.com/en-us/2021/07/02/kaseya-vsa-supply-chain-ransomware-attack/
UpGuard: "What Is Ransomware as a Service (RaaS)? The Dangerous Threat to World Security" (1 November 2021). Link: www.upguard.com/blog/what-is-ransomware-as-a-service
Sophos: "The State of Ransomware 2021". Link: secure2.sophos.com/en-us/medialibrary/pdfs/whitepaper/sophos-state-of-ransomware-2021-wp.pdf
FBI, Scams and Safety: "Ransomware". Link: www.fbi.gov/scams-and-safety/common-scams-and-crimes/ransomware
The United States Department of Justice: "Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside" (7 June 2021). Link: www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.