As remote working has become more common over the past year, ransomware attacks have risen by 102% year on year globally. India is the most affected country, with 213 ransomware attacks per organization every week, up 17% year on year, as per industry reports. Ransomware targets every sector, but in India IT / ITES remains especially exposed because of its network connectivity with overseas clients, as are government, finance and healthcare organizations that handle large volumes of sensitive and personal data.
Ransomware attacks are typically delivered via phishing emails, social media posts, malvertising and similar channels, using malicious software to infect target systems and encrypt files, databases or virtual datastores. Threat actors, who may be organized cybercriminals, cyber terrorists, insiders or state-sponsored groups, often use a "double extortion" technique, in which data is exfiltrated before it is encrypted. They then demand a ransom in exchange for the decryption key, for deleting the exfiltrated data, or for not publishing the stolen data. Demands can run to thousands of dollars, payable in cryptocurrency. This has consequences for companies under regulatory obligations to protect data and report breaches. Paying the ransom is also not a straightforward answer, because of money laundering and sanctions risks.
Beyond leaving ransom messages on screens, threat actors also contact vendors, clients or security firms, or threaten media leaks, to add pressure for payment. Many companies are part of international supply chains, have contractual obligations to clients, or deal with companies in countries with strict data protection laws, and so are compelled to disclose such attacks and breaches. Because many companies run significant back-office operations in countries like India and the Philippines, a ransomware attack that results in a data breach or system compromise in a back office or shared IT centre may also affect offices in jurisdictions such as the EU, the U.S. and Singapore, which have stringent IT and data privacy laws.
To identify the root cause of an attack and ascertain the potential financial and reputational damage, companies typically engage cyber forensic experts to analyze the incident in depth.
As technology evolves, so do the technical challenges in such investigations. The availability and integrity of data, backups and logs is one of them. Forensic experts used to be able to recover deleted files from the hard disk and from volume shadow copies by taking advantage of weaknesses in how ransomware handled files. Typically, early ransomware made a copy of each file, encrypted the copy and then deleted the original, so the deleted original could often be recovered from unallocated disk space, at least in part. Recent ransomware instead encrypts files in place, overwriting the original data, so deleted-file recovery no longer helps. It deletes the volume shadow copies that hold earlier versions of files. Some families also encrypt both the primary and the backup copy of the MFT (Master File Table), the NTFS structure that records where every file lives on disk, which makes the file system itself hard to reconstruct. Free or unallocated space may also be wiped, removing any remnants of deleted files.
Most organizations do not retain logs for operating systems, databases and network devices, or retain them only for a short period. Such logs contain the information an investigator needs to perform root cause analysis, reconstruct the activities carried out during the attack and identify what allowed it. Without them, experts are restricted to analyzing whatever data is available and struggle to establish a timeline of events.
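The recovery-tampering steps described above (shadow copy deletion, disabling Windows recovery, deleting backup catalogs) are exactly what process-creation logs would capture if they were retained. The following added example, which is not part of the original article, runs simple detection logic over a few constructed process-creation events in a simplified Security 4688 / Sysmon Event ID 1 style (the one-line key=value field layout is an assumption; adapt `parse_line` to your real source) and clusters the hits per host so that several precursor commands within a few minutes stand out as a likely ransomware run.

```python
"""Flag shadow-copy and recovery-tampering commands in process-creation logs.

Added example for this article, not code from it. SAMPLE_LOGS is constructed;
the one-line "key=value" layout stands in for Security 4688 / Sysmon Event 1
records and is an assumption about the log source.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Known pre-encryption steps that defeat recovery. They are rare in normal user
# sessions, so a single hit is worth an alert and several on one host within a
# few minutes are a strong ransomware precursor signal.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("vss_resize", re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\b.*\bshadowstorage\b", re.I)),
    ("wmic_shadow_del", re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("ps_shadow_del", re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I)),
    ("bcdedit_norecov", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("bcdedit_ignorefail", re.compile(r"\bbcdedit(\.exe)?\b.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("wbadmin_delete", re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\b(catalog|systemstatebackup|backup)\b", re.I)),
]

# Assumed record layout (constructed): ts host= user= pid= ppid= image= cmd="..."
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+pid=(?P<pid>\d+)\s+'
    r'ppid=(?P<ppid>\d+)\s+image=(?P<image>.+?)\s+cmd="(?P<cmd>.*)"$'
)

# Constructed sample: one workstation running the classic precursor sequence,
# one backup server legitimately listing shadow copies, and ordinary user activity.
SAMPLE_LOGS = r"""
2022-03-01T10:02:11Z host=FIN-WS-07 user=CORP\jdoe pid=4120 ppid=988 image=C:\Windows\explorer.exe cmd="C:\Windows\explorer.exe"
2022-03-01T10:02:13Z host=FIN-WS-07 user=CORP\jdoe pid=5221 ppid=4120 image=C:\Windows\System32\cmd.exe cmd="cmd.exe /c vssadmin delete shadows /all /quiet"
2022-03-01T10:02:14Z host=FIN-WS-07 user=CORP\jdoe pid=5230 ppid=4120 image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
2022-03-01T10:02:15Z host=FIN-WS-07 user=CORP\jdoe pid=5241 ppid=4120 image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
2022-03-01T10:02:16Z host=FIN-WS-07 user=CORP\jdoe pid=5250 ppid=4120 image=C:\Windows\System32\wbadmin.exe cmd="wbadmin delete catalog -quiet"
2022-03-01T11:15:00Z host=BKP-SRV-01 user=CORP\svc_backup pid=812 ppid=600 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"
2022-03-01T12:00:00Z host=FIN-WS-07 user=CORP\jdoe pid=6001 ppid=4120 image=C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE cmd="WINWORD.EXE /n report.docx"
"""


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    pid: int
    ppid: int
    image: str
    cmd: str


@dataclass
class Alert:
    rule: str
    event: Event


def parse_line(line: str) -> Event | None:
    """Parse one record; return None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(
        ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        host=m["host"], user=m["user"],
        pid=int(m["pid"]), ppid=int(m["ppid"]),
        image=m["image"], cmd=m["cmd"],
    )


def match_rules(cmd: str) -> list[str]:
    """Names of every rule whose pattern appears in the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]


def detect(log_text: str) -> list[Alert]:
    """One Alert per (event, matching rule), in log order."""
    alerts: list[Alert] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        for rule in match_rules(ev.cmd):
            alerts.append(Alert(rule, ev))
    return alerts


def cluster(alerts: list[Alert], window: timedelta = timedelta(minutes=5),
            min_rules: int = 2) -> dict[str, list[str]]:
    """Hosts on which at least `min_rules` distinct rules fired within `window`."""
    by_host: dict[str, list[Alert]] = {}
    for a in alerts:
        by_host.setdefault(a.event.host, []).append(a)
    hits: dict[str, set[str]] = {}
    for host, host_alerts in by_host.items():
        host_alerts.sort(key=lambda a: a.event.ts)
        for i, first in enumerate(host_alerts):
            rules = {a.rule for a in host_alerts[i:] if a.event.ts - first.event.ts <= window}
            if len(rules) >= min_rules:
                hits.setdefault(host, set()).update(rules)
    return {h: sorted(r) for h, r in hits.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_LOGS)
    for a in found:
        print(f"{a.event.ts:%H:%M:%S} {a.event.host} {a.event.user} [{a.rule}] {a.event.cmd}")
    print("precursor clusters:", cluster(found))
```

The backup server's `vssadmin list shadows` is deliberately left unflagged: only the destructive verbs match, which keeps the rule set quiet on administrators doing their job. Two things the toy omits that a production rule needs: the parent image (a shadow-copy deletion spawned by an Office process is far more suspicious than one from an admin console) and the user's normal role, both of which are available in the same 4688 / Sysmon records if the logs are kept long enough to query.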
Companies use security devices to detect and block ransomware, and deploy email filtering to block phishing emails, malicious attachments and suspicious links. Data loss prevention (DLP) solutions apply rules that prevent unauthorized data sharing. Monitoring dark web forums can help identify where leaked data came from and preview data put up for sale. Technology alone does not solve the problem, however: trained people to operate these tools and mature processes are just as important. A 24×7 Security Operations Centre (SOC) can be costly; an outsourced SOC or managed detection and response (MDR) service can help keep pace with the evolving threat landscape. Contracts with such vendors must be vetted by the legal team so that they build in the obligations required by applicable data protection and disclosure norms, such as breach notification timelines.
A common best practice is to back up important data and store it in different locations, including the cloud, so that it can be restored if ransomware strikes. This requires extra storage and increases cost. Many cloud service providers and data centre vendors insist on standard contracts, which makes it difficult for legal teams to negotiate provisions such as indemnity for attacks on the infrastructure. Backups are often never tested for restoration, and backups that remain reachable from the compromised network are sometimes encrypted along with the production data, leaving organizations to either accept the data loss or negotiate and pay. Keeping at least one copy offline or immutable, and regularly rehearsing a restore, guards against both problems.
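Two of the failure modes above, backups that were never test-restored and backups that were silently encrypted alongside production data, can both be caught with a hash manifest recorded when the backup is taken and checked against a trial restore. The following added example (not from the original article) builds such a manifest, restores into a scratch directory and reports missing, modified and unexpected files; the directory layout, file contents and the simulated in-place encryption of one backup file are all constructed for the demonstration.

```python
"""Record a SHA-256 manifest at backup time and verify a trial restore against it.

Added example for this article, not code from it. The sample tree and the
simulated tampering in demo() are constructed; no real backup tool is involved.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Stream the file so large backup images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root (POSIX form) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): file_sha256(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored_root: Path) -> dict:
    """Compare a restored tree with the manifest taken at backup time.

    Returns the lists a responder needs: files that did not come back,
    files whose content changed (an in-place encrypted backup shows up here),
    and files that were not in the backup at all (a dropped ransom note, say).
    """
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    modified = sorted(p for p in manifest.keys() & actual.keys() if manifest[p] != actual[p])
    return {
        "ok": not (missing or extra or modified),
        "missing": missing,
        "modified": modified,
        "extra": extra,
    }


def demo() -> tuple[dict, dict]:
    """Constructed walkthrough: one clean restore and one tampered restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "data"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (src / "notes.txt").write_text("quarterly close checklist\n")

        # Taken at backup time and stored separately from the backup itself.
        manifest = build_manifest(src)
        (base / "manifest.json").write_text(json.dumps(manifest, indent=2))

        good = base / "restore_good"
        shutil.copytree(src, good)
        good_report = verify_restore(manifest, good)

        # Simulate a backup that ransomware reached: one file overwritten in
        # place with random bytes, plus a dropped ransom note. Constructed; no
        # malware is involved.
        bad = base / "restore_bad"
        shutil.copytree(src, bad)
        (bad / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (bad / "README_DECRYPT.txt").write_text("your files are encrypted\n")
        bad_report = verify_restore(manifest, bad)

    return good_report, bad_report


if __name__ == "__main__":
    good, bad = demo()
    print("clean restore ok:", good["ok"])
    print("tampered restore:", {k: v for k, v in bad.items() if k != "ok"})
```

The manifest is only useful if it is kept somewhere the attacker cannot rewrite along with the backup (offline media, append-only or object-locked storage, or at least a separate credential domain); an attacker who can encrypt the backup and regenerate the manifest defeats the check. Running `verify_restore` as part of a scheduled restore drill turns "we have backups" into "we have restored from backups this month".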
Many companies face the question of whether paying the ransom is legal. Paying is also risky: the decryption key may never be provided, or the data may be sold regardless. Where payment is the only option, many organizations lack experience in dealing and negotiating with threat actors; professional negotiators or consultants with such experience can front these dialogues. If the company holds cyber insurance, it can help recover the loss, so notifying the insurer in a timely manner as required by the policy is vital. The legal team should be involved when purchasing cyber security insurance so that the terms and conditions are understood and negotiated.
Even after negotiations, companies face difficulties making payments in cryptocurrency; consultants can help them deal with cryptocurrency brokers. After payment, cyber experts should test the decryption software or key on a small subset of backup images before using it on production data. It is important to prevent any further attacks during the restoration phase, because the supplied decryption software may itself introduce additional malware. Cyber experts can verify that the received software is safe and reduce the risk of re-infection by conducting security due diligence and a risk assessment of the network.
It is critical to develop an incident response plan that defines the steps a user or the incident response team should take in the event of a ransomware attack. If an organization discovers it has been hit, the incident response or IT team and the legal team should be notified immediately. Once the infected systems are isolated, decryption tools that forensic researchers have developed by reverse-engineering particular ransomware families may be able to restore the files to their original state; such tools exist only for families with known weaknesses. Even after decryption, traces of the ransomware may remain on the system and be triggered again, re-encrypting the files. The alternative is to wipe and rebuild the system, but if it was connected to the network the infection may already have spread across the organization. The IT / security team should scan the environment for further infections, and any data loss or sign of exfiltration must be identified. Depending on applicable laws and regulations, the breach may need to be disclosed to the relevant authorities.
Regular patch management mitigates known vulnerabilities in systems. Network segmentation by department or function limits the spread of ransomware. Restricting privileged access, adopting a zero-trust policy and minimizing the number of entry points through which ransomware can penetrate the organization reduce the attack surface. Software asset management with application allow-listing and block-listing ensures unauthorized software is blocked. Quarterly or otherwise periodic security and penetration tests help uncover weaknesses in the network and systems before attackers do. Regular training and awareness campaigns, such as mock phishing tests, keep users up to date on how to avoid and react to ransomware attacks.
In today’s digital and connected world the threat landscape changes frequently, so it is better to invest proactively in the techniques, tools and recovery plans that prevent ransomware attacks, or at least enable a proper response, and thereby avoid reputational and monetary loss.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
Article reproduced with permission from CRN India.