In the past six months, we have seen companies facing more frequent and complicated types of ransomware attacks, leading to lengthy business interruptions and, in many cases, irreparable losses to data and systems.

Remote working environments have opened up more opportunities for threat actors to gain a foothold, while leaving victim companies more exposed to business interruption. Driven in part by the widespread availability of insurance coverage for this risk, ransom demands are increasing and now often reach several million dollars. The likelihood of companies across many business sectors being hit at the same time has also grown, because more of these attacks are staged by groups offering ransomware-as-a-service, which gives affiliates a scalable platform for large-scale campaigns. The actors behind these campaigns are often organized crime groups, and the rise of remote work and the disruption surrounding COVID-19 have given them more opportunities than ever.

Ransomware is malicious software with which criminals encrypt data on the victim's network, disrupting many or all IT systems until the company either restores from backups or pays a ransom in exchange for the decryption keys. In addition to the traditional locking of files, criminals deploying ransomware now also attempt to exfiltrate sensitive data from the victim's network before encrypting it. This lets them selectively leak some of the company's information publicly, whether on social media such as Twitter or on their own leak sites. Being locked out of systems alone often creates enough pressure to pay; the theft of data adds a second lever, because a clean restore from backups no longer ends the incident, and the selective early leaks are timed to add anxiety and push the victim toward faster payment.

Most ransomware attacks begin with a phishing email that appears to come from a person or company the recipient trusts. For example, the operators of Ryuk (a well-known ransomware strain) recently went from a single phishing email to compromise of an entire Windows domain, with ransomware deployed across it, in under five hours.1 The speed of these attacks underlines the need for an incident response plan that can be activated quickly and effectively. Another common entry point is misconfigured or internet-exposed remote-access software with weak or reused credentials, which lets the attacker log into the network, obtain or impersonate system administrator access, and then encrypt network files, including any backups they can reach. Backups that remain reachable from the production network with the same credentials should be assumed to be at risk.

Reducing the risk of a successful ransomware attack requires a comprehensive approach: technical measures such as tested backups kept offline or otherwise isolated from the production network, up-to-date security awareness training for all users, an incident response plan that is rehearsed regularly, and forensic and legal resources lined up to respond within hours of an incident. Incident response is also becoming more complex, whether in dealing with law enforcement or in the growing need to consider whether paying the ransom creates other liabilities for the victim company, as government enforcers, including OFAC, caution that such payments may implicate money laundering and sanctions rules, an issue we have previously noted (OFAC Makes Paying Ransoms to Cybercriminals Much Riskier).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.