Will I have to pay a ransomware demand and how to prevent getting one
Ransomware is a threat that businesses can’t afford to ignore. You’ve read the headlines and heard the stats, such as the massive 230% increase in attacks since 2019 – but you probably have some questions of your own: “How do these attacks get into my systems?” and “If a ransomware attack happens, will I have to pay the ransomware demand?” We’ll be discussing these questions, alongside some useful advice and tips on how to prepare your organisation and prevent attacks from happening in the future.
What is ransomware?
What actually is ransomware? In the plainest terms, it’s a type of malicious software that will block and encrypt systems or files making them inaccessible and unusable. The attack is followed by a ransom request (or “extortion”) to have the files unlocked. These attacks can grind a business to a halt by stopping them from performing day-to-day tasks, like processing payments, accessing programs and client data, and even reading emails.
On the face of it, the only way to get access to systems again is to pay the ransom, which can range from a few hundred to potentially millions of pounds. The criminals perpetrating these attacks will often ask for payment in cryptocurrency (like Bitcoin or Monero) to avoid tracking. For a lot of individuals and organisations, these cyber-highwaymen seem to offer no alternative but to be paid. They can sit on a system for weeks or even months while a business withers on the vine. If they’re looking to really put the pressure on, they may leak data to speed up their goals.
Like most cyber threats, prevention rather than cure is recommended, and we’ve spent a long time developing our own tools and services to aid in the fight against ransomware. If you’re wondering just how serious the threat is, the rise in ransomware has contributed to a huge change in the cyber insurance market. And businesses that can’t effectively protect themselves from the threat may find that they’re unable to get coverage at all.
What are the different kinds of ransomware?
Now that we’ve spoken a bit about what ransomware is, it’s worth understanding the different kinds of attack so you know what you’re up against. Ransomware can be broken down into three main categories: single extortion, double extortion and triple extortion. All of them present a danger to companies, but as the level of extortion increases so does the damage.
Single extortion ransomware is the “classic” style of attack. Criminals gain access to a business’s systems and proceed to lock users out, forcing them to halt their operations. On the surface, it can seem like the only way to regain access is to pay the ransom. This kind of attack doesn’t require constant attention from criminals, and they’ll sit on a system as long as they want, waiting for their payday.
Double extortion takes things one step further. It’s the preferred method for criminals looking for a quick resolution and to profit from their attack. As with single extortion, a system is encrypted and businesses are denied access to the tools and software they need to work, and a ransom is demanded. The extra step, though, is that data is also stolen from the business – this can include everything from customer names and addresses, to payment details and valuable research or plans. Known as a “data breach”, this follow-on attack has far-reaching implications as customers may not wish to continue using a service that can’t ensure their data is secured. A recent report has found that 88% of customers wouldn’t use a business they couldn’t trust their data with.
The final and newest threat is triple extortion ransomware. It goes one step further than double extortion and it works like this: a ransom is demanded, the stolen data is published, and then the data is analysed to leverage further attacks on customers and suppliers. In effect, it is possible for criminals to destabilise a company and anyone who would associate with them. The results can be far-reaching – the trust and business lost can be difficult to recover.
The attack vectors (the path or place that criminals use to gain access to your systems) of ransomware are varied and often rely heavily on human error. Criminals are using more sophisticated methods to convince people to either part with useful personal information like log-in details or download malicious software. Social engineering (the practice of fooling people in an effort to gain information) and spoofing (creating false versions of company communications, email addresses or websites) are combined to convince organisations and individuals of an attacker's legitimacy. They may pose as a trusted company (either the company the target works for, or one that offers them a service, such as a software provider) and often attach a sense of urgency to their messages in order to try and force a decision by panicking the recipient. Common examples of avenues of attack include:
Emails & attachments
That’s not to say, of course, that there aren’t ways to mitigate this threat! We’re always keen to show the world how they might better alleviate ransomware attacks, and the tools we provide can make a real difference (more on that later!). The important thing to remember is that it only takes one mistake, by one person, to give criminals an “in”. They can then capitalise on this entry-point whenever they like. Bear in mind, criminals expect businesses to update software and check systems regularly, so they’re often inclined to strike sooner rather than later.
So we’re now in the worst-case scenario – a ransomware attack has been successfully carried out. As discussed above, a lot of organisations and individuals feel that the only viable solution is to give in to demands and pay the ransom, particularly when threatened with having their leaked data published. There are a few things we suggest considering though, as deciding whether or not to pay a ransomware demand is not something to be taken lightly.
The arguments for paying a ransom can be quite convincing. By giving in to demands a company can get back to normality quickly and, if the payment works as promised, downtime is decreased from days and weeks to possibly hours. It also means that with access to systems again, an organisation can begin investigating exactly how the attack took place and can start implementing new preventative measures. With the pressures on businesses to provide the best service possible in the face of so much competition, the decision to pay a demand outright is understandable.
However, it’s important to note that paying a ransom doesn’t mean the situation will automatically come to an end. While businesses might regard it as “the cost of doing business”, criminals may mark down a paying organisation as a good target, and it could suffer attacks in the future. Importantly, if you don’t fix the reason it happened in the first place, it can be repeated. It’s also worth considering that there is no guarantee that data or systems will be restored after payment or that a criminal will be true to their word – data may have already been stolen and could have been published without an organisation’s knowledge. Even for businesses that have cyber insurance, in some cases an insurer might refuse to pay out for the cost of a ransom.
Looking at the other end of the spectrum, businesses choose not to pay ransoms for a number of different reasons. Some of them are strategic, for the considerations we’ve mentioned above: paying off a demand is no guarantee, and even after paying, the attack might continue or data may have already been leaked. There’s even a moral component to the argument: ransomware payments can be used to fund more sophisticated attacks against businesses in the future, and some organisations don’t want to contribute to the growing levels of cyber crime. Additionally, from a legal perspective, it’s worth considering that in certain countries, like America, paying a ransom could represent a violation of legal sanctions. Citing the FBI data released in 2020, the US Department of the Treasury, through the Office of Foreign Assets Control (OFAC), has placed businesses on notice that payment of ransoms to certain cyber attackers could get a company in trouble under US sanctions laws and regulations for helping to finance sanctioned organisations - but we haven’t heard of anyone actually being prosecuted so far.
With all of this in mind, the decision to either pay or not pay a ransomware demand needs to be treated very seriously. Whichever route is taken, an investigation still needs to take place into how the attack happened, where it entered, and the full extent of the infiltration. This investigation should also lead to adopting preventative measures for the future, as this is the best defence against future attacks. Regardless of whether or not organisations intend to pay, these measures will help improve cyber health dramatically.
We firmly believe that in the case of ransomware (and every other kind of cyber threat), prevention is always better than cure, and there are a number of measures companies can take to protect themselves from the threat. In an ideal world, if the proper measures are implemented in advance, this is a decision that will never need to be made.
By preparing for an attack, a business can save itself a lot of time and money. Although it might seem like a big step to take, especially if an organisation has never been attacked like this before, implementing an extra layer of security can save a business. What’s more, these measures also help build cyber resilience inside a company, and the tips below can help protect against more than just ransomware.
Closing vulnerable access to infrastructure
An overwhelming number of ransomware incidents involve criminals using unsecured, open “ports” or exploiting well-known vulnerabilities to gain deep access into an organisation’s infrastructure.
“Ports” are access-points into servers. They’re necessary for organisations to make services available to others; but ports which allow administrative (or similar) access to a server are an open door for criminals if not secured. It is good practice to close any ports that are not actively needed, or at least limit them to a local network. If necessary, you can make applications accessible remotely via a secure virtual private network (VPN). That way, attackers must first defeat the VPN before they can reach a vulnerable service at all.
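The check a defender would run before deciding which ports to close is to list what is actually listening and on which address. The script below is an added example, not KYND's tooling: it parses the text output of the Linux `ss -tlnp` command, flags administrative services bound to every interface, and prints suggested nftables rules that restrict them to a trusted (for instance VPN) subnet. The sample `ss` output, the admin-port list, the subnet and the assumed `inet filter` / `input` chain are all constructed for the demonstration.

```python
"""Audit listening sockets for administrative services reachable from every
interface. Added example (not KYND's tooling): parses Linux `ss -tlnp` output;
the sample output, PIDs and services below are constructed, not captured."""
import re

# Ports whose services give administrative or remote-management access.
# Assumption: a starting list; extend it for the services in your own estate.
ADMIN_PORTS = {22: "ssh", 23: "telnet", 445: "smb", 3306: "mysql",
               3389: "rdp", 5900: "vnc", 5985: "winrm"}

# Local addresses that mean "listen on every interface".
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}

# Constructed sample of `ss -tlnp` output (not from a real system).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:3306      0.0.0.0:*         users:(("mysqld",pid=901,fd=21))
LISTEN 0      5      0.0.0.0:5900        0.0.0.0:*         users:(("x11vnc",pid=1333,fd=4))
LISTEN 0      511    *:443               *:*               users:(("nginx",pid=700,fd=6))
LISTEN 0      128    [::]:3389           [::]:*            users:(("xrdp",pid=950,fd=11))
LISTEN 0      128    10.0.0.5:5985       0.0.0.0:*
"""

# State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port (header line will not match).
LINE_RE = re.compile(r"^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+")


def split_endpoint(endpoint):
    """Split '0.0.0.0:22', '[::]:3389' or '*:443' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def audit_listeners(ss_output):
    """Return one finding per listening admin port: where it is bound and a verdict."""
    findings = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("state") != "LISTEN":
            continue
        host, port = split_endpoint(m.group("local"))
        if port not in ADMIN_PORTS:
            continue
        if host in WILDCARDS:
            verdict = "exposed"    # reachable from any network the host sits on
        elif host.startswith("127.") or host == "::1":
            verdict = "loopback"   # local processes only
        else:
            verdict = "review"     # bound to one interface: confirm it is LAN/VPN only
        findings.append({"port": port, "service": ADMIN_PORTS[port],
                         "bind": host, "verdict": verdict})
    return findings


def exposed_ports(findings):
    """Ports that should be closed or restricted, in ascending order."""
    return sorted(f["port"] for f in findings if f["verdict"] == "exposed")


def suggested_rules(findings, trusted_cidr="10.8.0.0/24"):
    """nftables rules restricting each exposed admin port to a trusted (e.g. VPN) subnet.
    Assumes an existing table 'inet filter' with an 'input' chain whose policy is drop."""
    return [f"nft add rule inet filter input ip saddr {trusted_cidr} tcp dport {p} accept"
            for p in exposed_ports(findings)]


if __name__ == "__main__":
    found = audit_listeners(SAMPLE_SS)
    for f in found:
        print(f"{f['service']:6} {f['bind']:>10}:{f['port']:<5} {f['verdict']}")
    print("\n".join(suggested_rules(found)))
```

On a live host, replace `SAMPLE_SS` with the real output (`ss -tlnp`, run as root so process names are visible). Anything reported as "exposed" is the open door the paragraph describes; "review" entries bound to a LAN address still deserve a look, because a flat internal network is exactly what ransomware operators move across.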
Known exploited vulnerabilities are used as simple ways to break into an organisation. For focus, we recommend checking your exposure to CISA’s Known Exploited Vulnerabilities Catalog, and keeping an eye on updates to this.
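Checking exposure against the KEV catalogue is mostly a matching exercise: take the unpatched CVEs your vulnerability scanner reports, look each up in the KEV feed, and rank the hits by CISA's due date and by whether the entry is flagged for ransomware use. The script below is an added example, not KYND's tooling. Its field names follow the public KEV JSON feed, but the entries, CVE identifiers, hosts and dates are constructed placeholders, not real vulnerabilities.

```python
"""Cross-check unpatched CVEs from a vulnerability scanner against CISA's
Known Exploited Vulnerabilities (KEV) catalogue and rank the hits. Added
example, not KYND's tooling. Field names follow the public KEV JSON feed;
the entries, CVE ids, hosts and dates are constructed placeholders."""
import json
from datetime import date

# Constructed stand-in for the KEV feed. In practice, fetch the real JSON from CISA
# (https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json)
# and pass its text to load_kev().
KEV_SAMPLE = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",
     "dateAdded": "2024-01-15", "dueDate": "2024-02-05", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-00002", "vendorProject": "ExampleVendor", "product": "ExampleMail",
     "dateAdded": "2024-03-01", "dueDate": "2024-03-22", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-00003", "vendorProject": "OtherVendor", "product": "OtherDB",
     "dateAdded": "2023-11-20", "dueDate": "2023-12-11", "knownRansomwareCampaignUse": "Known"},
]})

# Constructed scanner output: which host still has which unpatched CVE.
SCANNER_FINDINGS = [
    {"host": "vpn-gw-1", "cve": "CVE-0000-00001"},
    {"host": "mail-1", "cve": "CVE-0000-00002"},
    {"host": "mail-1", "cve": "CVE-0000-00099"},   # not in KEV: lower priority
    {"host": "db-1", "cve": "CVE-0000-00003"},
]


def load_kev(raw_json):
    """Index the KEV feed by CVE id."""
    return {v["cveID"]: v for v in json.loads(raw_json)["vulnerabilities"]}


def kev_exposure(scanner_findings, kev, today):
    """Return the scanner findings that appear in KEV, most urgent first.
    `today` is an ISO date string. Urgency: known ransomware use first,
    then the number of days past CISA's remediation due date."""
    today_d = date.fromisoformat(today)
    hits = []
    for f in scanner_findings:
        entry = kev.get(f["cve"])
        if entry is None:
            continue                      # exploited-in-the-wild status unknown; keep in normal patch cycle
        due = date.fromisoformat(entry["dueDate"])
        hits.append({
            "host": f["host"],
            "cve": f["cve"],
            "product": f"{entry['vendorProject']} {entry['product']}",
            "ransomware": entry.get("knownRansomwareCampaignUse") == "Known",
            "overdue_days": max(0, (today_d - due).days),
        })
    hits.sort(key=lambda h: (not h["ransomware"], -h["overdue_days"], h["cve"]))
    return hits


if __name__ == "__main__":
    for h in kev_exposure(SCANNER_FINDINGS, load_kev(KEV_SAMPLE), "2024-04-01"):
        flag = "RANSOMWARE" if h["ransomware"] else "          "
        print(f"{flag} {h['host']:10} {h['cve']:15} {h['product']:25} overdue {h['overdue_days']:>3}d")
```

The `knownRansomwareCampaignUse` field is the one to watch for this article's purposes: it is CISA's own marker for entries that have been used in ransomware campaigns. Re-running this against a fresh feed on a schedule is what "keeping an eye on updates" looks like in practice.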
Education & training
Knowledge is power! Most people are surprised to hear that direct hacking isn’t the leading cause of a ransomware attack; rather, unwittingly giving criminals access to systems as a result of human error remains the most common cause. This is generally the result of phishing – the act of infiltrating a system, or gaining the means to do so, via fraudulent messages and emails sent by criminals that mimic genuine communications. Learning what phishing looks like, understanding how to react to a suspected attempt, and knowing what to do if an infiltration occurs are all key to keeping an organisation protected.
With the right training, businesses can turn people into a “human firewall” that works as a first-line of defence, alongside other security measures. It’s so important, we actually offer a phishing simulator to supplement training, which is a real-world, easy-to-launch test to see if an organisation can spot and avoid a phishing attempt.
Keeping systems up-to-date
Unsupported or legacy (out-of-date) systems are a playground for criminals; they’re easier to exploit and criminals will have had more time to get acquainted with the vulnerabilities of older software. As evident in the example of the WannaCry attacks, outdated software can act as a backdoor to an organisation. Regular updates should become part of the workday, and downtime should be allocated across companies for these updates to take place. Plus, keeping software up to date can improve business efficiencies too – talk about a win-win!
Both email spoofing and domain spoofing are used in phishing attempts to make them appear more genuine. A spoofed domain will be designed to look like the real thing. For businesses, targeted phishing or “spear phishing” will direct members of your organisation to a site that looks like the real thing, with the aim of getting them to enter log-in details or personal information that can then be used by criminals. Aside from collecting data, these sites may also try to get team members to download malware; spoofed emails are the redirect point for these sites. These emails will also feature some of the hallmarks of a genuine company email to look more convincing. The best defence against spoofed emails is to stop them from reaching your business in the first place. When properly configured, traditional email security controls, including those built into cloud-based email systems (e.g. Outlook inbound rules) or paid options such as Mimecast and Proofpoint, will detect and quarantine emails that contain malicious links or attachments. Additionally, adopting email authentication protocols such as DMARC (Domain-based Message Authentication, Reporting and Conformance), Sender Policy Framework (SPF) and other tools can be used to track any spoof attempts and give you time to prepare.
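Whether SPF and DMARC actually stop spoofs of your domain depends on a handful of settings in two DNS TXT records. The script below is an added example, not KYND's tooling: it evaluates those settings offline, showing a weak configuration (an SPF record ending in `+all`, a DMARC policy of `p=none` with no reporting address) beside a corrected one. The record strings are constructed; in practice you would pass the TXT records of `example.com` and `_dmarc.example.com` fetched from DNS.

```python
"""Check a domain's SPF and DMARC TXT records for settings that leave spoofed
mail deliverable. Added example, not KYND's tooling; records are constructed
strings and no DNS lookups are made."""

# Constructed records: the "before" and "after" of a hardening change.
WEAK_SPF = "v=spf1 include:_spf.example.net a mx +all"
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"


def _needs_lookup(mech):
    """True for mechanisms that cost one of SPF's ten permitted DNS lookups."""
    m = mech.lstrip("+-~?").lower()
    return m in ("a", "mx") or m.startswith(
        ("a:", "a/", "mx:", "mx/", "include:", "exists:", "redirect=", "ptr"))


def assess_spf(txt):
    """Return a list of weaknesses in an SPF record (empty list = acceptable)."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send for the domain"]
    issues = []
    mechs = txt.split()[1:]
    last = mechs[-1].lower() if mechs else ""
    if not last.endswith("all"):
        issues.append("SPF has no terminating 'all' mechanism")
    elif last in ("+all", "all"):          # bare 'all' means '+all'
        issues.append("SPF ends with '+all': any sender is authorised")
    elif last == "?all":
        issues.append("SPF ends with '?all': neutral result, receivers will not reject")
    lookups = sum(1 for m in mechs if _needs_lookup(m))
    if lookups > 10:
        issues.append(f"SPF needs {lookups} DNS lookups (limit 10): evaluates as permerror")
    return issues


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of lower-cased tags."""
    tags = {}
    for part in (txt or "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(txt):
    """Return a list of weaknesses in a DMARC record (empty list = acceptable)."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: spoofs of the domain are not policed at all"]
    issues = []
    policy = tags.get("p", "none")
    if policy == "none":
        issues.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        issues.append("DMARC p=quarantine: move to p=reject once reports show no legitimate failures")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"DMARC pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("DMARC has no rua= address: aggregate reports of spoof attempts go nowhere")
    return issues


def assess_domain(spf_txt, dmarc_txt):
    """Combine both checks; 'pass' only when neither record has a weakness."""
    spf, dmarc = assess_spf(spf_txt), assess_dmarc(dmarc_txt)
    return {"spf": spf, "dmarc": dmarc, "status": "pass" if not spf and not dmarc else "fix"}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        result = assess_domain(spf, dmarc)
        print(label, result["status"])
        for issue in result["spf"] + result["dmarc"]:
            print("  -", issue)
```

The `rua=` address is what turns DMARC into the tracking tool the paragraph mentions: receivers send aggregate reports there, so spoof attempts against your domain show up even when the policy is still `p=none`. Move to `p=reject` only after those reports confirm that all legitimate mail passes.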
Back up systems & data
Backing up business critical data or systems means that even if an attack takes place, a business can recover. Being able to implement backups means organisations can circumvent the criminals’ aims, and access what they’ve encrypted elsewhere. These backups should ideally exist in separate segregated networks that few people have the unique credentials to access – this will make them less vulnerable to attacks. These backups should also be regularly scanned for malware and tested to assure their integrity.
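"Tested to assure their integrity" can be made concrete with a hash manifest: record a SHA-256 digest of every file when the backup is taken, keep that manifest somewhere the backup network cannot reach, and compare before any restore. The script below is an added example, not KYND's tooling. It builds and verifies such a manifest, and its demo constructs a small backup set in a temporary directory and then simulates an intruder encrypting one file in place, deleting another and dropping a new file, so you can see what the verification reports.

```python
"""Build a SHA-256 manifest of a backup set and verify it later, so a backup
that has been encrypted, altered or thinned out is caught before a restore
is attempted. Added example, not KYND's tooling; the files in demo() are
constructed in a temporary directory."""
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backup files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file path (relative to root, '/'-separated) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_backup(root, manifest):
    """Compare the backup set on disk with a manifest taken when it was created.
    modified: content changed (e.g. encrypted in place); missing: deleted;
    unexpected: files that were not there at backup time."""
    current = build_manifest(root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "missing": sorted(p for p in manifest if p not in current),
        "unexpected": sorted(p for p in current if p not in manifest),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: snapshot a backup set, then simulate an intruder
    encrypting one file in place, deleting another and dropping a new file."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "db/customers.sql": b"-- constructed dump\nINSERT INTO customers VALUES (1, 'a');\n",
            "config/app.yaml": b"debug: false\n",
            "readme.txt": b"nightly backup, constructed\n",
        }
        for rel, data in files.items():
            _write(root, rel, data)
        manifest = build_manifest(root)     # store this OFF the backup network
        _write(root, "db/customers.sql", os.urandom(64))   # stands in for ciphertext
        os.remove(os.path.join(root, "readme.txt"))
        _write(root, "NOTE.txt", b"constructed placeholder\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10}: {', '.join(paths) or '-'}")
```

A clean result (three empty lists) is the pre-condition for trusting a restore; any "modified" entry on a backup that nobody should have written to is itself an incident indicator. The manifest only helps if it is kept where the backup credentials do not reach, which is the same segregation principle the paragraph applies to the backups themselves.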
Make a plan & test it
A business continuity plan isn’t just a paper exercise; it’s a roadmap for getting a business back on track in the wake of an attack. Getting one set up and implemented may take time, but it could save an organisation a lot of headache and money in the long run. You can supplement this plan by performing exercises or “fire drills” that mimic a real attack, allowing you to test exactly how effective your plan is.
This is just a snapshot of the larger prevention plan that companies can and should develop. You can find a more in-depth look in our ransomware guide: https://www.kynd.io/news/ransomware/. The changing threat landscape has led many organisations, brokers and insurers to pay more attention to cyber risk than ever before. We hope we’ve been able to show that paying a ransomware demand isn’t the only solution, and the prevention of ransomware and other cyber attacks is now simpler than ever! We’d love to hear from you and show how KYND can help manage cyber risks like ransomware. Get in touch: https://www.kynd.io/contact/
How KYND helps the Insurance value chain tackle ransomware
Protecting your business is just one of the reasons why paying attention to ransomware has become so important. Cyber insurance is increasingly becoming a necessity for businesses of all sizes, and insurers are going to need to see evidence of risk management, particularly in relation to ransomware. KYND is here to help organisations manage risk the simple way. Our tools and services are non-invasive, easy to manage, and explain where exactly your risk lies and how to manage it effectively.
Insurers have been quick to recognise the threat of ransomware, and clients looking to attain cyber insurance will have to show evidence of good cyber hygiene in relation to mitigating the risk of an attack. But, are your clients prepared? This new shift has left many clients unsure of how to continue. We're here to offer a service that helps them see, understand and manage their cyber risk, while at the same time helping you shorten lead time to sell more insurance and reduce the chance of a rejected application. Check out how we’re helping brokers.
Ransomware has changed the way that cyber underwriting operates and checking how a business approaches threats like ransomware has become a key part of the process. As the work increases for underwriters under new, stringent guidelines, getting a clear view of the risks in a candidate’s organisation is more important than ever. KYND helps underwriters with a snapshot or in-depth analysis of every insured that’s being considered or already receives coverage, and can streamline cyber risk analysis.