Why are the effects of ransomware attacks rarely understood?
We’ve all read the national headlines and seen how ransomware is doubling or even tripling year-on-year. Ransomware is expected to attack a business, consumer, or device every two seconds by 2031, up from 11 seconds in 2021, according to Cybersecurity Ventures. And, according to the same research, global ransomware costs are expected to rise from US$20bn in 2021 to US$265bn by 2031.
Seeing the Bigger Picture
The sheer scale of the problem is staggering, and while ransomware attacks frequently hit the headlines, the larger costs incurred by targeted or victim companies, and by individuals, are often hidden beneath the surface. Senior leadership and boards will hear about ransomware attacks and their prevalence, but rarely understand how an incident plays out, from immediate triage to lingering business recovery, let alone the impact it can have on customers, employees, and the wider public. Having worked in this industry for a long time, I know that impacted firms face reputational damage, regulatory fines, legal and security restructuring costs, and loss of production and productivity through downtime. The list of consequences is extensive.
So while business leaders appreciate that ransomware is disruptive, the long tail of such attacks and their true implications tend to be less well understood. Likewise, most think only about the impact on the victim organisation and the restoration of its business-as-usual systems, but attacks also affect the victim’s customers, third parties and wider stakeholder ecosystem. We must now recognise ransomware as a systemic threat that can also disrupt ordinary people’s lives. Unsuspecting victims suffer consequences such as layoffs, medical treatment delays, travel disruptions, the inability to access funds, and much more, according to BlueVoyant’s ransomware research.
The US Experienced 65,000 Ransomware Attacks in 2021
According to our ransomware research, the US saw more than 65,000 ransomware attacks in 2021, with one of the biggest — the Colonial Pipeline — leading to most of the petrol stations across the southeast being emptied. Colonial Pipeline paid hackers US$4.4mn for a decryption tool that restored oil operations, despite FBI and US Department of Homeland Security recommendations that companies should avoid paying ransoms.
Ransomware attacks put victims out of business, force hospitals to turn patients away, prevent access to critical services, cripple business operations and much more, according to BlueVoyant’s ransomware research. While each ransomware attack is unique, these targeted attacks share commonalities: disruptive activity, high payouts, and increasingly double and triple extortion techniques, which are becoming more commonplace as hackers look to take their victims for as much money as possible. In traditional ransomware, organisations risk having their data locked and having to pay to get it restored. In double extortion, attackers exfiltrate the data before locking it, so they can demand payment both to unlock it and to refrain from releasing it on the web. In triple extortion, hackers also approach anyone affected by the stolen data, such as customers, partners, suppliers, and the extended ecosystem, and demand that these organisations pay to prevent the release of their own data.
Making the Right Decisions
Vendor organisations face a range of decisions when responding to an unfolding attack. They may need to determine whether to cease operations, especially if they don’t know the extent of the attack and want to prevent adversaries from advancing further into their systems. Decisions about how to respond may have to be escalated for higher authorisation. If a response decision isn’t made quickly, the attack may well penetrate further across systems and networks before defensive measures are taken.
If the decision is taken to shut down or halt operations, or networks, this creates a domino effect for more decisions to be made. Company leadership is forced to determine how to move forward operationally without access to internal systems, and that’s before the company has determined whether it is going to pay or negotiate with threat actors.
Because a halt in operations is so costly, some companies do move forward and negotiate with attackers. A 2022 Proofpoint study found that 82% of British companies that had been victims of ransomware attacks paid a ransom in order to retrieve their data. However, co-operation with attackers, as I’ve outlined above, can lead to further exploitation, while leaders must also deal with remediation of any affected networks. If established security procedures have backed up pivotal information and systems, a company typically has more flexibility when facing criminal extortion, but this isn’t always the case.
Disclosure or Not?
Enterprises face critical decisions regarding their public communication strategy post-attack, managing not only the reputational damage but also the longer-term loss of customer trust. If Personally Identifiable Information (PII) or sensitive customer data is breached, companies are typically required to disclose this publicly. Some organisations choose to walk the fine line of not revealing the breach and simply paying the ransom to avoid embarrassment. However, this is a highly risky strategy and could lead to future issues and loss of customer trust.
In the period following an attack, organisations can also face legal, regulatory, and government scrutiny, for example from the UK’s Information Commissioner’s Office (ICO). Immediately after an attack, growth is depressed by operational losses, and business recovery can include the cost of refactoring systems and processes, putting security improvements in place, and restructuring business priorities.
Expert Help is Required
Dealing with a breach brings a minefield of decisions, any of which can lead the organisation down a path it would rather not tread. This is why it is so important to call in the experts and to ensure that the business is getting the right level of counsel and guidance. After all, you are dealing with criminals who often don’t have the moral compass or ethics we have come to expect in business.
Ransomware will remain prolific in 2022 and beyond, so it is not a question of if but when, and how prepared the business is to deal with both the incident and the aftermath.