“What is ransomware other than extortion?” asks Quentyn Taylor, our Director of Information Security. He is fundamentally correct, of course. However, the ever-present, constantly changing and global nature of ransomware makes it the kind of complex threat that strikes fear into the hearts of senior business leaders.
In this ‘Expo Talks’ webinar, Quentyn speaks to three leading cybersecurity experts: Sjaak Schouteren, the Cyber Development Leader at Marsh; Jenny Radcliffe from The People Hacker; and Javvad Malik, a Security Awareness Advocate at KnowBe4. Together, they discuss where they see ransomware going in the future and the big question – is paying ever the right thing to do?
Why is ransomware growing?
Javvad sums this up in three points. Firstly, and most obviously, technology: “the advent of asymmetric encryption gave rise to it, and we have the delivery channels to deploy ransomware in a very effective manner that isn't reversible,” he explains. Secondly, cryptocurrency has made it really easy for criminals to take money in a way that is currently almost anonymous and untraceable. Finally, and perhaps most importantly, data is now so valuable to us that, if access to it is removed, we are willing to pay to get it back. Sjaak adds that Ransomware as a Service has opened it up as an option for criminals, leading to a significant rise: “In our last claims report, we saw 32% of the cyber incidents were related to ransomware.”
What can we expect of ransomware attacks today and in the future?
“If they can increase dwell time on the network, once they're already in there, then the first thing that they do is they look for anything that they can use,” says Jenny. This is particularly concerning in that they are also hunting for your response plan – so that they are one step ahead of you when they finally attack with what Quentyn describes as the “triple threat”:
- They encrypt your data – whether that’s commercial, private or intellectual property – and threaten to sell or release it.
- Business is significantly interrupted, which is the biggest financial impact of any attack.
- They will then look at the companies to which yours is connected and subject them to the same attack.
“Even if ransomware isn’t the objective, it’s sometimes applied to ‘torch the building’ on the way out,” says Javvad. “It’s also a way to advertise ‘we were here, and you were compromised’”. So, it seems that cybercriminals consider their reputations too.
What do you do if you’re compromised?
“If you haven't prepared for it, it's too late,” says Sjaak. You should already have a plan in place for business continuity and disaster recovery. Sjaak also recommends that you keep hard copies of your plans and policies, legal documents and the details of the incident response team at your cyber insurance company. It is critical to have a clear, printed policy that is tested regularly to make sure that it works, that it is up to date and that the entire response team understands its role. This moment of realisation is familiar territory to Jenny. “Don't respond to them and check that they're no longer there is the very first thing. Because the minute you respond, the clock sort of starts ticking.” A final recommendation is that you will need access to liquid capital in order to engage additional support. “You need money to mobilise everything and get your plan in place.”
Never forget that this is business
Ransomware attacks understandably provoke strong emotions, but all agree that this is not a time for fury; it’s a time for action and negotiation. “If you put emotion at a negotiation, you've lost already,” explains Jenny. Ransomware gangs effectively operate like businesses themselves and, as Quentyn points out, do not call their targets ‘victims’, they call them ‘customers’, and the majority of ransomware will direct the ‘customer’ to a Tor site in order to open negotiations. But these are not your standard talks. “In some ways, it does look the same,” explains Jenny. “But there are no models or ethical rules for anyone to step into.” Which leads the group into the potentially (multi) million-dollar question…
Is it ever OK to pay?
It’s all about perspective, says Javvad. “It reminds me of my kids asking whether it's okay to have ice cream for dinner. Generally, I'd say no. But then there are circumstances where I'd say yes.” “Can you handle two days of business interruption? Five days? Two weeks?” asks Sjaak. “IT people are very against paying and I totally agree, but the follow up question for me is always ‘have you discussed this with your CFO?’” However, the decision to pay also comes with important moral and ethical considerations. “No one wants to fund criminal activity or terrorism,” says Jenny. “Imagine if there was a direct threat to life? Hospitals, fatalities, ambulances being redirected. CNI attacks can achieve this, and it becomes much more of a moral dilemma overall because your decision has got to be informed by how many people this might directly affect?”
Listen to the full discussion below, including Javvad, Jenny and Sjaak’s three top tips on dealing with a ransomware attack.