Imagine the scene: A devastating ransomware attack has immobilized a large manufacturing company. It's not possible to ship or sell any products, or to contact the company's customers. The whole supply chain has been compromised. To make matters worse, two backup locations are also inaccessible. Unfortunately, this is not a what-if scenario. It happened, despite the best efforts of the company's security and business operations teams. Even though the organization had a Plan A and a Plan B, it wasn't enough to deal with modern-day ransomware.
Too often, a traditional response to a ransomware attack is focused solely on a technical investigation. However, the ripple effects of ransomware go far beyond a system reboot and security housekeeping. As our manufacturing company's predicament highlights, there's often a gap between what needs to be done and shared across the enterprise and current incident response plans. Organizations' leaders must recognize that ransomware is a business risk, not simply a cybersecurity problem, and they should take the right steps in the right order to handle any crisis.
Ransomware Motivations Evolve
Although ransomware has been around a long time, threat actor tactics and motivations have recently changed. Following Russia's invasion of Ukraine, threat actors on Russian-language Dark Web forums — particularly ones associated with ransomware — are sometimes choosing targets based on political motives rather than just financial gain. The ideological divide has led many underground actors to call for the return of ransomware groups to the mainstream underground and for a resumption of targeting of Western entities, especially in the resources, government, banking, and critical infrastructure sectors.
New Tactics Open the Door
We're also seeing new threat actors introducing fresh ideas and evolving tactics. For example, some attacks are more destructive than disruptive, involving deleting or damaging backups. This destroys Plan B and makes it harder for a compromised target to get back up and running. It can also damage a business's brand and reputation.
Making life easier for threat actors is access to "plug-and-play" tools, such as ransomware-as-a-service products that can be easily purchased on the Dark Web and just as easily deployed. And there is also the growing interest in network access sales — when cybercriminals offer sophisticated and accomplished threat actors a shortcut to a compromised network for a price. For example, in February the Accenture threat intelligence team found that an underground site user, "GodLevel," was advertising access to a subdomain belonging to an identified Ukrainian agricultural exchange. An attacker could potentially use compromised system access to elevate user privileges and make use of associated domains to obtain personally identifiable information (PII) and payment card data, resell exfiltrated data, and deploy malicious software such as ransomware.
When it comes to ransomware tactics, one of the new flavors is extortion, where threat actors initiate a public business disinformation campaign aimed at eroding confidence and public trust in a business.
We've even seen threat actors directly contacting individuals whose data has been stolen from a company when the company refuses to pay a ransom. So, while companies are trying to deal with cyber complexities and get their business back up and running, they may also have to defend themselves against an extended ecosystem of stakeholders.
Disruptive times have resulted in a surge in attacks, and it is possible that Russia's invasion of Ukraine could continue this trend. Recent analysis from the Accenture cyber-incident forensic response team, based on engagements conducted between January and December 2021, shows a year-on-year increase of 107% in ransomware and extortion attacks and 33% in intrusion volume from ransomware and extortion. These growing threats put pressure on a traditional crisis response and accentuate the vital role of coordinated planning and communications.
Closing the Communications Gap
When all areas of the enterprise work together — driven from the top — the whole business benefits. Here are some steps to consider to help close the gaps that open the door to ransomware and extortion:
- Lead with leaders: Cybersecurity professionals often run tabletop exercises, but they should evolve such exercises to include executive-level simulations. This enables organizations to test their defenses against a typical ransomware attack directly with business leaders — while simulating the risk and adrenalin of a "real-life" attack scenario.
- Avoid the domino effect: Taking an uncoordinated first step can lead an organization down a path that can hinder its recovery. By creating a playbook and having a clear plan for the whole business, overseen by the C-suite, organizations can avoid the domino effect of "wrong place, wrong time" actions.
- Report with rigor: The devil is in the details. To protect against ransomware, maintain standard cybersecurity patching hygiene practices and incorporate an intelligence-driven approach to vulnerability and attack surface management programs. To be resilient, organizations should better understand internal reporting obligations and act with full transparency, in a thoughtful and factual way.
By understanding — and preparing for — the full implications of a ransomware attack on an organization, recovery can be faster and easier. However, business leaders are often ill-prepared, especially when it comes to the essential communications needed to inform and instruct all stakeholders affected by an attack. It's time for business leaders to look with fresh eyes at how they handle ransomware and extortion. And the emphasis should be on prioritizing effective crisis management across the enterprise.