The Knowledge Hub of IMD

Ransomware attacks are on the rise. Are you battle ready? 

Published 29 June 2022 in Technology • 9 min read

Cybercrime is booming and growing in sophistication. Business leaders need to ask themselves some searching questions before their organization is exposed to a potentially crippling assault.

The warning came in an email that sat, unopened and overlooked, in a spam folder. It was worrying enough when applications stopped working and documents could not be opened on an ordinary Monday morning. Then the picture came into focus.

An email, written in broken English and addressed to the German business owner by name, demanded a ransom to decrypt his company's files, though no sum was specified. This was how a 2014 ransomware episode began at an elite racehorse farm in southern Germany. It resembles many other such emergencies and offers lessons in how to manage them.

Unprepared and without a data backup, the farm's owner accepted the situation and arranged a settlement, paid in Bitcoin, negotiating the price down but ultimately regaining control of daily operations. That was a different era: the extortionists even sent a thank-you note after receiving payment and unlocking the systems.

But Ransomware Inc. and its 2022 releases show new levels of market segmentation, with groups whose names are known globally almost like band names: REvil, Conti and LockBit. Complex, escalating attacks on big-money corporate targets are the high-end strategy. Other groups, and wannabes, prefer quick, lower-paying, high-volume hits that encrypt the data of smaller companies and organizations, content with regional or local notoriety.

So much of what is known about the ransomware industry is self-reported and anecdotal that it is difficult to prove statistical trends or patterns from year to year. Every target organization is different, with its own financial constraints, operational limits and definitions of how much loss (of clients, sales, capital or data) can be tolerated. Some organizations mistakenly assume that cyber-insurance will handle it, but that fast-growing market is also changing as costs and risks proliferate.

As risks multiply, so do insurance premiums. Coverage limits are shifting, and several major insurers, AXA among them, may no longer treat ransom payments as insurable, covering only the cost of lost business. A growing number of attacks are attributed to states, such as the 2017 NotPetya attack that caused billions in losses, and some insurers have tried to classify these as acts of war, which would free them from liability. These fast-moving, rapidly evolving threats require adaptation and the sharing of best practices to keep pace.

The following questions will help protect your data and your organization.

The business case for a criminal enterprise

  1. A limitless global addressable market of repeat, mostly quick-paying customers at rising price points.
  2. The entire operation can be outsourced "as-a-service" to reduce risk or liability, and can run tax-free from anywhere, with no office expenses.
  3. Payments in cryptocurrency are near-instantaneous. Your brand may not be popular, but anonymity and a flexible work-from-anywhere schedule make up for the absence of personal recognition.
  4. On the negative side, there is stiff competition from rival brands and the potential for interruption by the FBI or Europol.
  5. Past returns are no guarantee of future performance.

How fast? 

The REvil ransomware gang needed only about two hours to install its software on Kaseya VSA servers in 2021, and reach, along with speed, is only increasing. Kaseya VSA is IT management software used by managed service providers and cloud and outsourcing companies, serving a downstream audience of hundreds of thousands of users. The rise of managed services, cloud resources and computing-on-demand from third parties has complicated matters: a service provider is a target whose compromise can cripple hundreds of its downstream clients, increasing the pressure to pay quickly or risk harm to huge networks of organizations.

What process and response team are needed to answer a ransomware threat? Your chief information security officer (CISO) should have a legal, IT, finance and management "go team" prepared to respond quickly to a threat scenario. Too often, each of these specialties believes it is leading the response, when a combined approach is more effective.

How soon can the business restore critical data to clean, backed-up systems out of the attackers' reach so that it can continue operating? Can a compromised system be isolated rapidly to stop encryption or malware from spreading? Are these recovery times tested and proven, or guesses?

What timeframe and approvals are needed to obtain a specific amount of Bitcoin or another cryptocurrency, and what steps are involved? If it takes time to obtain the coins before transferring them, the delay can give the targeted company valuable negotiating room.

Ransomware operators are a mix of politically motivated and for-profit attackers who are increasing the frequency, price and complexity of attacks. Delays while victims seek police or IT help may be punished with wiped data or escalation to denial of service. In addition, attack teams now make a point of finding and disabling backups and response plans as part of their strategy.

Using encryption to paralyze IT systems for ransom has been around since the floppy-disk era of the 1980s, but it has grown from mischief into a moneymaker. Ransomware accelerated with the growth of the Internet as software downloads became commonplace and, after 2010, with the popularity of cryptocurrencies, now the standard platform for ransom payment. In the US alone, the frequency of ransomware attacks rose by 200% between 2019 and 2021.

How much? 

Has your response team or board consulted owners, local executives or global HQ about how much they can afford to lose (or to spend) on an attack? Are you measuring downtime in hours, days or gigabytes of data? Will cyber-insurance cover the loss or disruption?

On average, only 8% of organizations that paid a ransom recovered all their data, and about 63% of respondents retrieved around half. Some organizations identified as payers receive repeat attacks or a second, larger ransom demand from the initial attackers. These uncertainties make responding difficult without serious preparation.

Ransom payment is only part of the cost. Lost productivity and sales, data recovery and reputational damage are among the other possible consequences. These multi-dimensional challenges affect decision making in both short-term crisis discussions and the longer-range vision for the organization.

Different offices or national locations will have unique vulnerabilities and price-sensitivity. There is no one-size-fits-all, even within the same industry or company.

Have we done this before? 

One industry estimate is that 58% of data backups fail during a restoration attempt, so a tested, proven recovery process for IT systems gives greater confidence when negotiating with attackers. When the German farm was hit again in 2021, it refused the ransom demand thanks to secured offsite backups. The General Data Protection Regulation had also taken effect since the first incident, setting out companies' responsibilities in the event of data loss or a breach.
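The 58% restore-failure figure above, and the earlier question of whether recovery times are proven or guesses, is why a backup drill should restore the data and check it rather than trust the backup job's exit status. The following is an added example, not code from the article or its authors: it builds a throwaway directory tree of constructed files to stand in for production data, writes a plain tar archive as the "offsite backup", records a SHA-256 manifest at backup time, then restores into a clean directory, compares every file against the manifest and times the restore. The optional tamper step flips one byte of file content inside the stored archive after the backup "succeeds", standing in for silent media corruption or an attacker quietly damaging backups ahead of an attack. File names, contents and the archive layout are all constructed for the example.

```python
"""Backup restore drill: prove a backup restores, don't assume it.

Added example; not code from the original article or its authors.
"""
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path

# Constructed sample data; a real drill would point at real paths.
SAMPLE_FILES = {
    "ledger/2022-q1.csv": b"customer,amount\nacme,1200\n",
    "ledger/2022-q2.csv": b"customer,amount\nacme,980\nglobex,410\n",
    "config/app.ini": b"[db]\nhost=db.internal\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> SHA-256 for every regular file under root."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def make_backup(src: Path, archive: Path) -> dict[str, str]:
    """Archive src as an uncompressed tar and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w") as tar:
        for rel in manifest:  # add files individually so archive paths are stable
            tar.add(src / rel, arcname=rel)
    return manifest


def restore_and_verify(archive: Path, manifest: dict[str, str], dest: Path) -> dict:
    """Restore into dest and compare every file with the backup-time manifest.

    Returns the measured restore time (a number, not a guess), files missing
    after restore, files whose content hash differs, and a pass flag.
    """
    start = time.monotonic()
    with tarfile.open(archive, "r") as tar:
        try:
            tar.extractall(dest, filter="data")  # refuses absolute and ../ paths
        except TypeError:  # Python without the filter= argument
            tar.extractall(dest)
    elapsed = time.monotonic() - start
    restored = build_manifest(dest)
    missing = sorted(set(manifest) - set(restored))
    mismatched = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {
        "elapsed_s": round(elapsed, 3),
        "missing": missing,
        "mismatched": mismatched,
        "passed": not missing and not mismatched,
    }


def run_drill(tamper: bool = False) -> dict:
    """End-to-end drill on the constructed sample data.

    tamper=True corrupts one byte of file content in the stored archive after
    the backup completes. Tar header checksums are untouched, so extraction
    still succeeds; only the hash comparison catches the damage.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src, archive, dest = root / "prod", root / "offsite.tar", root / "restore"
        for rel, data in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = make_backup(src, archive)
        if tamper:
            raw = bytearray(archive.read_bytes())
            at = raw.find(b"globex,410")  # uncompressed tar stores content verbatim
            raw[at] ^= 0x01
            archive.write_bytes(raw)
        dest.mkdir()
        return restore_and_verify(archive, manifest, dest)


if __name__ == "__main__":
    print("clean drill   :", run_drill())
    print("tampered drill:", run_drill(tamper=True))
```

The clean run passes with empty `missing` and `mismatched` lists; the tampered run still extracts without error but reports `ledger/2022-q2.csv` as mismatched, which is exactly the case a "the job finished" check would miss. Recording `elapsed_s` on production-sized data turns the "hours or days" question into a measured figure.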

Has your organization been targeted before? The Verizon 2021 Data Breach Investigations Report found that 85% of breaches involved a human element, including social engineering by text, phone call and website, not just email phishing. The weakest links are people deceived into revealing confidential details that may not be used until much later, when combined with other information. Do your people share these experiences and know how to recognize this manipulation?

What has your experience been with law enforcement or peer organizations? Attacks can be investigated more effectively when officials have access to information on similar incidents and the cooperation of managers and executives. What is your company's policy on disclosure to partners, customers and authorities, local and global?

Even if you have seen other attacks or heard stories from partners, your experience will be unique. Speed of response, cost of recovery, people and cash resources are specific to your situation. For example, you need to know the difference between a "wiperware" attack that intentionally destroys data and hostage-taking ransomware that demands payment. Failure to pay in a "simple" encryption attack can lead to escalation to a wiper or other destructive action (XXXXX), so responses should be measured, cautious and aimed at a defined outcome.

Are we prepared? 

Despite massive investments in cybersecurity, many organizations now operate differently than they did before the COVID-19 pandemic, with remote teams, reduced headcount and other changes. Senior managers often concentrate investment on prevention, which leaves response and recovery as potential weaknesses. Every organization should know its risks and its response, just as it does for a fire drill, weather emergency or other possible disruption.

Preparation also means understanding future requirements, not just looking backwards. There are local legal and cultural differences, for example the rules in Singapore that allow small companies to hire "data-protection-as-a-service" to comply with that nation's personal data protection law.

In Australia, a bill for mandatory ransomware reporting was introduced in early 2022. In the US, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) was passed by the Senate in March 2022 as part of the Strengthening American Cybersecurity Act and signed into law the same month. Once its implementing rules are in force, it will require covered critical-infrastructure entities to report substantial cyber incidents within 72 hours and ransomware payments within 24 hours.

Knowing your industry's standards and collaborating to set expectations among customers and partners is another aspect of being prepared. Actively looking after your clients' and partners' best interests can make a strategic difference in today's ransomware maelstrom. Some companies have built a culture of cyber-defense, with examples ranging from "gamified" participation with prizes to recognition for individuals or departmental teams. Quarterly contests reward those who identify and report the most attacks, or the worst or funniest "phishing" email or threat.

Sharing the message of security and care with partners and suppliers can help to create a community that looks out for each other. And be in no doubt that spending on cybersecurity to avert ransomware will continue to grow as the criminals' methods evolve. That surely means job security for those playing defense in corporate cybersecurity.

Answering the questions posed in this article and arming yourself with a properly resourced plan will quicken your response time in an emergency, while also reducing uncertainty and eliminating duplication of efforts.

Authors

Öykü Işık

Professor of Digital Strategy and Cybersecurity at IMD

Öykü Işık is Professor of Digital Strategy and Cybersecurity at IMD, where she leads the Cybersecurity for Managers program. She is an expert on digital resilience and the ways in which disruptive technologies challenge our society and organizations. Named on the Thinkers50 Radar 2022 list of up-and-coming global thought leaders, she helps businesses to tackle cybersecurity, data privacy, and digital ethics challenges, and enables CEOs and other executives to understand these issues.

Philipp Leo

Philipp Leo is a partner at Leo & Muhly Cyber Advisory and a lieutenant colonel in the Swiss Armed Forces Cyber Command.

Fabian Muhly

Fabian Muhly is a partner at Leo & Muhly and a criminology researcher at the University of Lausanne.
