Companies began migrating to remote work at the onset of the Covid-19 pandemic, and as a result, cyber-attacks have increased exponentially. We have seen more attacks of every kind, but ransomware surged by 150% in 2020. Nearly 2,400 U.S.-based governments, healthcare facilities, and schools were victims of ransomware in 2020, and related transactions totaled $350 million.
The year 2021 also saw a dramatic spike in ransomware activity, as high-level attacks became commonplace against critical infrastructure, private companies, and municipal governments. Ransom demands have reached tens of millions of dollars, and the attacks have become more sophisticated. So, who are the threat actors behind these attacks? And what should companies do to respond? Let’s find out.
How Ransomware Attacks Have Changed
A few years ago, the majority of attacks only involved the deployment of ransomware. Hackers would gain access through a phishing email and deploy malware when an unsuspecting employee clicked on a link. The malware would encrypt company servers, and the hacker would offer a decryption key in exchange for a ransom, typically five or six figures paid in Bitcoin or another cryptocurrency. Attackers simply looked for systems to exploit and waited for their payday. Today, it is a whole new ballgame, with ransom demands growing to the high seven-figure range.
Along with higher demands, the methodology behind ransomware attacks has changed significantly. Attacks are more focused on stealing sensitive company information, such as intellectual property, trade secrets, and PII. The hackers, or threat actors, are often highly organized criminal groups that have done their research. They understand the target company's financial position, the industry in which it operates, and how to make the most of their own efforts. The threat actors also search through company files, ultimately exfiltrating large amounts of data, up to a terabyte.
Once the hackers acquire a company's sensitive information, they warn the company that the data will be posted on the dark web unless it pays to get it back. Journalists who monitor the dark web can pick up this information and report on the attack, sometimes causing damage to an organization's reputation or exposing customer and employee data.
How Should a Company Respond If Attacked?
In the event of a ransomware attack, companies should follow their written incident response plan (IRP), notify senior management and the legal department, and hire an attorney to protect the investigation with attorney-client privilege. Companies should also notify their insurance carrier to determine coverage under the applicable cyber insurance policy. Any offer to pay a ransom must be pre-approved by the insurance carrier before communicating with the threat actor.
Threat actors also attempt to create urgency and panic with their demands. Slowing things down can help organizations make the right decisions. Key questions to consider when deciding whether to pay ransom include:
- How sensitive is the information?
- Does the company have backups of the information?
- Does the company have decryption keys for the information?
- Do the costs of refusal, such as business disruption, negative publicity, or reputational harm, exceed the ransom demand?
- Is the cyber attacker associated with an entity on the U.S. Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned-entity list? (It may be illegal under U.S. law to pay the ransom if there is an association.)
How to Reduce the Risk of a Ransomware Attack
There are several steps that companies can take to reduce the risk of a ransomware attack, as well as the risk of damage if an attack occurs. These include:
- Review your incident response plan so that it’s clear who is responsible for what actions.
- Review your cyber insurance policy and ensure that ransom is covered and that the level of coverage reflects the current situation.
- Enable multi-factor authentication on all company accounts, including service accounts and social media accounts, and implement strong spam filters.
- Establish a communication channel on a secure texting app to allow senior management to communicate in the event of a cyber attack.
- Train your employees to identify phishing emails and educate them on the strategy of threat actors seeking to mislead them into clicking links.
- Identify high-risk employees, such as system administrators, who might help execute an insider attack.
- Assess the cybersecurity programs and protocols for your vendors — particularly any entity that handles sensitive or critical company data.
- Test backup systems regularly and make sure they are separated from other company systems.
Stop Ransomware Attacks with Mindcore
Mindcore offers cyber security services in New Jersey and Florida to help companies protect their computer systems, networks, and software programs from being attacked by cybercriminals. We will assess your current infrastructure and create a customized IT security solution based on your specific needs, goals, and budget. Schedule your consultation with a member of our team today.