This post was written with contributions from Andrew Gorecki, Camille Singleton and Charles DeBeck.
May and June bring warm weather, backyard barbecues and, in recent years, an increase in ransomware attacks. Why?
“It’s possible that workers will be distracted because the sun is up and the kids are out of school,” said Charles DeBeck, former senior strategic analyst at IBM Security X-Force. Experts like DeBeck are monitoring the attacks to determine if the rise becomes an established seasonal pattern.
Ransomware is a serious threat, whatever the season. For more than three years, ransomware has been the most prevalent type of cybersecurity attack, as noted by the IBM Security X-Force Threat Intelligence Index 2022. The average cost of a ransomware breach is $4.62 million dollars, including lost revenue and response expenses, according to the Cost of a Data Breach report. This sum excludes the ransom itself, which can run into the millions.
While it’s essential to focus on prevention, businesses should also strategize in advance for a possible attack.
“A lot of organizations have response plans, but there’s wide variation in the quality of those plans and whether they’ve been properly tested,” DeBeck said. Reacting quickly and decisively to an attack can make a big difference in the amount of damage done.
This year’s Threat Intelligence Index breaks down five critical steps in an effective ransomware response plan. We asked three IBM Security experts for more details on what the preparations should include.
Step One: Urgent Action Checklist
The most effective response plan includes a list of actions to take immediately in the event of a crisis. Develop a step-by-step workbook for containing an attack, such as isolating hardware and shutting down services. Include steps for contacting management and law enforcement, such as the FBI.
“Cyberattacks are often carried out by organized cybercriminals and threat actors sponsored by nation states. For this reason, it is important to notify law enforcement of a crime against your organization,” said Andrew Gorecki, Global Head of Remediation for X-Force.
“The intelligence that victims’ organizations share with law enforcement and government agencies is imperative to help fight cybercrime and strengthen collaboration between private and public sector organizations,” he added.
Containing an attack quickly is key. Assuming the attack has already encrypted your data, it is essential to have a plan to restore data from backups safely. The longer you wait, the greater the impact on operations. Back up data frequently and test restore procedures often.
Step Two: Assume Data Theft and Data Leakage
Ransomware attacks used to be pretty straightforward. The attacker made your data useless through encryption, then promised to hand over a decryption key if you paid. Attackers today aim to enhance their payout amounts by threatening to release stolen data, such as:
- Sensitive material that commercial competitors may use
- Confidential messages that may embarrass executives or tarnish the company’s reputation
- Protected data, such as customer credit card information, which could result in legal liability or regulatory fines if leaked.
“Ransomware attackers have discovered that this kind of ‘double extortion’ tactic is extraordinarily effective, and we see it in almost every attack now,” said Camille Singleton, X-Force Cyber Tech Team Lead. Tidy.
The problem can be compounded if your business has data that belongs to someone else, such as a business partner.
“Attackers know that if they’re stealing data belonging to a different organization than the one they’re attacking, it gives them extra leverage,” Singleton said. Pressure from the victim’s partners and the threat of breaking a contract raise the stakes.
Step Three: Prepare for Cloud-Related Attacks
As enterprises increasingly rely on cloud environments, attackers are developing specific tools specifically designed to exploit common cloud-based operating systems and application programming interfaces. According to the Threat Intelligence Index, nearly a quarter of security incidents originate from malicious actors moving to the cloud from on-premises networks.
In fact, attackers are now focusing their attacks on cloud environments with new versions of Linux-based ransomware. About 14% of Linux ransomware in 2021 included new code, according to an analysis by X-Force Threat Intelligence partner Intezer.
Businesses need to harden cloud-based systems and ensure passwords comply with policies. A zero-trust approach — which assumes a breach has occurred and uses network verification measures to thwart attackers’ internal moves — makes it harder for cloud attackers to gain a foothold.
Step Four: Stay up to date on backup best practices
Traditional backups to old-fashioned tape drives, a possible line of defense against ransomware, can be very slow due to their mechanical nature. Tapes also wear out, which can increase the risk of data loss.
Gorecki recommends rethinking how to approach cyber recovery. Disaster recovery (DR) strategies are not effective in recovering ransomware. Instead, consider creating snapshots that are logically isolated from primary storage, providing immutable, incorruptible copies of data. Modern and efficient vault solutions offer data validation and verification. This new backup approach allows victims to recover faster from ransomware attacks.
Fifth step: decide whether or not to pay a Ransom
It is often said – and law enforcement agrees – that organizations should never pay ransoms. Still, some victims pay, especially if lives are at risk, such as in a hospital, or if a prolonged system outage threatens the viability of the business. Every organization should carry out practical exercises to think about what they would do in difficult scenarios.
Businesses must weigh the following before paying a ransom:
- The value of lost data
- The potential fallout from a data leak
- The quality of backups
- The opportunity to restore backups.
Paying a ransom does not guarantee that you will recover your data or that the encrypted data can be restored without corruption. Even if things go as planned, decryption can be a long process. A company that paid attackers millions of dollars in ransom in 2021 would have decided to restore its data from its own backups anyway. The attackers decryption tool was too slow.
“Whether you pay or not is ultimately a business decision,” Gorecki said. “Will the payment prevent damage to your brand or help you recover faster?” If you can quantify the potential damage in financial terms, you can compare it to the ransom price.
One final note: Protecting against ransomware is a long game that requires constant attention to both your infrastructure and industry trends. Attacker tools and tactics will continue to evolve, and organizations must rise to the challenge. Whether or not ransomware attacks pick up again, as they have in recent years, now is always a good time to plan ahead.