How Your Organization Can Better Prepare for an Increased Number of Ransomware Attacks
The migration to remote work over the course of the pandemic has been a tough adjustment for businesses. Making it even tougher is the fact that cyberattacks have exponentially increased over the course of the pandemic. More attacks of every kind have occurred, but ransomware was most prominent. Ransomware attacks were up 150% over the previous year. Arguably even worse – the amount paid by victims of ransomware attacks increased more than 300% in 2020.
2021 has been no different. There has been a dramatic increase in ransomware activity this year so far, with attacks against critical infrastructure, private companies, and municipalities making almost daily headlines. The amount of ransom demanded has increased dramatically as well. Amounts as high as tens of millions of dollars are being demanded, as attacks are becoming more sophisticated.
What is so different about ransomware attacks now that is making them more dangerous than ever? Even just a few short years ago, attacks only involved the deployment of ransomware. Attackers would gain access through a phishing email, which would deploy malware on a machine when a user clicked on a link. The malware would then encrypt data, and the threat actors would offer a decryption key in exchange for a ransom payment.
In many of these attacks, the hackers wouldn’t even gain access to the company’s information. Sometimes they didn’t even know which company they had ended up targeting. They just looked for systems to exploit and waited for payment. Once they received a payment, decryption keys were sent and the matter was over.
Today, it’s a whole new ballgame. According to Hiscox, Ltd., of more than 6,000 companies who took part in a recent survey, 43% confessed to being the victim of a cyberattack in 2020. This is a 38% increase from the year before, and 1 in 6 of these was a ransomware attack. In 2020, ransom amounts grew to mid-to-high seven-figure amounts. In 2021, these amounts have reached tens of millions of dollars.
Along with increased monetary demands, the ways in which hackers are carrying out attacks are changing as well. Attacks are focusing on exfiltrating information, and the more sensitive the info the better. The threat actors are typically highly organized criminal organizations who know their targets’ financial situation, the industry in which they operate, and how to exploit the company for maximum effect. In addition to simple encryption techniques, attackers are performing reconnaissance of company files, stealing upwards of a TB of data at a time.
After the encryption and theft of your company’s data, you’re left with an ultimatum: pay up or else. No payment means no decryption key and the release of your private company data on the dark web. When an attack on a company is reported, especially if the company doesn’t pay the ransom, this can damage its reputation or expose its private and confidential information, which might include customer or employee data.
So what should you do if your company is attacked?
If your company is the victim of a ransomware attack, follow your organization’s incident response plan. In addition, notify senior management and your company’s legal department. Including an attorney at the beginning also ensures that an investigation is protected by attorney-client privilege and the attorney work product doctrine. This reduces the risk of exposure in any class-action lawsuits or other legal claims that may arise.
Additionally, notify your company’s insurance carrier at the beginning so they can determine whether there is coverage under the applicable cyber insurance policy. An offer to pay ransom must be pre-approved by the insurance carrier before any communication to the hacker.
The decision to pay a ransom usually rests with senior management and often includes the board. Each incident must be assessed individually as to whether or not it should be paid.
Some key questions organizations need to ask when determining if a ransom should be paid include:
How sensitive is the information that has been accessed or exfiltrated?
Does the company have back-ups of the information, or does it need the decryption keys?
Do the costs of refusal, such as business disruption, the impact to systems or customers, negative publicity or reputational harm, exceed the ransom demand?
Is the threat actor tied to a company that is on the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned-entity list? (If so, it may be illegal under U.S. law to pay the ransom.)
Depending on how severe the attack is, most companies will file an online report with the FBI listing the indicators of compromise involved in the attack, to help authorities track these ransomware groups.
There are several things that a company can do to reduce its risk of an attack:
Review your company’s incident response plan to be sure that in the event of an attack, it’s clear who is responsible for what actions.
Review your company’s cyber insurance policy and be sure that ransom is covered and that the level of coverage reflects the current reality.
Be sure multi-factor authentication is enabled on all company accounts, including service accounts and social media accounts, and that strong spam filters are in place.
Establish a communication channel on a secure texting app so that senior management can communicate in the event of a cyberattack that takes down company email systems.
Train your employees to identify phishing emails and educate them on the modus operandi of threat actors seeking to dupe them into clicking on links.
Identify high-risk employees, such as those with administrative rights to systems, who might help perpetrate an insider attack.
Assess the need for a prophylactic threat hunt by a reputable forensic firm engaged by counsel for privilege. For example, many companies treated the migration to a work-from-home environment as a “data security event” that would warrant a threat hunt of the system.
Assess the cybersecurity programs and protocols for your key vendors — particularly any entity that handles sensitive or critical company data.
Test back-up systems regularly and make sure they’re segregated from other company systems.
With preparation and a good plan, your company can reduce its risk and be better prepared to deal with a ransomware attack.
Story via Harvard Business Review