Imagine you walk into your office, home, or otherwise, turn on your computer only to find a screen that reads, “All your files have been encrypted.” Unfortunately, this is a nightmare that too many have had to experience.
According to Sophos, in 2021, 37% of all businesses and organizations were victims of ransomware. It cost the world $20 billion in 2021, Cybersecurity Ventures estimates.
Ransomware became a familiar staple on the evening news in 2021. In May, a ransomware attack crippled Colonial Pipeline, causing lines at the pump on the eastern coast of the United States. In June, the world’s largest meat supplier, JBS Foods, was forced to pay an $11 million ransom after hackers temporarily shut down all of its beef plants in the United States. Even third-party technology providers were not immune. In July, a ransomware gang known as REvil compromised a software update from IT infrastructure provider Kaseya and used it to encrypt several of Kaseya’s clients with ransomware. This month, the San Francisco 49ers were surprised when a ransomware group infiltrated their servers and stole 379MB worth of data.
Traditional ransomware has become recognizable: Files are locked down. A ransom is demanded. Payment is either made or not. Then, files are either decrypted or they are not. This is the classic story. However, hackers can be savvy. They evolve. If there is money to be made, they will find a way to make it. So, now we are witnessing an evolution in ransomware.
Ransomware is morphing from single extortion to double extortion to triple extortion. Let me explain. Imagine you get hit with ransomware. Your files are locked up, and the attackers have also pilfered some of your data. Now, let’s say it is customer information. The attackers first threaten to release the data online. Meanwhile, they take the information and extort your customers directly, telling them their data will be released to the public if they do not also pay a ransom. This has a dual benefit for the bad guys.
Number one: They can get more money through this double extortion scheme by exploiting two sets of victims, you and your customers.
Number two: The bad guys can tell your customers it was you who lost the data and that they should contact you and voice their displeasure. This increases the pressure on the original ransomware victim (you). When you start hearing from angry customers, you are more likely to pay up to try and get your data back. But that’s not all!
The bad guys ratchet up the pressure even more by threatening to send evidence of the exploitation to media outlets, such as newspapers, blogs, or television stations. The threat of getting a phone call from the Wall Street Journal or famed cybersecurity journalist Brian Krebs would have any CISO reaching for the bitcoin.
The first documented case of triple extortion ransomware was heartbreakingly wretched. In the fall of 2020, Finnish physiotherapy provider Vastaamo was hit with ransomware, and tens of thousands of confidential client treatment records were stolen. Patients then received emails demanding ransom, or the contents of their discussions with therapists would be made public. Some of the victims were underage children.
Triple extortion ransomware is a very stark reminder of a sad reality. No matter how strong your cybersecurity is, you are always vulnerable. You might have an ironclad network perimeter, but if you use a third party to process any data, that data is vulnerable. And that is only one example; no one really has unbreakable network defenses. That’s just not possible.
Therefore, your organization must move from reactive cybersecurity to proactive cybersecurity. You must assume that the worst will happen to you at some point, that a detrimental cybersecurity incident impacting you is an inevitability.
The foundation of a proactive cybersecurity posture is a strong incident response (IR) program. The cornerstone of an IR program is playbooks. It is critical to have playbooks on hand for the most common cybersecurity incidents you will face, such as ransomware. Much like its gridiron namesake, a playbook is designed to guide your organization through a negative digital event, such as ransomware. Everyone in the organization knows exactly what they are responsible for during such an event. This saves valuable time during the first critical moments of an incident, so you are not wasting precious minutes deciding how to respond. You already know how; you can check the playbook.
Of course, no play is perfectly designed. You will likely have to call some audibles. But a playbook sets the groundwork for the response. It also helps you make some decisions now, instead of during an incident. For instance, your team should be having conversations around its willingness to pay a ransom if it becomes necessary. If you needed to get a large amount of bitcoin quickly, who would you call? These are topics you should be discussing now, not after you receive a ransom demand. This is where tabletop exercises can play a large role.
Tabletop exercises allow you to run through scenarios in a safe environment. Leaders from across the organization can get together to plan how the organization would respond during a major digital incident.
One significant piece of any digital attack, especially ransomware, is communication. How you communicate the event to the outside world, including customers, regulators, law enforcement, and the media, can be the difference between a strong response and a fumbled one. You need to ensure you have a communication plan in place for a digital incident.
Romain Rallu, the CEO of Privasec, has said, “With the continuous news of security incidents, people judge organizations more on their response to an incident than having an incident. Your market, as well as many regulators, can forgive an incident but won’t forget a poor or disjointed response.” A robust incident response program can make the difference.
Ransomware is not going away. It’s too lucrative. It is evolving, and you should too. Building a robust incident response program is a great way to start.