Ransomware attacks are enough to strike fear into the hearts of corporations, especially following the high-profile attack on Colonial Pipeline in the US and, closer to home, the cyberattack on the HSE. Both attacks resulted in entire systems being shut down, with Colonial paying the ransom and the HSE refusing to do so. Both were attributed to Russia-based ransomware gangs: DarkSide in the case of Colonial Pipeline and Conti in the case of the HSE.
The good news is that research by the security company Sophos points to a fall in the proportion of organisations hit directly by ransomware, from 51 per cent in 2019 to 37 per cent in 2020. The bad news is that this drop reflects a change in the nature of the attacks rather than a reduction in the threat: attackers have moved from high-volume, low-ransom campaigns to more targeted and far more expensive intrusions.
The same report, The State of Ransomware 2021, also points out, more alarmingly, that the average cost of recovering from a ransomware attack more than doubled over roughly the same period, from $761,106 in 2019 to $1.85 million in 2021.
Brian Murray, enterprise account executive at Sophos, emphasises the importance of prevention over recovery, but recognises that vigilance is key to spotting whether such an attack is happening. “Prevention is core, but also being able to spot if an attack is under way and acting swiftly.”
Murray explains: “The most urgent thing is to contain the attack. If you suspect an attack is happening, and you don’t have the tools to stop it, the next best thing is to determine which devices have been impacted and isolate them immediately.”
Disconnecting
He advises disconnecting those devices from all networks. “This is only a stopgap, but it will give you time to evaluate which endpoints, servers and operating systems have been affected. It will also give you time to check on backups or indeed to make backups immediately.”
Once internal containment measures are under way, it is also advisable to consider which external bodies may need to be informed, for example in the case of data theft.
“We suggest working with external security experts and cyberinsurance and legal counsel – for example, does the breach need to be reported to law enforcement and to the data protection authority. Non-reporting or late reporting can result in additional fines to the company.”
Other parties to consider are employees and customers, both of whom may be directly affected.
“If ransomware is embedded in your software, your corporate email may already be compromised, so you may consider setting up new, external ways of communicating the news.”
Once a company has contained or stopped an attack, a debrief is vital. Sophos suggests bringing in specialist incident response teams to make sure that every element is dealt with and lessons are learned.
“Be prepared for the fact that recovery will probably take longer, and cost more than you expect, and that many others will be affected by the impact of the attack, such as customers and suppliers.
“However, on a more positive note, reviews following major attacks appear to show that an organisation which responds effectively to a crisis and acts with integrity, transparency and openness can see its trust and reputation enhanced rather than diminished. So don’t give up, do the best you can and don’t be afraid to bring in outside help.”
Convictions
Finally, on the legal front, it is next to impossible to secure convictions against criminal gangs operating out of countries with no extradition agreements. However, in the case of Colonial Pipeline, the US Department of Justice was able to recover roughly half the value of the ransom after it obtained the private key for the Bitcoin wallet DarkSide had used to receive the funds. Cryptocurrency is only pseudonymous, so either the gang was inexperienced or careless, or perhaps it was simply advertising its services. Be prepared.