Ransomware on the rise

Photo: © leremy / Adobe Stock

Ransomware attacks have been on the rise over the last several years, targeting businesses as well as critical infrastructure systems.

“Threat actors are attacking 24/7 –– this is a full-fledged business for them,” said Jason Conley, Digital Forensics Examiner, Envista Forensics Ltd. “If an organization doesn’t have, for example, two-factor authentication or other security controls, eventually [threat actors] are going to get in.”

Fabian Franco, Senior Manager of Digital Forensics and Incident Response (DFIR), Threat Hunting and SOC, OpenText, said that supply chain industries and corporations that have not invested a lot of money into their cybersecurity practice and infrastructure are starting to see that it’s like “shooting fish in a barrel” for threat actors to infiltrate.

“It’s easy pickings to go out there and find a vulnerability that may be exposed to the internet and for them to take advantage of it,” said Franco. “Part of that security posture is making sure you’re patching your systems.”

With ransomware attacks on the rise, there has been more of a concerted effort to take threats like this more seriously.

“We’ve been seeing a growing concern, which is actually surrounding what’s called the supply chain,” said Jaycee Roth, Associate Managing Director, Cyber Risk, Kroll. “The idea here is understanding and knowing how your network connects to or touches other organizations, and how that information is shared or protected with other organizations.”

The implications of a ransomware attack may extend beyond the immediately-affected targets.

“It goes beyond just that organization,” said Franco. “That’s where there needs to be that investment where a company may spend a couple $100,000 up front, instead of having to spend millions on the back end and affecting the entire community outside of their one little ecosystem.”

According to Conley, while IT teams may be excellent in their ability to fix or build technology, they may not be trained in cybersecurity, which is something businesses should consider investing more heavily in.

“Cybersecurity is a field unto itself, with various specialized training, and if an organization doesn’t invest in somebody like that inside their department, they need to retain somebody at least to come give them a health check,” said Conley. “It’s as damaging as a fire, and businesses need to treat it with that level of severity because I’ve seen ransomware remediation periods go from 14-21 days before businesses get back up and operational again.”

To pay or not to pay

A company’s decision to pay the ransomware demands is not a simple question, according to the experts. Calling it a “sensitive topic” amongst the U.S. government, Conley also notes that the RCMP has been vocal about deterring victims from paying the ransom.

However, he also says that “when it comes to a business decision, the CEOs are often looking at one, and I’ve seen some businesses where they would have been destroyed had they not purchased a decryption key. For others, it’s a matter of return on investment.”

Reiterating that paying the ransom is not a black and white question, Franco explains that there are a number of different reasons why a company may choose to pay a ransom and to look at the full scope of the situation.

“For example, a company that gets hit with ransomware may have others advising not to pay, but they don’t realize what’s being lost,” said Franco. “How much money are they losing overall because of a ransomware attack where they may lose $300 million?”

Franco said that when a company pays the ransom, it may have cost them $3 million, which to them is a “no-brainer,” but then there is the bigger picture of “what about the employees that aren’t going to be able to go to work, or that are living paycheque-to-paycheque and don’t get a paycheque for two or three weeks until this is recovered?”

For Roth, if the question of having to pay was asked prior to November 2019, she would say that if a company had valid backups, they could likely avoid making a ransom payment. Or for victims that could live without the affected data or simply re-create it, they may not have to pay.

“Now, since November of 2019, a ransomware variant gained celebrity status called Maze, which is like a gang name, and they came on the scene, and they introduced a new tactic called data exfiltration into their attack pattern.”

Data exfiltration, said Roth, is essentially copying files and folders out of the victim environment. The threat actors then put them into their own systems and environments.

“Now not only are all your files locked, but if you were a company that prior to November 2019 would have had backups and could have restored or could have lived without your data, you now have this threat looming over your head that an attacker has information from your environment, and they use that as an extra layer of extortion to say, ‘If you don’t pay us, we’re going to post this data,’” said Roth.

There have been several notable ransomware hacks in the past year, including the Colonial Pipeline in Houston, Tex., and the meat processing company JBS, where an attack temporarily disrupted some operations in Australia, Canada and the U.S.

In a statement published June 9 on its web site, JBS USA “confirmed it paid the equivalent of $11 million in ransom in response to the criminal hack against its operations. At the time of payment, the vast majority of the company’s facilities were operational. In consultation with internal IT professionals and third-party cybersecurity experts, the company made the decision to mitigate any unforeseen issues related to the attack and ensure no data was exfiltrated.”

“No organization wants their client lists or personal health information, customers credit cards released on the dark web,” said Conley. “Now, of course, paying that to a criminal organization, you have no guarantees that they aren’t going to turn around and utilize that data elsewhere. But that’s another big deciding factor as to why organizations are paying out.”

Conley adds, “[JBS] probably wanted to show that they did everything possible to avoid that exposure.”

Taking action

Recognizing that there is plenty at stake, implementing a strong cybersecurity hygiene program has become a top priority.

Roth shares that the federal government will be passing Bill C-11, which enacts the Consumer Privacy Protection Act and the Personal Information and Data Protection Tribunal Act and to make consequential and related amendments to other Acts.

“We’re going to see some enhanced compliance obligation penalties, as well as revised private right of action against giving rise to class action risk and service provider obligations,” said Roth. “One of the obligations is going to be that if you are an organization that transfers personal information to your service provider, the service provider provides substantially the same protection to that personal information that you would be happy to provide under that act.”

Roth adds that the penalties for this bill are quite substantial, where it can be a maximum penalty of $10 million, or three per cent of an organization’s gross global revenue and its financial year.

“That’s going to be substantial for a lot of businesses and making sure that their data is protected,” Roth said of the bill, which is still waiting to be passed.

Stressing that good cybersecurity hygiene “has to be a living, breathing, effort,” Conley said that it should be treated with the same care that an organization would manage a disaster recovery plan or a business continuity plan.

“This should be a very active, very alive document because times are constantly changing and the technology is constantly changing,” said Conley. “Any good security program has to have layers. When organizations keep up a human firewall, they keep their employees on the ball and up to date on this; they keep their technology up to the highest standards possible and they’re doing everything they can. And with cyber insurance on top of that, I think that would put any organization in a pretty good stance for coping with the future.”

Conley concludes: “The less companies that have to go through this, the better.”