How IT leaders can respond to the evolution of ransomware
With a proper strategy for response, communication, and recovery, leaders can respond to the evolution of ransomware and ensure staff are prepared for the worst
Ransomware attacks are among the most damaging types of cyber attack. A successful ransomware attack can lead to financial losses, significant downtime, and reputational harm.
However, it is also a constantly evolving attack vector, as new techniques are developed and exploited. Inspector Charlie Morrison, a veteran of the City of London Police and head of the Cyber Griffin program, and David Clarke, a former head of the fraud squad and now chief security officer for Guildhawk, explain at Infosecurity Europe 2024 that ransomware attacks are on the rise.
The key targets of ransomware attacks remain small to medium enterprises (SMEs), but there has been a gradual increase in ransomware targeting larger organizations with some international presence. These companies may not have the resources for a highly trained or experienced IT team or a complete cybersecurity suite.
Most ransomware attacks are initially conducted through phishing and social engineering, with a victim being tricked into clicking a malicious link and downloading ransomware onto the corporate network. There has also been an increased use of ransomware as a service (RaaS), where organized crime groups pay operators for ransomware attacks against specific targets.
According to Clarke, ransomware tends, unfortunately, to be underreported, which means the actual number of ransomware attacks could be far higher than records indicate. It is the opinion of both Morrison and Clarke that incidents of ransomware attacks should always be reported, as collaborating with the police could help mitigate current and future cyber attacks.
Rather than new techniques being developed, what Morrison and Clarke have observed is a refinement of known social engineering techniques. These have now – in Morrison’s words – “gone on steroids”. However, this is still the tip of the iceberg.
Evolution of ransomware: A step change in attacks and sophistication
Criminals can now launch attacks at a faster rate than ever before, leaning on generative AI tools to create hyper-personalized identity attacks and using other novel technologies as the basis for new attack vectors.
A key incident that both highlighted occurred in February 2024, when an employee at an unnamed company in Hong Kong was tricked into transferring HK$200 million (approximately $25 million) of corporate funds during a deepfake video conference call.
There are also instances of multi-vector ransomware attacks, which can incorporate elements of distributed denial-of-service (DDoS) attacks and swatting (spoofing emergency calls to make emergency services appear at a specific location). Supply-chain attacks and the exploitation of known software vulnerabilities are also known methods for attackers.
Many of the techniques employed by ransomware operators are designed to derail decision-making processes. By increasing the stress and pressure that a victim is under, attackers make the victim more susceptible to making a mistake and being exploited.
As a consequence of these highly personalized attacks, there needs to be an equally highly focused approach to training. Raising awareness of how ransomware attacks operate and how staff can be exploited through social engineering will help protect an organization against such attacks.
Previous advice for avoiding ransomware attacks remains valid, but leaders also need to focus on applying their incident response strategy to ransomware attacks. It is no longer just about prevention, but about mitigation and having actionable policies in place for when networks have been breached. These need to include data recovery in line with an organization’s backup strategy, network renewal, and a communication schedule.
Evolution of ransomware: Communicating attacks properly
There is a statutory responsibility for reporting cyber attacks, such as data breaches or ransomware, to the Information Commissioner’s Office (ICO). These reports require a full briefing of what has been attacked and a scope of the data that has been compromised.
Clients and stakeholders will also need to be informed, and leaders need to clearly define their communications strategy concerning who needs to be informed about what and when.
It is Morrison and Clarke’s view that cyber crime and fraud can be just as devastating as violent crime. The costs of a ransomware attack are far more than simply financial loss. There is also the reputational harm and downtime after a ransomware attack. This can lead to people losing their jobs and businesses becoming bankrupt.
Ransomware attacks aim to disrupt their targets by exploiting vulnerabilities. There needs to be a change in culture from apportioning blame to encouraging greater collaboration and internal cohesion within organizations. Blame culture, where people are chastised for mistakes, will not encourage people to come forward, and criminals are adept at exploiting this.
Victims of social engineering attacks are more likely to come forward if they know they will not be punished. This, in turn, will allow organizations to respond sooner – potentially before the cyber attacks can be fully realized.
It’s clear organizations need to collaborate more than ever before, as organized crime groups can operate at speed. It was noted during the discussion that the UK’s public-private sector collaboration is a world leader and an example of what can be achieved when governments work with private companies. That said, it was Morrison’s and Clarke’s opinion that more must still be done – and that this activity has to start now, before it becomes an emergency.