Ransomware - How can you mitigate an attack?

Imagine waking up to a message that part or all of your organisation’s most valuable data had been stolen by cybercriminals and was being held to ransom. It’s a scenario increasingly faced by IT teams daily, within small companies and household names. Recently The Royal Mail experienced an attack that resulted in 11,500 Post Office branches across the UK being unable to handle international mail or parcels.

Many ransomware groups pulled the trigger on attacks during the pandemic, driving the NCSC’s chief executive to describe ransomware as "the biggest online threat to people in UK". She noted that the groups behind the attacks are increasingly professional, exploiting “large profitable businesses who cannot afford to lose their data…or to suffer the down time.”

Today, the threat is just as imminent. There are several reasons for this. A report by FS-ISAC, a not-for-profit organisation focusing on cybersecurity in the financial services industry, highlighted the impact that Russia’s invasion of Ukraine had on the global cyber threat landscape, sparking a flood of ideologically driven ‘hacktivism’ where nation states provide funding to hackers.

At the same time, the threat surface is growing as organisations are ever more connected through an increasing ecosystem of partners, suppliers, and technologies.

And new tools powered by artificial intelligence (AI), such as ChatGPT, are springing up almost daily on the Dark Web. As a result, hackers now have the ability to flood computer networks everywhere with endless stream of attacks.

All these factors have come together to create a perfect storm for cybercriminals to execute increasingly sophisticated ransomware attacks on organisations. The threat is such that a report by the World Economic Forum (WEF) found that business leaders are “far more aware” of the cyber threat than they were a year ago.

Responding to increased cyber risks

Indeed, our own C-suite Barometer 2023 research shows UK C-suites are confident in their level of data protection (65% say completely protected, similar to 66% globally). Half think the cyber risk has increased in the last year, but an overwhelming number (94%) are confident they can manage these risks.

But the truth is that many organisations are still failing to address the basics of cybersecurity. For example, knowing what their key assets are, knowing how to protect them, and knowing how to patch them. This is due in part to the scale and pace of digital growth that companies have undertaken in recent years. It has become a challenge to secure their digital footprint.

It can sometimes also be difficult to prioritise security activities when you’re busy running a business. During the pandemic the priority was to establish a new remote workforce almost overnight, and security took a back seat, for example. So ensuring best cyber best practice can often fall behind keeping things up and running for IT teams, and security ends up an afterthought.

And it’s not necessarily a case of organisations being complacent. Many times, it just boils down to a lack of resources, or not having the right teams in place to manage cybersecurity. Ultimately, companies should be thinking about their investment in cybersecurity the same as they do with Health and Safety.

First steps following a ransomware attack

First and foremost, don’t panic. Every organisation should have a well-defined and tested incident response playbook that they turn to immediately, tailored to the individual organisation. Within it are contacts to call when – not if – they are attacked. If they don’t have the expertise in-house to resolve the situation, they should reach out to their third party consultants or trusted advisor for advice.

Know who does what in the aftermath of an attack. That playbook should include a list of roles and responsibilities for the CISO, the C-Suite, operational staff, communications and legal that are clearly defined and tested prior to an attack occurring. Who’s going to report the data breach to the ICO, is one example of allocating roles after an attack.

Understand the scale of the attack. It may look substantial at first glance but take a step back, understand what is happening – what data has been compromised, what systems were compromised? Again, your third party will help with understanding this.

Don’t pay – unless there’s a potential risk to human life.

Taking preventative measures

In the case of the Royal Mail, the organisation didn’t pay out the £67 million ransom sought by hackers linked to Russia. It employed a negotiation tactic with the hackers, asking for proof of the data that was compromised – a source of frustration to the attack group.

However, it’s worth noting that many times, organisations, especially smaller companies, don’t report attacks. Instead, they pay because they think they’ll get their data back.

But once you pay out, you lose either way. Once your systems are compromised by an attack group, it’s even easier to get hit again – and again. Secondly, those hackers have your data already, and often will go ahead and sell that information on the Dark Web, regardless of whether you pay or not.

So, what proactive measures you can you take to help prevent an attack?

Fix the basics. Understand your assets, and what if any vulnerabilities exist within those assets. Prepare a plan to remediate those vulnerabilities. Establishing a clear plan to respond to cyberattacks.

Also, test. Often organisations have a playbook, but they are often not tested, out of date, or it hasn’t been applied to a crisis. Run simulations to test the IT team’s detection and response capabilities and if they follow correct procedure.

These attacks remain a constant threat to organisations of all sizes and industries. It is critical you understand the risks and ensure you take every precaution to avoid being the next victim of a devastating ransomware attack.

Return to C-speak - Technology trends, turbulence and tactics