Ransomware has become one of the top cybersecurity threats today. In 2019 it reached new heights, with the number of reported incidents doubling from the prior year and affecting both the public and private sectors, writes Wendi Whitmore, VP of IBM X-Force Threat Intelligence. These attacks are especially devastating because, unlike a DDoS attack or data theft, they render systems unusable outright, which can halt critical services in industries like healthcare and emergency services. Cybercriminals are also constantly refining their ransomware methods for a higher return on investment.
Unfortunately, evidence suggests that many companies are not preparing for this threat, and a specific ransomware incident response plan is a rarity: a recent study from IBM Security revealed that even among the more advanced organizations that have security playbooks for different types of attacks, fewer than half have a plan in place for ransomware.
Organizations might be overlooking how these attacks differ from other cyber threats, and specifically how they force emergency decisions. Ransomware victims face time-critical choices, such as whether to shut services down completely to limit further damage, or to pay a ransom immediately in order to keep essential services running, like medical operations in a connected hospital or a government system.
It is important that organizations understand the complex and evolving ransomware landscape, and how it differs from other types of attacks, so they are better prepared to stop and respond to it. Generic, catch-all cyber response plans aren’t going to cut it: ransomware is a different beast and needs to be treated as such.
Ransomware Attackers are Getting Bolder
Ransomware has picked up a lot of momentum in the last decade and has become a central point of discussion for cybersecurity incident responders over the last several years. However, just because these attacks are no longer new doesn’t mean they are slowing down. Why are cybercriminals still using this technique after all this time? Because it works. Ransomware attacks cost organizations an estimated $11.5 billion in 2019, up $3.5 billion from the previous year.
Over the last several years, cybercriminals have gotten smarter about how they leverage this disruptive technique in order to create the most return on investment. In the early days of ransomware attacks, many of the attacks were carried out randomly by amateurs using malware packages they purchased from malicious coders.
Lately, I’ve seen a shift in the way these attacks are carried out through our work with clients at IBM X-Force Incident Response and Intelligence Services (IRIS). Attackers, often operating as organized hacking groups, now spend as long as several months inside an organization’s network after gaining access, getting a better lay of the land and learning which systems are the most valuable. This extended reconnaissance pays off by letting them demand larger ransoms from their victims. Just a few years ago we saw criminals asking for as little as $1,200; this year we saw ransomware demands ranging from $10,000 to $25 million.
Preparing to Stand up to Attackers
Ransomware is a form of cyberattack whose operators adapt quickly to changing defenses and business conditions. Therefore, it is important for organizations to have a response plan that takes into account both the specific factors that make ransomware different from other attacks and the organization’s current situation.
It’s easy to underestimate ransomware attacks because they appear to have a very clear response plan: 1) Get infected; 2) Pay the ransom; 3) Get back online and go about your business. Especially when the ransom price is low or a cyber insurance policy will cover the ransom cost, it can be tempting to just pay off the attackers and forget about the whole affair. However, in my nearly 20 years working in incident response, I’ve found that it is not cheaper to pay the ransom than it is to resolve the core security issues. Cybersecurity teams still need to investigate the origins of the attacks and scrutinize corporate systems to ensure that the cybercriminals have left no means to infect the systems again after the ransom is paid. Otherwise, the organization may end up paying double—or triple—the ransom over a series of attacks.
Either way, whether by running the attacker’s decryptor or by restoring from backups, IT teams have to recover each affected device individually, which is rarely a seamless process. Depending on the number of systems and the volume of data affected, it can take days to months of work to restore systems to full operation. Therefore, it is important for organizations to decide beforehand exactly how much risk they are willing to incur and how much time they are willing to spend before deciding whether to pay a ransom.
Most organizations have not yet done this level of detailed planning. Even among organizations that have built a formal cybersecurity incident response plan, only about a third also have playbooks for specific types of attacks, according to the 2020 Cyber Resilient Organization Report. The study also found that 52% of organizations that do have response plans have never reviewed them, or have no set time to review or test them, meaning that these plans are not adapting to the organization’s current operational and risk landscape.
Unfortunately, ransomware attacks have become even more pressing in the pandemic era. Hospitals are increasingly a target, with more than 750 healthcare providers impacted by ransomware in 2019 alone, even before the pandemic magnified their importance. But other organizations have reasons to worry, too. As more employees started working from home to comply with social distancing measures, they stepped out from behind the corporate network firewalls that usually protect their computers, giving cybercriminals a broader attack surface to infect systems.
How to Move Forward
Response plans coordinate the actions of each team member so that they spend less time figuring out what to do in the event of a ransomware attack and more time responding. Time is of the essence, because the longer it takes to contain an attack, the longer the business spends in a state of disruption, and the costlier it becomes.
Therefore, the most important way to prepare for ransomware attacks is to develop a specific set of procedures in a cybersecurity incident response plan that address the unique situation of a ransomware attack. Then, the plan needs to be thoroughly reviewed and tested on a regular basis to ensure that the plan still works and that it has adapted to the current needs of the business. According to the 2020 Cyber Resilient Organization Report, companies that spent the time to develop and apply an incident response plan had fewer incidents that resulted in a significant disruption to the organization within the past two years compared to those that didn’t.
That plan should include preparation in advance of an attack, such as maintaining offline backups (kept out of reach of any credentials the attacker could steal) and regularly testing that they can actually be restored, so operations can resume quickly and cheaply. It also needs to include guidelines for finding and closing the weakness that allowed the initial infection, so that the attackers cannot simply return. It may also help to seek guidance from professional incident response advisors to make sure the plan accounts for the needs of the industry and the latest threat intelligence. They can also help test the plan to make sure that all team members know the steps needed to investigate and remediate a specific attack.
With ransomware’s ongoing evolution and its recent spike in the face of our new normal, one thing is clear: it’s not going anywhere. Organizations should be using this time, especially as they navigate remote workforces, to reevaluate their risks and prepare specifically for this attack; otherwise the results could be costly.