Ransomware: five things you should know to prepare for a ransomware-ready future

Ransomware attacks are becoming more common, more effective and more costly, despite advancing defences. Here’s what you need to know to prepare your business for the day an attack succeeds.

Ransomware attacks may not be new, but they’re a growing concern for organizations. Ten to 15 years ago, ransomware was merely a nuisance. Successful attacks may have locked targets out of their systems or encrypted their data, but rarely had additional repercussions. 

But as defences against ransomware evolved, so too did the attacks. 

Over the last couple of years in particular, ransomware has been seen as a technical problem that could be solved by investments in cybersecurity tools and technologies. Yet ransomware keeps evolving and attackers keep coming up with new ways to bypass the defences organizations have put in place. 

Today, ransomware attacks are more sophisticated and severe than ever before, and the ransom amounts are significantly higher. According to Canadian insights from PwC’s Global Digital Trust Insights survey, 39% of respondents expect a rise in ransomware attacks in 2023. Yet the vast majority of organizations aren’t adequately prepared to recover from a successful attack. 

Five factors to consider

Preparing for a ransomware-ready future is possible, but it may require organizations to reimagine ransomware risks from a business perspective, not just a technical one. Here are five things you need to know about ransomware to prepare your company for the day an attack succeeds.

1. It's a technology-driven financial crime

Financial motivation is at the heart of every ransomware attack. Unfortunately, most attacks are quite successful. Putting strong technical defences in place to prevent ransomware is critical, but it is no longer enough on its own to protect your organization from a successful attack. 

Attackers have proven time and again that they can and will find a way around your security safeguards. The only guaranteed way to put an end to ransomware would be for every single target organization to stop paying up. Although ideal, this scenario simply isn’t realistic. 

There is, however, a better path forward—one that encompasses both protection and preparedness. Thinking about ransomware as a technology-driven financial crime, as opposed to strictly a cybercrime, may help your organization reimagine ransomware risks more holistically.

To pay or not to pay, that is the question

Whether to pay or not to pay a ransom is a decision most organizations aren’t prepared to make. From a moral standpoint (and from the viewpoint of the authorities), you simply shouldn’t pay. But the business reality of this decision is often very different—especially when it’s a matter of life and death, such as when critical infrastructure is at stake.

Adding insult to injury, there’s often a tight timeline to make a decision around payment. Most threat actors give organizations a mere 72 hours to make a decision. But even after three days, most organizations still don’t have sufficient information around exactly what’s happened and what the repercussions are to confidently make a decision. 

This lack of time is purposeful—ransomware actors know that 72 hours isn’t enough time to really understand the risks associated with the attack. But what if you had more time? What if you posed this question today, rather than waiting for a ransomware actor to force you to answer it in 72 hours flat?

Preparing for a ransomware-ready future

We live in a time when cyberattacks are plentiful and, for some organizations, constant. Many mature organizations understand how to deal with a ransomware attack from a technical perspective and know the systems they need to have in place to recover and rebuild. But ransomware is no longer strictly a technical attack. 

There’s an increasingly urgent need for organizations to make decisions about ransomware risks from a non-technical perspective as well. The technical perspective will never stop being important. But most organizations haven’t given the broader business risks enough consideration, and it’s those risks that can most affect an organization moving forward. 

Today, most of the decisions around responding to ransomware are business decisions. How your organization responds will depend on multiple factors. But ultimately, it comes down to preparedness. 

Here are a few things your organization can do to better prepare for a ransomware-ready future:

Conduct a ransomware readiness assessment to identify how prepared or unprepared your organization really is. If you’re hit with a ransomware attack, you can feel more confident that you already have the support you need—immediately.

Identify any gaps in your insurance policies. Many insurers no longer pay when it comes to ransomware, so make sure you’re covered. 

Understand the sanctions risk of paying certain threat actors. Even if you think you’re doing the right thing, make sure there aren’t any unexpected legal or financial consequences that come with your decision to pay or not to pay. 

Consider the role of negotiation. There may be some value in at least opening negotiations with ransomware actors. It could help you buy additional time, establish whether they have actually exfiltrated data, or even secure a lower ransom amount.

Understand what type of data you have. If data is stolen, you’ll already know exactly what your risk profile is. 

Decide as an organization what your policy will be for ransomware payment. Give yourself the ability to be flexible depending on the circumstances around the attack. 

Unite critical internal stakeholders and work together for better defence. Make sure the C-suite, board and organization as a whole are prepared to respond. 

Consider a managed service provider (MSP). Find an MSP that can constantly monitor your systems and catch precursor attacks from a technical perspective. This is particularly important given the lack of skilled talent available today. 

Assemble external stakeholders who are ready to act on your behalf. This includes security and forensics experts for incident response and investigations, communication experts to control reputational repercussions and legal teams to protect your response under privilege.

Bottom line: Don’t wait for a ransomware attack to act

Waiting until a successful ransomware attack to plan your response is like waiting for an earthquake before creating a disaster recovery plan: by then it may be too late to undo the damage. Even with the strongest technical defences in place, preventing ransomware attacks altogether is no longer realistic. Instead, organizations should assume they will, at some point, be the target of a successful ransomware attack and determine how such an attack might affect their business holistically.

Contact us

Naren Kalyanaraman

Partner, Cybersecurity, Privacy and Financial Crime National Leader, PwC Canada

Tel: +1 416 815 5306

Joseph Coltson

Partner, National Cyber Forensics Investigations Leader, PwC Canada

Tel: +1 416 687 8262