Ransomware attacks are becoming more common, more effective and more costly—despite advancing defences. Here’s what you need to know to prepare your business for a successful attack.
Ransomware attacks may not be new, but they’re a growing concern for organizations. Ten to 15 years ago, ransomware was merely a nuisance. Successful attacks may have locked targets out of their systems or encrypted their data, but rarely had additional repercussions.
But as defences against ransomware evolved, so too did the attacks.
Over the last couple of years in particular, ransomware has been seen as a technical problem that could be solved by investments in cybersecurity tools and technologies. Yet ransomware keeps evolving and attackers keep coming up with new ways to bypass the defences organizations have put in place.
Today, ransomware attacks are more sophisticated and severe than ever before, and the ransom amounts are significantly higher. According to Canadian insights from PwC’s Global Digital Trust Insights survey, 39% of respondents expect a rise in ransomware attacks in 2023. Yet the vast majority of organizations aren’t adequately prepared to recover from a successful attack.
Preparing for a ransomware-ready future is possible, but it may require organizations to reimagine ransomware risks from a business perspective—not just a technical one. Here are five things you need to know about ransomware to prepare your company for a successful attack.
Financial motivation is at the heart of every ransomware attack. Unfortunately, most attacks are quite successful. Putting strong, technical defences in place to prevent ransomware is critical, but is no longer enough to protect your organization from a successful attack.
Attackers have proven time and again that they can and will find a way around your security safeguards. The only guaranteed way to put an end to ransomware would be for every single target organization to stop paying up. Although ideal, this scenario simply isn’t realistic.
There is, however, a better path forward—one that encompasses both protection and preparedness. Thinking about ransomware as a technology-driven financial crime, as opposed to strictly a cybercrime, may help your organization reimagine ransomware risks more holistically.
Almost every ransomware attack now uses data exfiltration, or the unauthorized transfer of data from a device or network, which adds another layer of risk to organizations.
Theoretically, ransomware attacks continue to become more sophisticated because organizations are getting better at defending themselves. But modern attack methods are often able to bypass most of the basic protections that organizations have in place.
Ransomware-as-a-Service (RaaS) lowers the barrier to entry even further, as cyberattackers no longer need to develop their own malware. Additionally, many ransomware attacks are still launched through phishing or spear phishing campaigns, and organizations that don’t put as much time and effort into training their employees tend to be easier targets. Some ransomware actors even launch secondary attacks to pressure organizations into paying.
The chances of avoiding or preventing a sophisticated ransomware attack are difficult to calculate with precision. Assuming your organization will be targeted at some point, however, is a practical starting point for preparing for such an attack.
Ransomware attackers often use double extortion: they first demand payment to return the data or provide a decryption key, then demand an additional payment to destroy their copy of the exfiltrated data, threatening to publish it otherwise.
Ransomware is often successful and is becoming increasingly accessible to threat actors. But with a lower barrier to entry, most ransomware attacks today are less thoroughly researched than previously thought. Ransomware attackers are often given too much credit, when in reality their attacks may be akin to throwing spaghetti at the wall to see what sticks. While many threat actors plan ahead and hit organizations with deeper pockets, in all likelihood there are just as many that don’t.
Calculating the cost of ransomware risks is often challenging due to nuances that make them unique compared to other types of cyberattacks. Not only are there threats of system outages or disruptions to business operations, but there are also threats of reputational or financial harm, not to mention the cost of litigation.
Being prepared to respond to a successful ransomware attack could save your company time and money if an attack should occur. Understanding what’s at risk from a financial, operational, reputational and regulatory perspective may help you answer any questions about whether or not to pay.
Authorities often lack the resources to investigate or prosecute ransomware attackers. More often than not, ransomware actors launch attacks from countries where prosecution isn’t possible. While we may hear some examples of instances of threat actors being arrested and prosecuted, there is often politics at play in these unique situations.
For the most part, ransomware actors correctly believe that they can attack organizations with impunity. It’s unlikely this will change in the near future.
There have been many attempts to quantify just how bad the ransomware problem really is, but there simply aren’t reliable statistics about ransomware out there. Oftentimes, the organizations that do pay don’t want it to be known that they’ve paid.
It may be difficult to say with certainty that ransomware has become more successful without any empirical evidence to support that claim. But the frequency of attacks leads us to believe that they are often successful.
Remember, most successful ransomware attacks never appear in the media and many may go unreported altogether. If the data we do have suggests the problem is bad, in all likelihood it's much worse. When successful ransomware attacks do make the news, try to imagine how your organization would respond in a similar situation.
For an example, see the Conti cyber attack on the HSE.
Whether to pay or not to pay a ransom is a decision most organizations aren’t prepared to make. From a moral standpoint (and from the viewpoint of the authorities), you simply shouldn’t pay. But the business reality of this decision is often very different—especially when it’s a matter of life and death, such as when critical infrastructure is at stake.
Adding insult to injury, there’s often a tight timeline to make a decision around payment. Most threat actors give organizations a mere 72 hours to make a decision. But even after three days, most organizations still don’t have sufficient information around exactly what’s happened and what the repercussions are to confidently make a decision.
This lack of time is purposeful—ransomware actors know that 72 hours isn’t enough time to really understand the risks associated with the attack. But what if you had more time? What if you posed this question today, rather than waiting for a ransomware actor to force you to answer it in 72 hours flat?
We live in a time when cyberattacks are plentiful and, for some organizations, constant. Many mature organizations understand how to deal with a ransomware attack from a technical perspective and know the systems they need to have in place to recover and rebuild. But ransomware is no longer strictly a technical attack.
There's an increasingly urgent need for organizations to make decisions about ransomware risks from a non-technical perspective. The technical perspective will never stop being important. But most organizations haven't given the broader risks enough consideration, and it's those risks that can most affect an organization moving forward.
Today, most of the decisions around responding to ransomware are business decisions. How your organization responds will depend on multiple factors. But ultimately, it comes down to preparedness.
Waiting until a successful ransomware attack to plan your response is like waiting for an earthquake before creating a disaster recovery plan—it may be too late to undo the damage it caused. But even with the strongest technical defences in place, preventing ransomware attacks altogether is no longer realistic. Instead, organizations should assume they will, at some point, be the target of a successful ransomware attack and determine how such an attack might affect their business holistically.
Partner, Cybersecurity, Privacy and Financial Crime National Leader, PwC Canada
Partner, National Cyber Forensics Investigations Leader, PwC Canada