If companies continue to pay, will ransom seekers ever go away? This was a recurring theme in the panel 'Ransomware Comes of Age', at Ropes & Gray’s 'The Future of Global Data Protection' digital conference last week. 

Edward McNicholas, co-leader of the Ropes & Gray data, privacy & cybersecurity practice, led a panel discussion featuring panelists Heidi Wachs, of Stroz Friedberg, Bill Hardin, of Charles River Associates, Rob Yellen, of Willis Towers Watson and Matt Gayford, of Unit 42 by Palo Alto Networks.

In this 60-minute session, topics discussed included:

  • The financial impact of ransom attacks
  • Whether cryptocurrency was a threat actors’ assistant
  • Cyber insurance
  • Patches
  • Top tips to protect your company
  • Likely future trends

Please see below for an overview of some of these topics, or to access a recording of the session please visit our blog: RopesDataPhiles.

Numbers: financial and volume

When discussing ransomware, one of the key points to arise is the financial impact to a company: it can, quite literally, devastate a business.

Discussing how ransom demand amounts have steeply risen over the last few years, Matt commented that ultimately it is a hugely profitable space for threat actors. Ransoms demands are increasing, with numbers sometimes into the US$10+ million range, and with significant profit to be made, the trend is likely to only get worse for companies.

Coupled with this is the significant increase in the number of attacks. Heidi and Bill both commented that they have been flooded with requests for assistance on incidents. Heidi commented that this increase and the evolution is not just in frequency and size, but also impact. Essentially, threat actors have realised that their tactics are very effective and with a low barrier to entry into this market, which lacks the risks of some other forms of extortion and has a high rate of success, more and more companies are left with their hands tied, looking for a way out of the financial hit that usually comes with such an attack.

Is that the worst they can do?

Unfortunately, no it is not. Threat actors are not just demanding money and leaving the company alone if you say no: they have evolved. Bill discussed data exfiltration - the concept of extracting data without authorisation, and how the threat of selling this data is becoming more common. This threat is accompanied by an increase of extremely aggressive threat actors, with intimidating emails, calls and full on blackmail on the rise.

Another common occurrence is the encryption of backups. Heidi added that the first phrase they previously heard when speaking to a client was “we have backups” – but now, unless these are properly separated and stored, these may well be targeted too. In addition, if a company does pay, how do they know the threat actors will genuinely go away? Traditionally, there has been the concept of 'honour among thieves', but if this data is exfiltrated and there is the potential to make further money by selling access, that is going to become a more serious issue.

“What should I do to avoid this?” is hopefully the main question you’re thinking right now: so keep reading…

Six things to protect your company against ransomware

A range of measures were discussed, with our panelists giving a few top tips on how to protect your company:

  • Multifactor authentication: this should be standard practice now, as a minimum.
  • Access control, management and review: ensure access (such as passwords and profiles) are secure.
  • Due diligence: beyond the usual diligence, don’t forget to inspect the cyber and code aspects when acquiring another company – you never know what you are integrating.
  • Defence in layers: threat actors are getting creative, so having layers of defences is key (end point detection response tools, detailed firewall logs that can be reviewed and monitored, etc.).
  • Attack surface management: understand what the company has, including what devices there are and who does what, to learn where your gaps are. Once you understand what is vulnerable, you can work to increase protection and gain full coverage. 
  • Consider insurance: ransomware attacks can happen to anyone and to continue operating smoothly when it occurs, adequate insurance well-tailored to the company can help to shift the risk. Seek professional help when you purchase insurance to make sure the company receives everything it wants and the support it needs.

Future gazing

Edward concluded the session by posing the question of whether we will be having the same discussion in three to five years' time, or if ransomware is a solvable problem.

It was generally agreed that provided there is a vulnerability, ransomware is unfortunately not going anywhere. High profile cases end up in the media, but small and medium-sized businesses are also targeted. As long as there’s an opportunity to make money or do damage, threat actors will continue to target businesses of all sizes.

Rob predicted that a more diverse regulatory framework is likely to be introduced to tackle the threat actors more directly and Bill foresaw other types of extortion and blackmail emerging, expanding into targeting individuals following new opportunities provided by technology such as “wearables”. To provide some optimism, Heidi suggested that awareness is rapidly growing and as companies are upgrading and developing, they are ultimately becoming more challenging to attack.

This brings us back to the thought, if companies continue to pay, will ransom seekers ever go away? It is clear that as companies become more sophisticated, so do threat actors. Might this lead to sophisticated threat actors streamlining their efforts to focus on 'big fish' for a bigger payday, with less refined threat actors targeting the smaller and less worldly companies for ease, leaving a safe gap for those companies in the middle? 

There is no silver bullet or quick solution for any company and it is clear that companies need to continue adapting. 

The key takeaway message is to stay current, continue to put in layers of defenses to protect your company and request a recording of the session from our blog (RopesDataPhiles) for further information.