The rise of ransomware attacks and negotiating with cybercriminals

It’s like a scene out of a movie – employees arrive at work (or, in today’s environment, log on to their laptops and company network), only to discover they’ve been locked out of the system and their files.

A ransom note pops up with one very clear message: You’ve been hacked, your files are encrypted, and if you ever want to get back online and access your data again, you’ll need to pay a ransom in bitcoin.

The note includes a link to a site on the dark Web, where most online clandestine activities take place, and once the link is triggered, a clock starts ticking down the hours before you lose your data – forever.

A few years ago, most businesses thought this would never happen to them – especially companies in South Africa. The rise of ransomware as a service has changed the game though. Now anyone can be a hacker; all you need is access to ready-to-deploy ransomware on the dark Web.

Ransomware is a reality

A few short weeks ago, one of the world’s biggest meat processing firms paid $11 million (R150 million) worth of bitcoin to hackers to get its business back online. It was the second major ransomware attack on a US firm in as many weeks, and we expect to see more attacks as the year progresses. In 2020, around R245 billion was paid in ransom to hackers – all via bitcoin.

Closer to home, the City of Joburg experienced a ransomware attack in late 2019. I have also personally been involved in over 15 ransomware negotiations, all centred on making bitcoin payments and achieving the desired outcome of getting a business back online.

Here’s the problem. Since the launch of Bitcoin in 2009, people have been able to receive digital payments without revealing their identity. This makes ransomware attacks safer for the attackers and more lucrative, which is a dangerous combination, and we can see the steady increase in ransomware attacks as a result. In 2015, the FBI estimated that the US was subjected to a thousand ransomware attacks per day. This number quadrupled the following year.

According to Mimecast, by 2020, 92% of organisations reported that their business had seen ransomware delivered via email attachments. Nearly 30% of organisations had seen business operations impacted by ransomware during the same year.

The result? When it comes to cybercrime, it’s ransomware first and only, with everything else a distant second. To make matters worse, the implementation of the General Data Protection Regulation (GDPR) and the Protection of Personal Information Act (POPIA) is shining a spotlight on protecting personal information, which only increases the value of customer data.

Syndicates are now adding extortion to their playbooks, siphoning off confidential files before encrypting systems. If their ransom demands aren’t met, they threaten to release sensitive data to the media or auction it off on the black market.

Navigating complex ransomware situations

Today’s reality is that for every ransomware case that makes the news, many more small and medium-sized companies prefer to keep breaches under wraps. Many firms are also choosing to pay their hackers to protect their clients’ data and the business’s continuity, even though there is the obvious concern that continuing to pay ensures that ransomware remains a lucrative and growing industry. And make no mistake – this is an industry. It’s sophisticated, organised and worldwide.

So, how can your organisation protect itself?

  1. Protect your business against social engineering. Most ransomware is delivered via email or through stolen login credentials and passwords. Strict protocols, together with an understanding of how syndicates work and how they look for ways to scam employees into opening email attachments, are the first step towards keeping them out. Educate your employees and remain vigilant.
  2. Use sophisticated tech to combat smart ransomware attacks. We know that ransomware attacks are becoming more sophisticated, and cybersecurity professionals are taking action. There is a host of tools available today that can help your organisation prevent, detect and respond quickly to ransomware attacks that are threatening your business and customers.
  3. Conduct a forensic audit immediately. Time is of the essence. Whether you are negotiating a ransom or not, it’s essential to understand precisely how hackers breached your system and if they have left any backdoors for another attack. Deleting and closing breaches before a forensic audit takes place could leave you open to a second attack.
  4. Bring a professional negotiator in. Ransomware negotiations can be complex, and unfortunately, simply paying a ransom doesn’t guarantee data recovery. According to the Sophos State of Ransomware 2021 report, of the companies that chose to pay a ransom, only 8% got all their data back. Nearly a third (29%) couldn’t recover more than half their encrypted data. There are experts who have experience in these negotiations, and they can help you get the best outcome from a complicated situation: that once a ransom is paid, all data is restored.