For organisations in today’s hyper-connected, digitally enabled world, cyber security attacks are no longer a question of if but of when. During the past 12 months there has been an escalation in the use of ransomware in sophisticated, targeted attacks against large organisations.
Previously, ransomware was mostly used against individuals; now, however, large, organised criminal groups are using technical means such as unpatched vulnerabilities in external, internet-facing systems or stolen user credentials to compromise organisations’ cyber environments. The disruptions caused by COVID-19 and weaker system security due to the quick adoption of solutions to enable remote working mean companies are even more at risk of a cyber security incident.
Once inside an environment, attackers conduct reconnaissance to identify the data and information they believe to be of the highest value to the company – whether this is the contents of a company fileserver, sensitive commercial information, or personal information associated with customers or employees. Often this reconnaissance occurs over an extended period of time, with the attackers using compromised user accounts to work undetected.
Attackers will then work to exfiltrate (remove) data from the environment, and in parallel deploy ransomware to computer systems across their target. This often has a crippling effect, and as witnessed from recent, high profile Australian cases, can have a catastrophic impact on an organisation’s ability to deliver services, produce products or operate at all.
Beyond systems being taken offline and made inaccessible by ransomware that locks user systems and data, victims often face a secondary (and often more significant) problem: their stolen data being made available through dark-web marketplaces and auction sites if they do not pay the ransom. A company’s data on the dark web means that not only does it face the legal consequences of privacy and confidentiality breaches, but competitors could (illegally) bid for its potentially very sensitive data.
And while businesses need to be aware of the dangers of their own systems being accessed, these attacks are becoming so sophisticated that breaching a third-, fourth- or fifth-party supplier can give attackers access to a business’s environment. This means that not only do you need to consider your own environment, but you also need to be assured of the security environment that your suppliers can offer.
The evolving cyber security landscape
Australian laws have tried to keep up with the quickly evolving cyber security landscape. Being the target of a cyber-attack is not a crime, but how an organisation responds to an attack could trigger significant legal consequences. Under the notifiable data breaches (NDB) scheme, organisations must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved and the organisation has been unable to remediate the breach.
When there is a suspected data breach, organisations need to do an assessment to determine whether it is an eligible data breach and notification is required. When there is malicious activity, understanding whether, and which, data has been copied, modified or exfiltrated is central to this assessment. In the past, if there was no evidence or indication that the data had been impacted, there was unlikely to be an eligible data breach. The challenge now is that threat actors are becoming more and more sophisticated in covering their tracks. During a ransomware attack, the encryption of the data, or the way an organisation then responds to the encryption (by restoring that data from backups), may also mask the evidence that the data was accessed or exfiltrated before it was encrypted.
Organisations need to be aware of this, ensure that evidence is not overwritten, and keep and review logs to determine whether there are indications that data could have been compromised or exfiltrated. If all an organisation is seeing is ransomware having been deployed, there is now a need to remain suspicious and look further. The decision to notify or not in those circumstances will depend on a range of factors such as the nature of the personal information impacted, the remediation steps, the risk of serious harm and the ability to minimise harm if the individuals are notified. As threat actors become more sophisticated in hiding their tracks, the assessment stage will become more complex, and it may be that we see organisations opt to notify individuals without any hard evidence of data exfiltration. Although this gives individuals a chance to monitor the impacts, it is also likely to lead to a certain amount of complacency.
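The log review described above can be made concrete. The following is an added example (not code from the original article or from any vendor) that triages egress logs for exfiltration indicators in the window before a ransomware detonation: it aggregates outbound bytes per source host and destination, ignores destinations the organisation expects bulk traffic to, and flags the rest above a volume threshold. The log format, the field names, the known-destination list, the threshold and the sample log lines are all constructed assumptions for illustration.

```python
"""Triage egress logs for data-exfiltration indicators preceding a ransomware
detonation.  Added example, not the article's own.  The 'key=value' log
format, KNOWN_DESTINATIONS, BYTES_THRESHOLD and SAMPLE_LOG are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress records: timestamp, source host, destination, bytes out.
SAMPLE_LOG = """\
2024-03-01T22:10:05 src=FS01 dst=backup.corp.example bytes_out=52428800
2024-03-01T23:40:12 src=FS01 dst=198.51.100.23 bytes_out=734003200
2024-03-02T00:15:44 src=FS01 dst=198.51.100.23 bytes_out=1258291200
2024-03-02T01:02:09 src=WS17 dst=updates.vendor.example bytes_out=2097152
2024-03-02T01:30:00 src=WS17 dst=198.51.100.23 bytes_out=943718400
2024-03-02T02:00:00 src=DC01 dst=backup.corp.example bytes_out=104857600
2024-03-03T03:05:00 src=FS01 dst=198.51.100.23 bytes_out=10485760
"""

# Destinations the organisation expects bulk outbound traffic to (constructed).
KNOWN_DESTINATIONS = {"backup.corp.example", "updates.vendor.example"}

# Per (host, destination) outbound volume above which we flag (constructed: 500 MiB).
BYTES_THRESHOLD = 500 * 1024 * 1024


def parse_line(line):
    """Parse one egress record into a dict; return None for malformed lines
    so a damaged log does not abort the whole review."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "src": fields["src"], "dst": fields["dst"],
                "bytes_out": int(fields["bytes_out"])}
    except (ValueError, KeyError):
        return None


def exfil_indicators(log_text, detonation_time, lookback_days=30):
    """Aggregate outbound bytes per (src, dst) in the lookback window before
    `detonation_time` (ISO string or datetime) and return the pairs whose
    destination is unfamiliar and whose total exceeds BYTES_THRESHOLD."""
    if isinstance(detonation_time, str):
        detonation_time = datetime.fromisoformat(detonation_time)
    window_start = detonation_time - timedelta(days=lookback_days)
    totals = defaultdict(int)
    first_seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        # Only traffic before the detonation matters for the "was data taken first?" question.
        if rec is None or not (window_start <= rec["ts"] < detonation_time):
            continue
        key = (rec["src"], rec["dst"])
        totals[key] += rec["bytes_out"]
        first_seen.setdefault(key, rec["ts"])
    findings = []
    for (src, dst), total in sorted(totals.items()):
        if dst not in KNOWN_DESTINATIONS and total > BYTES_THRESHOLD:
            findings.append({"src": src, "dst": dst, "bytes_out": total,
                             "first_seen": first_seen[(src, dst)].isoformat()})
    return findings


if __name__ == "__main__":
    # Constructed: ransomware observed detonating at 03:00 on 2 March 2024.
    for f in exfil_indicators(SAMPLE_LOG, "2024-03-02T03:00:00"):
        print(f"{f['src']} -> {f['dst']}: {f['bytes_out'] / 2**20:.0f} MiB, first seen {f['first_seen']}")
```

Run against a copy of the logs rather than the live store, so the review itself does not overwrite evidence. The `first_seen` timestamp is the value that matters for the NDB assessment, because it bounds when the data may have left the environment.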
Recovery from ransomware attacks
The difference between a good and a bad outcome from a security incident is how quickly an organisation can detect and respond to it. A security incident doesn’t just mean a breach: incidents are being enacted every single day, whether by automated malware that continually scans systems or by a human on the other side trying hard to get into an organisation.
The OAIC recommends that organisations really need to understand how and where their data is stored and look at additional controls around data that is likely to be targeted. This may be employee records, IP, customer databases or commercially sensitive information.
The key to ransomware attack recovery is preparedness, timely detection and efficient response across multi-disciplined organisational functions, including:
- Understanding and the ability to locate the data assets that your business holds that are critical to its recovery.
- Creating a data strategy that minimises the amount of data that’s being held to reduce potential exposure.
- Implementing controls and assurance to ensure identified information assets are appropriately protected, and there is organisational awareness of the key risks.
- Deploying early detection capabilities for ransomware attacks across the identified critical assets, and increasing monitoring during response to improve the chances of a successful recovery.
- Preparing appropriate and timely action by pre-establishing clear plans of action to respond and recover, including the multi-discipline areas of legal, forensics, privacy, crisis management, marketing, cyber security, communications and board involvement.
- Equipping the business for recovery and wider impact assessment. The clear plans of action should extend to the recovery process and include data/service restoration and the same multi-discipline areas, to improve the chances of restoring business as usual and restoring confidence in enterprise security controls.
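One form the early-detection item above can take on a file server is watching its audit trail for the signature of mass encryption: a single account renaming many files to an unfamiliar extension within seconds. The following is an added example (not the article's own, and not any product's detection rule) that applies a sliding-window count to constructed audit events; the event layout, the baseline extension set, the thresholds and the sample events are all assumptions for illustration.

```python
"""Early detection of mass-encryption activity from file-server audit events.
Added example; the event tuples, BASELINE_EXTENSIONS, RENAME_BURST and
BURST_WINDOW are constructed assumptions, not the article's or a product's."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import os

# Constructed audit events: (timestamp, user, action, path).
SAMPLE_EVENTS = [
    ("2024-03-02T02:59:50", "jsmith",  "write",  r"\\FS01\finance\q1-forecast.xlsx"),
    ("2024-03-02T03:00:01", "svc_bk",  "read",   r"\\FS01\finance\q1-forecast.xlsx"),
    ("2024-03-02T03:00:02", "jsmith",  "rename", r"\\FS01\finance\q1-forecast.xlsx.lk3"),
    ("2024-03-02T03:00:02", "jsmith",  "rename", r"\\FS01\finance\budget.docx.lk3"),
    ("2024-03-02T03:00:03", "jsmith",  "rename", r"\\FS01\finance\payroll.csv.lk3"),
    ("2024-03-02T03:00:03", "jsmith",  "rename", r"\\FS01\finance\vendors.xlsx.lk3"),
    ("2024-03-02T03:00:04", "jsmith",  "rename", r"\\FS01\finance\contracts.pdf.lk3"),
    ("2024-03-02T03:00:05", "jsmith",  "write",  r"\\FS01\finance\README_RESTORE.txt"),
    # Routine housekeeping by another user: familiar extension, minutes apart.
    ("2024-03-02T03:09:00", "amiller", "rename", r"\\FS01\hr\old-policy.docx.bak"),
    ("2024-03-02T03:20:00", "amiller", "rename", r"\\FS01\hr\old-policy2.docx.bak"),
]

# Extensions normally present on these shares (constructed baseline).
BASELINE_EXTENSIONS = {".xlsx", ".docx", ".csv", ".pdf", ".txt", ".bak"}

RENAME_BURST = 5                       # this many renames to an unfamiliar extension...
BURST_WINDOW = timedelta(seconds=60)   # ...within this window raise an alert


def extension(path):
    """Lower-cased final extension of a path ('.lk3' for 'budget.docx.lk3')."""
    return os.path.splitext(path)[1].lower()


def detect_encryption_bursts(events, burst=RENAME_BURST, window=BURST_WINDOW):
    """Return one alert per user whose renames to a non-baseline extension reach
    `burst` within a sliding `window`.  Renames to familiar extensions are ignored,
    which keeps routine archiving (e.g. to .bak) out of the alert stream."""
    recent = defaultdict(deque)   # user -> timestamps of suspicious renames in window
    alerted = set()
    alerts = []
    for ts_str, user, action, path in events:
        if action != "rename" or extension(path) in BASELINE_EXTENSIONS:
            continue
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:   # drop renames that fell out of the window
            q.popleft()
        if len(q) >= burst and user not in alerted:
            alerted.add(user)
            alerts.append({"user": user, "ext": extension(path), "count": len(q),
                           "first": q[0].isoformat(), "last": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for a in detect_encryption_bursts(SAMPLE_EVENTS):
        print(f"ALERT {a['user']} renamed {a['count']} files to {a['ext']} "
              f"between {a['first']} and {a['last']}")
```

The alert fires on the fifth rename, two seconds into the burst, which is the point at which the account can be disabled and the share taken read-only while most files are still intact. Tune `RENAME_BURST` and `BASELINE_EXTENSIONS` per share from a week of normal audit data, since a migration or archiving job will otherwise look the same as an attack.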
Prevention, though, is always better than a cure, and one of the most important elements of protection is education. The vast majority of ransomware attacks are enacted through emotive phishing campaigns that convince employees to enter their credentials. To prepare a workforce for possible attacks, organisations should perform regular phishing exercises, which help educate teams and bring about the culture change of being more aware of this form of attack.
Another critical element for organisations once they have been attacked is to understand the root cause. While on face value these attacks can seem to be ransomware and nothing else, once forensics starts investigating the data it can become apparent that the attackers were after critical business information, not money, and that they have been in the system for 12 to 18 months, undetected. Businesses must be careful to investigate not only confirmed incidents: a near miss, or detections that access might have been sought but not gained, can be a signal that you’re under attack or that something more sinister is going on.
And while these action plans will assist in detection and recovery, key to a successful recovery is to have a plan that’s tested and ready to be enacted across all areas of an organisation.