In a world that is becoming increasingly interconnected, attempts at ransomware attacks on companies are on the rise and the amount of extortion payments reached new record levels last year.¹
A ransomware attack entails a company's data being maliciously encrypted for the purpose of extorting ransom payments to decrypt it.
This makes finance departments an attractive target for cybercriminals: they hold sensitive financial data, and capturing it makes it possible to interfere with or halt business-critical processes such as payment transactions. In a ransomware attack, these data sets are the first target, and the result is usually the encryption of individual files or entire drives, or the blocking of access to applications. A successful ransomware attack therefore not only causes considerable financial losses, but can also undermine the trust of customers, suppliers and investors in the company. The potential losses are staggering.
Alongside taking pre-emptive measures to protect against ransomware attacks, companies should therefore develop a business continuity strategy so as to respond quickly and effectively in the event of an incident. The extent of any damage can be greatly reduced by putting structures in place that can maintain or restore business operations even under difficult conditions.
Attack methods and types
During a ransomware attack, access to a company's internal data is blocked by encryption. A key pair is used for this: a public key to encrypt the data and a private key to decrypt it. The public key is sent to the victims of the attack, while the private key is known only to the attackers. The attackers can therefore encrypt the data without the victims being able to decrypt it, unless they pay the demanded ransom. If the ransom is not paid within the deadline, there is a risk that the attackers will delete the private key, which usually makes it impossible to decrypt the data.
Both well-organized hacker groups and individuals may carry out such attacks. According to a study that analyzed ransomware attacks on European companies, the typical approach is this:²
The first stage is the “reconnaissance” step, during which the attackers collect details on vulnerabilities in the company's information system and interfaces. After identifying these weaknesses and selecting the appropriate attack method, a targeted script is then sent to the company through various channels in an attempt to trick users into downloading it into internal systems. Once downloaded, the script gives the attackers remote control of the internal system and then performs the intended encryption of the non-public data.
Alongside these targeted attacks on individual companies, hacker groups regularly take the opposite approach and attack a large number of companies at once by distributing such scripts, for example via email, and then checking whether they have been downloaded into any of the companies' information systems.
Prevalence in Germany and Europe
According to a publication by the Federal Criminal Police Office, more than 800 companies and institutions reported ransomware attacks to the police³ in Germany alone in 2023, and according to an EU study⁴, Germany is the second-most affected country in the world when it comes to ransomware attacks, after the United States. Similarly, the annual nationwide study conducted by the German Federal Office for Information Security in 2023⁵ shows that the largest number of suspected victims from Germany in a single year was identified in so-called “double extortion” attacks (where the data is not only encrypted but also threatened to be released), with the total doubling compared to 2022. These attacks were not concentrated in one particular sector of the economy, but posed a threat to companies of all sizes across a wide range of industries (see Figure 1), with medium-sized companies being affected the most statistically.
Fig. 1: “Known ransomware victims in Germany in the reporting period [2023] by type of target”⁶
Available measures for treasury departments
Given the ever-increasing technical complexity of treasury departments, it is almost impossible to list all conceivable sources of such attacks. APIs, i.e. programming interfaces, that are not optimally secured can in particular be an entry point for malware.⁷ In addition, an average of a quarter of a million new variants of malware are identified on a daily basis, all of which can be used in such attacks and penetrate companies' technical systems through various channels.⁸ This means that a company's firewall, i.e. the software that controls the flow of data between internal and external networks, is constantly confronted with new threats. Many attacks also succeed simply because people inadvertently open phishing emails or download infected files.
This is why it is crucial that treasury departments take appropriate security measures to protect themselves against ransomware attacks. A vital component of a treasury department's IT system landscape is the treasury management system itself, which, along with its interfaces, should be regularly updated and tested for security.
Other measures companies should adopt to protect themselves include creating regular backups of their data and storing them in a secure location. Especially for payment transactions, it is not uncommon to regularly mirror the productive system to a disaster recovery server.
In the event of an attack, this allows data to be fully or at least partially restored without having to pay a ransom. That said, these backups should always be checked and updated, as ransomware attacks also attempt to compromise the recovery of data from backups: this year's ransomware report from Sophos, a security software developer, found that 94% of organizations attacked by ransomware reported that the attackers also attempted to encrypt their backups.⁹ Keeping an offline backup¹⁰ is one way to prepare for the case where cloud backups fail.
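One concrete form of "checking" a backup, as an added example that is not part of the original article: record a SHA-256 manifest of the backup set at the time it is taken, store that manifest offline and separately from the backup itself, and later compare the backup against it. Files whose hash no longer matches, files that have disappeared and files that were never in the manifest are all signs that the backup can no longer be trusted for a restore. The directory layout, file names and contents below are constructed for the demonstration.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map every file under backup_root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup on disk with a manifest that was stored offline.

    Returns three sorted lists:
      modified   - files present in both but with a different hash
      missing    - files in the manifest that no longer exist
      unexpected - files on disk that the manifest never listed
    A backup passes only if all three lists are empty.
    """
    current = build_manifest(backup_root)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    unexpected = sorted(p for p in current if p not in manifest)
    return {"modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> tuple:
    """Constructed scenario: a clean check, then a check after the backup was tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "payments").mkdir()
        (root / "payments" / "batch-2024-11.csv").write_text("id,amount\n1,100.00\n")
        (root / "ledger.db").write_bytes(b"constructed ledger bytes")

        # Manifest taken at backup time; serialised exactly as it would be kept offline.
        manifest_offline = json.dumps(build_manifest(root))
        clean_report = verify_backup(root, json.loads(manifest_offline))

        # Simulated damage: one file overwritten with random bytes (as an encrypted
        # file would look), one file deleted, one file that was never backed up added.
        (root / "ledger.db").write_bytes(os.urandom(32))
        (root / "payments" / "batch-2024-11.csv").unlink()
        (root / "unexpected.txt").write_text("not part of the backup set\n")
        tampered_report = verify_backup(root, json.loads(manifest_offline))

        return clean_report, tampered_report


if __name__ == "__main__":
    before, after = demo()
    print("clean:", before)
    print("tampered:", after)
```

The manifest is only as trustworthy as the place it is stored: if it sits on the same share as the backup, an attacker who can encrypt the backup can also regenerate the manifest, so it belongs with the offline copy. Running the check immediately after each backup, and again before any restore, turns the "checked and updated" recommendation above into a routine with a clear pass/fail result.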
Regularly updating and patching the company's IT systems to close vulnerabilities is another protective measure. Companies should also train their employees to raise awareness of the risks of ransomware attacks. By combining these measures, companies improve their chances of fending off ransomware attacks and protecting their data. According to BSI statistics from August 2022, spam messages made up around 34% of all business emails in Germany, highlighting how essential it is to protect against these attacks.¹¹
Attacked – now what?
If all of the above measures were not sufficient and the company was attacked successfully, the question remains as to whether the ransom should be paid. A pan-European study found that around 60% of attacked companies decided to pay the ransom so they could regain access to their data or IT infrastructure.¹² This is especially surprising, as even a ransom payment does not guarantee that the files will be decrypted, and the risk of internal company data being lost or made public also remains.
When deciding on how to respond to an attack, a key factor is the geographical location of the organization concerned, as different regulatory requirements apply depending on the country. In the United States, for example, making such a payment could be classified as terrorist financing, which is why the legal framework should be checked in advance. More stringent regulations or restrictions on ransomware payments could also be introduced in many countries at some point in the future. The organization “International Counter Ransomware Initiative”, which currently has over 40 member countries, advocates for stricter laws against such payments, as this creates incentives for such attacks. In the meantime, however, it remains up to the individual companies concerned to decide whether paying a ransom or sustaining damage without payment is the lesser evil for the company.
Where a company does not categorically rule out paying a ransom, it should also look into cryptocurrencies or cryptocurrency custodians, known as wallets, as part of its business continuity strategy. They are often used as a means of payment for ransom demands. Owing to their decentralized nature and anonymity, cyber criminals often rely on cryptocurrencies to receive payments without being immediately identified. It is worth exploring whether structures should be put in place in advance for the company to make crypto payments. In fact, some companies go so far as to already keep certain cryptocurrencies in stock to avoid having to procure them at short notice in the event of a ransom demand and to also make sure that this option exists as a stand-alone solution without the need for traditional payment transactions.
Source: KPMG Corporate Treasury News, Edition 149, November 2024
Authors:
Börries Többens, Partner, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG
Marvin Berning, Manager, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG
_____________________________________________________________________________________________________________
1 see Ransomware-Zahlungen erreichen Rekordhoch – DerTreasurer.
2 see The Ransomware Landscape in Europe, European DIGITAL SME Alliance.
3 see: Cyberkriminalität erneut gestiegen: Sicherheitsbehörden zerschlagen kriminelle Infrastrukturen, Bundeskriminalamt, 13 May 2024.
4 see: EU Agency for Cybersecurity (data from July 2021 to July 2022), European Union, 2022.
5 see: Die Lage der IT-Sicherheit in Deutschland 2023, Bundesamt für Sicherheit in der Informationstechnik.
6 ibid.
7 see: Unsichere APIs sorgen für Milliardenschäden, der Treasurer, 29. Juni 2022 [Non-secure APIs cause billions in losses, der Treasurer, 29 June 2022].
8 see: Die Lage der IT-Sicherheit in Deutschland 2023, Bundesamt für Sicherheit in der Informationstechnik [The state of IT security in Germany in 2023, German Federal Office for Information Security].
9 see The State of Ransomware 2024, Sophos, April 2024.
10 see Maßnahmenkatalog Ransomware, BSI, 2022 [Ransomware catalog of measures, BSI, 2022].
11 see issue 08/2022: E-Mails und Spam-E-Mails in der Wirtschaft in Deutschland, BSI [E-mails and spam e-mails in the economy in Germany, BSI].
12 see: EU Agency for Cybersecurity (data from July 2021 to July 2022), European Union, 2022.
Börries Többens
Partner, Financial Services, Finance and Treasury Management
KPMG AG Wirtschaftsprüfungsgesellschaft