
In parallel with an increasingly interconnected world, attempts at ransomware attacks on companies are on the rise, and the amount of extortion payments reached new record levels last year. [1]

      A ransomware attack is the encryption of a company's data and the extortion of ransom payments to decrypt it.

Finance departments are an attractive target for cyber criminals, as sensitive financial data can be captured and business-critical processes such as payment transactions can be hindered or prevented. In a ransomware attack, this data is the first target, and the attack usually results in the encryption of individual files or entire drives or in the blocking of access to applications. A successful ransomware attack can therefore not only lead to considerable financial losses, but also damage the trust of customers, suppliers and investors in the company. The potential for damage is therefore very high.

      In addition to preventive measures to protect themselves from ransomware attacks, companies should therefore develop a business continuity strategy in order to be prepared for the event of damage. Creating structures that ensure or restore business continuity even under difficult conditions can significantly reduce the extent of the damage.

      Methods and types of attacks

In a ransomware attack, access to a company's internal data is blocked by encryption. Both a public and a private key are used to encrypt and decrypt the data in question. The public key is sent to the victims of the attack, while the private key is known only to the attackers. In this way, the attackers can encrypt the data without the victims being able to decrypt it unless they pay the demanded ransom. If the ransom is not paid within the deadline, the attackers threaten to delete the private key, which usually makes it impossible to decrypt the data.

The attacks can come from both well-organised hacker groups and individuals. A study that analysed ransomware attacks on European companies identified the following typical approach: [2]

The first step is "reconnaissance", in which the attackers identify vulnerabilities in the company's information systems and interfaces. Once these weak points have been identified and a suitable attack method selected, a corresponding script is sent to the company via various channels in an attempt to trick it into downloading the script onto internal systems. The downloaded script gives the attackers remote control of the internal system, which they then use to carry out the intended encryption of the non-public data.

As an alternative to targeted attacks on individual companies, hacker groups regularly take the opposite approach and attack a large number of companies at once by sending out corresponding scripts, for example via email, and subsequently checking where a download onto an information system has taken place.

      Frequency in Germany and Europe

In Germany alone, according to a publication by the Federal Criminal Police Office, more than 800 companies and institutions reported ransomware attacks to the police in 2023 [3] and, according to an EU study [4], Germany is the second most affected country in the world for ransomware attacks after the United States. The annual nationwide study conducted by the German Federal Office for Information Security in 2023 also shows [5] that the largest number of suspected victims from Germany in a single year was identified in so-called "double extortion" attacks (where the data is not only encrypted but also threatened to be released), with the total doubling compared to 2022. The attacks were not limited to a specific economic sector, but posed a threat to companies of various industries and sizes (see Figure 1), with medium-sized companies being statistically the most affected.

Figure 1 (image not reproduced): Ransomware extortion payments reach new record levels. Source: Federal Office for Information Security [6]

      Possible measures for finance departments

The increasing technical complexity of treasury departments means that the possible sources of such attacks are difficult to list in full. In particular, insufficiently secured APIs (programming interfaces) can be a gateway for malware. [7] In addition, on average a quarter of a million new malware variants used in such attacks are identified every day, and they can enter a company's technical systems via various routes. [8] A company's firewall, i.e. the software that controls the flow of data between internal and external networks, is therefore constantly being put to the test. Human error, such as opening phishing emails or downloading infected files, can also lead to a successful attack.

      It is therefore crucial that treasury departments take appropriate security measures to protect themselves from ransomware attacks. A key component of a treasury department's IT system landscape is the implementation of the treasury management system, which, along with the associated interfaces, should be regularly updated and checked for security.

      Companies should also take other measures to protect themselves: one option is to create regular backups of their data and store them in a secure location. In the area of payment transactions in particular, it is not uncommon to regularly mirror the productive system and transfer it to a disaster recovery server.

This allows all or at least part of the data to be restored in the event of an attack without having to pay a ransom. Nevertheless, the security of such backups should be checked and updated regularly, as ransomware attacks also attempt to jeopardise recovery from backups: according to this year's ransomware report by Sophos, a security software developer, 94% of organisations attacked by ransomware reported that the attackers also tried to encrypt their backups. [9] One option here is to keep an offline backup [10] so that the company is prepared for the case that its cloud backups are unusable.
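As an added example (not part of the article and not a KPMG tool), the following Python script shows one way to put the "check your backups" advice into practice: it records a SHA-256 manifest of a backup set, which is kept offline and apart from the backup, and later verifies the set against that manifest, reporting missing files, modified files, and modified files whose content looks like ciphertext. The sample files, the tampering simulated in `demo()`, and the 7.0 bits-per-byte entropy threshold are constructed assumptions.

```python
import hashlib
import math
import tempfile
from pathlib import Path

# Constructed sample backup set (illustrative content only, not real treasury data).
SAMPLE_FILES = {
    "payments/2024-11-sepa.xml": b"<Document><CstmrCdtTrfInitn/></Document>\n" * 16,
    "reports/cash-position.csv": b"date,account,balance\n2024-11-01,DE00TEST,1000.00\n" * 16,
}

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: text and XML sit well below 6, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [data.count(bytes([b])) for b in range(256)]
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def build_manifest(root: Path) -> dict:
    """SHA-256 of every file under root. Keep the manifest offline, apart from the backup."""
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(root: Path, manifest: dict, entropy_limit: float = 7.0) -> dict:
    """Check a backup against its manifest; entropy_limit (an assumed threshold) flags ciphertext."""
    result = {"missing": [], "modified": [], "likely_encrypted": []}
    for rel, digest in manifest.items():
        path = root / rel
        if not path.is_file():
            result["missing"].append(rel)
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest:
            result["modified"].append(rel)
            if shannon_entropy(data) > entropy_limit:
                result["likely_encrypted"].append(rel)
    return result

def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(content)
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)  # intact backup: all three lists empty
        # Simulated attack on the backup: one file overwritten with high-entropy bytes
        # (a deterministic stand-in for ciphertext), one file deleted.
        noise = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
        (root / "payments/2024-11-sepa.xml").write_bytes(noise)
        (root / "reports/cash-position.csv").unlink()
        return {"clean": clean, "after_attack": verify_backup(root, manifest)}
```

Running a check like this on a schedule, from a host that holds only the manifest, gives early warning that a backup can no longer be relied on for recovery.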

Another protective measure is to regularly update and patch the company's IT systems to close vulnerabilities and prevent attacks. Companies should also organise training courses for their employees to inform them about the risks of ransomware attacks and raise their awareness. By combining these measures, companies can increase their chances of fending off ransomware attacks and protecting their data. According to BSI statistics from August 2022, spam messages represented around 34% of all emails in the economy in Germany, which emphasises how essential it is to protect against these attacks. [11]

      Attacked - what now?

However, if all these measures were not sufficient and an attack on the company was successful, the question remains as to whether the demanded ransom should be paid. According to a Europe-wide study, around 60% of attacked companies decided to pay the ransom in order to regain access to their data or IT infrastructure. [12] This is particularly surprising given that even a ransom payment does not guarantee the decryption of the files, and the risk of loss or publication of internal company data remains.

      The geographical location of the affected organisation also plays a decisive role in the decision regarding the response to the attack, as different regulatory provisions must be taken into account depending on the country. In the United States, for example, such a payment could be categorised as terrorist financing, which is why the legal framework should be checked in advance. Stricter regulations or restrictions on ransomware payments could also be introduced in many countries in the future. The organisation "International Counter Ransomware Initiative", which currently includes more than 40 countries, advocates tougher laws against such payments, as this creates incentives for such attacks. Until then, however, it remains the individual decision of the companies concerned to assess whether a ransom payment or the damage without payment is the lesser evil for the company.

      If a company does not categorically rule out paying a ransom, it should also consider cryptocurrencies or cryptocurrency custodians, known as wallets, as part of its business continuity strategy. Cryptocurrencies are often used as a means of payment for ransom demands. Due to their decentralised nature and anonymity, cyber criminals use cryptocurrencies to receive payments without being immediately identified. Here, it should be checked whether structures have already been created in advance to be able to make payments in cryptocurrencies for the company. Some companies even go so far as to already hold certain cryptocurrencies in order to avoid having to procure them at short notice in the event of a claim and to ensure that this option exists as a stand-alone solution even without traditional payment transactions.

      Source: KPMG Corporate Treasury News, Issue 149, November 2024

      Authors: Börries Többens, Partner, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG

      Marvin Berning, Manager, Finance and Treasury Management, Corporate Treasury Advisory, KPMG AG


[1] Cf. Ransomware payments reach record high, DerTreasurer.

[2] Cf. The Ransomware Landscape in Europe, European DIGITAL SME Alliance.

[3] Cf. Cybercrime rises again: security authorities dismantle criminal infrastructures, Federal Criminal Police Office, 13 May 2024.

[4] Cf. EU Agency for Cybersecurity (data from July 2021 to July 2022), European Union, 2022.

[5] Cf. The State of IT Security in Germany 2023, Federal Office for Information Security.

[6] Ibid.

[7] Cf. Insecure APIs cause billions in losses, DerTreasurer, 29 June 2022.

[8] Cf. The State of IT Security in Germany 2023, Federal Office for Information Security.

[9] Cf. The State of Ransomware 2024, Sophos, April 2024.

[10] Cf. Catalogue of ransomware measures, BSI, 2022.

[11] Cf. Issue 08/2022: Emails and spam emails in the economy in Germany, BSI.

[12] Cf. EU Agency for Cybersecurity (data from July 2021 to July 2022), European Union, 2022.
