Why Are the Consequences of Ransomware Attacks Rarely Fully Understood?
The statistics are eye-popping and the fallout is real. As technology grows, so too has ransomware’s prevalence. While security experts continue developing safer environments, bad actors constantly look for ways to compromise systems. Simply said, they don’t care who or what they disrupt.
It’s sobering to think that, according to Cybersecurity Ventures, by 2031 a business, consumer or device may endure a ransomware-related attack every two seconds, a sharp rise from every 11 seconds last year. The same research also revealed that ransomware costs are expected to skyrocket from $20 billion last year to more than $265 billion by 2031.
Seeing the Bigger Picture
The sheer scale of the problem is staggering. While ransomware attacks frequently hit the headlines, the larger costs incurred by targeted or victim companies — and individuals — are often hidden beneath the surface. Senior leadership and boards hear about ransomware attacks and their frequency, but rarely understand how an incident plays out, from immediate triage to lingering business recovery, or the impact it can have on customers, employees, and the wider public. Having worked in this industry for a long time, I know that impacted firms face reputational damage, regulatory fines, legal and security restructuring costs, and loss of production and productivity through downtime. The consequences are extensive.
So while business leaders appreciate that ransomware is disruptive, the long tail of such attacks and their true implications tend to be less understood. Likewise, most think about attacks only in terms of the impact on the victim organization, or the restoration of its business-as-usual systems, but attacks also affect the victim’s customers, third parties, and wider stakeholder ecosystem. We must recognize ransomware as a systemic threat that can also disrupt ordinary people’s lives. According to BlueVoyant’s ransomware research, unsuspecting victims also suffer consequences such as layoffs, medical treatment delays, travel disruptions, the inability to access funds, and much more.
The U.S. Experienced 65,000 Ransomware Attacks in 2021
According to our ransomware research, the U.S. saw more than 65,000 ransomware attacks in 2021, with one of the biggest — the Colonial Pipeline attack — leading to a slew of gas stations across the southeast being emptied. Colonial Pipeline paid the attackers $4.4 million for a decryption tool that restored oil operations, despite FBI and U.S. Department of Homeland Security recommendations that companies avoid paying ransoms. (Never mind that there were arrests.)
The BlueVoyant research shows that ransomware attacks put victims out of business, force hospitals to turn patients away, prevent access to critical services, cripple business operations and much more. While each attack is unique, these targeted attacks share commonalities: disruptive activity, high payouts, and sometimes double and triple extortion techniques, which are becoming more common as attackers look to take their victims for as much money as possible. Today, organizations are not only at risk of having their data locked and having to pay to get it restored; because the attackers already have access to that data in order to lock it, they also exfiltrate it, which is the basis of double extortion. In triple extortion, the attackers also demand payment from anyone who may be affected by the stolen data.
This means that attackers are not only demanding payment to unlock data, but also demanding payment not to release it on the web. Attackers then approach customers, partners, suppliers, and the extended ecosystem, and ask those organizations to pay to prevent the release of their data too.
Making the Right Decisions
Vendor organizations face a range of decisions when responding to an unfolding attack. They may need to determine whether to cease operations, especially if they don’t know the extent of the attack and are looking to prevent adversaries from advancing further into their systems. Decisions about how to respond may have to be escalated for higher authorization. If a response decision isn’t made quickly, attackers may penetrate further across systems and networks before the organization can begin its defensive response.
If the organization decides to shut down or halt operations or networks, this creates a domino effect for more decisions to be made. Company leadership is forced to determine how to move forward operationally without access to internal systems, and that’s before the company has determined whether it is going to pay or negotiate with threat actors.
The forced halt in operations means that some companies do go ahead and negotiate with attackers. A 2022 Proofpoint study found that 82 percent of British companies that had been victims of ransomware attacks paid a ransom to retrieve their data. However, cooperating with attackers, as I’ve outlined above, can lead to further exploitation, while leaders must also deal with remediation of any affected networks. If established security procedures have backed up pivotal information and systems, a company typically has more flexibility when facing criminal extortion, but this isn’t always the case.
Disclosure or Not?
Enterprises face critical decisions regarding their public communication strategy after an attack, managing not only the reputational damage but also the longer-term loss of customer trust. If Personally Identifiable Information (PII) or sensitive customer data is breached, companies are typically required to publicly disclose this. Some organizations choose to walk the fine line of not revealing the breach and simply paying the ransom to avoid embarrassment. However, this is a highly risky strategy to adopt and could lead to future issues and loss of customer trust.
In the period following an attack, organizations can also face legal, regulatory, and government scrutiny, for example from the U.K.’s Information Commissioner’s Office (ICO). Immediately after an attack, revenue growth is depressed by operational loss, and business recovery can include the cost of refactoring systems and processes, putting security improvements in place and restructuring business priorities.
Expert Help is Required
Dealing with a breach brings a minefield of decisions, which can lead the organization down a path it would rather not tread. This is why it is so important to call in the experts and ensure that the business is getting the right level of counsel and guidance. After all, you’re dealing with criminals who often don’t have the moral compass or ethics that we have come to expect in business.
Ransomware will remain prolific in 2022 and beyond, so it’s not a question of if, but when, and how prepared the business is to deal with both the incident and the aftermath.
James Tamblin is president, BlueVoyant UK.