Written by: Amit Jaju, Senior Managing Director of Ankura Consulting India Private Limited
As remote work has become more common over the past year, ransomware attacks have increased 102% year over year globally. India is the worst-hit country, with 213 ransomware attacks per organization every week, up 17% year-on-year, according to industry reports. While ransomware attacks target all industries, in India IT/ITES remains a more vulnerable sector because of its global network connectivity with overseas customers, as do government, finance and healthcare companies that handle large volumes of sensitive and personal data.
Ransomware attacks are usually delivered via phishing emails, social media posts, malicious advertisements and similar channels, using malware to infect target systems and encrypt files, databases or virtual data stores. Threat actors, who may be organized cybercriminals, cyberterrorists, insiders or state-sponsored agents, often use the “double extortion” technique, in which data is exfiltrated before it is encrypted. They then demand a ransom in exchange for decrypting the data, deleting the exfiltrated copy, or not releasing the stolen data into the public domain. Demands can amount to thousands of dollars in cryptocurrency. This affects many businesses that are subject to regulatory obligations to protect data and report breaches. Paying a ransom is also not a simple answer, given the risks of money laundering and penalties.
Apart from leaving ransom messages on screens, threat actors also use other techniques to increase pressure to pay, such as contacting vendors, customers or security companies, or threatening media leaks. Many companies that are part of international supply chains, have contractual obligations with customers, or deal with companies in countries with strict data protection laws are obligated to disclose these attacks and breaches. As many companies have large back-office operations in countries like India and the Philippines, a ransomware attack resulting in a data breach or system compromise in a back office or shared computer center can affect offices in Europe, the USA, Singapore and other jurisdictions with strict computer and data privacy laws.
To identify the root cause of any attack and determine potential financial and reputational damage, companies typically hire cybercrime experts to analyze and investigate further.
As technology evolves, so do the technical challenges of these investigations, including the availability and integrity of data, backups and logs. Previously, forensic experts recovered deleted files from the hard drive or from Volume Shadow Copies by taking advantage of loopholes in ransomware encryption techniques. However, as ransomware has advanced to more complex encryption techniques, restoring data has become difficult. Older ransomware would typically make a copy of each file, encrypt the copy and then delete the original, which allowed forensic experts to recover the deleted data to some extent; recent ransomware encrypts files in place, making recovery of deleted data ineffective. Volume Shadow Copies, which store backups of certain files, are deleted. The ransomware also encrypts both the main MFT (Master File Table), which stores all file information on NTFS (the Windows file system), and its backup copy, which makes file system recovery difficult. Free or unallocated space is wiped by the ransomware, which makes it difficult to recover deleted files.
Most organizations do not store logs, or keep logs for the operating system, databases and network devices only for a short period. These logs contain valuable information that allows investigators to perform root cause analysis and identify what activities took place during the attack and what could have caused it. Without this information, experts are limited to analyzing only the data that is available and have difficulty tracing the timeline of events.
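As an added example that is not part of the original article, the Python script below shows the kind of log-driven check a defender would run over retained process-creation logs: it scans a few constructed log lines for commands that delete Volume Shadow Copies or disable recovery (the tampering described above) and reports gaps in log coverage that would hinder reconstructing the timeline of events. The pipe-separated log layout, the host and user names, and the one-hour gap threshold are assumptions made for the example.

```python
"""
Added example (not from the article): scan constructed process-creation log
lines for shadow-copy/backup tampering and for gaps in log coverage.
The log layout "timestamp|host|user|command" is an assumption for this example.
"""
import re
from datetime import datetime, timedelta

# Indicators of shadow-copy / recovery tampering (MITRE ATT&CK T1490).
# Each case-insensitive regex is applied to the command line of an event.
TAMPER_PATTERNS = {
    "shadow_copy_delete": re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    "shadow_copy_delete_wmic": re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    "recovery_disabled": re.compile(r"bcdedit(\.exe)?.*recoveryenabled\s+no", re.I),
    "backup_catalog_delete": re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
}

# Constructed sample log lines (hostname, user and timestamps are made up).
SAMPLE_LOG = """\
2021-06-01T09:00:05|FIN-WS07|jdoe|C:\\Windows\\System32\\svchost.exe -k netsvcs
2021-06-01T09:12:44|FIN-WS07|jdoe|"C:\\Program Files\\App\\app.exe" --sync
2021-06-01T09:13:02|FIN-WS07|jdoe|vssadmin.exe delete shadows /all /quiet
2021-06-01T09:13:03|FIN-WS07|jdoe|bcdedit.exe /set {default} recoveryenabled no
2021-06-01T16:40:10|FIN-WS07|SYSTEM|C:\\Windows\\System32\\wbem\\WmiPrvSE.exe
"""


def parse_line(line):
    """Split one assumed-format log line into its four fields."""
    ts, host, user, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


def find_tampering(log_text):
    """Return (timestamp, host, indicator_name) for every matching event, in log order."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        for name, pattern in TAMPER_PATTERNS.items():
            if pattern.search(ev["cmd"]):
                hits.append((ev["ts"].isoformat(), ev["host"], name))
    return hits


def find_gaps(log_text, max_gap=timedelta(hours=1)):
    """Return (start, end, hours) for each interval between consecutive events
    that is longer than max_gap; such holes are where a timeline cannot be traced."""
    events = sorted(parse_line(l)["ts"] for l in log_text.splitlines() if l.strip())
    gaps = []
    for earlier, later in zip(events, events[1:]):
        if later - earlier > max_gap:
            hours = round((later - earlier).total_seconds() / 3600, 2)
            gaps.append((earlier.isoformat(), later.isoformat(), hours))
    return gaps


if __name__ == "__main__":
    for ts, host, name in find_tampering(SAMPLE_LOG):
        print(f"ALERT {ts} {host}: {name}")
    for start, end, hours in find_gaps(SAMPLE_LOG):
        print(f"LOG GAP {start} -> {end} ({hours} h without events)")
```

On the constructed sample the detector raises two alerts (shadow copy deletion and recovery disabled, one second apart) and one coverage gap of roughly seven and a half hours; in a real deployment the same patterns would be applied to Sysmon or Windows Security event exports, and the gap check to each host's retained log window.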
Companies use security appliances to detect and block ransomware attacks and deploy email filtering to block phishing emails, malicious files and suspicious links. Solutions such as data loss prevention establish rules to prevent unauthorized data sharing. Examining dark web forums can help identify the origin of leaked data and preview data offered for sale. However, technology alone does not solve the problem; people trained to manage these devices and mature processes are equally important. A 24/7 Security Operations Center (SOC) can be expensive, and an outsourced SOC or managed detection and response service can help keep pace with the changing threat landscape. Contracts with such outsourced vendors should be reviewed by the legal team to ensure they include appropriate obligations under applicable data protection and disclosure standards, such as breach notification deadlines.
A common best practice is to back up important data and store it in several locations, including the cloud, so that it can be restored in the event of a ransomware attack. But this requires additional storage space and increases cost. Many cloud service providers and data center vendors insist on signing standard contracts, which makes it difficult for legal teams to negotiate terms such as indemnification in the event of attacks on that infrastructure. Often backups are not tested for recovery in such scenarios, and sometimes the backups themselves are also encrypted, leaving organizations to accept data loss or to negotiate and pay.
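The two failure modes named above, backups that were never test-restored and backups that were themselves encrypted, can both be caught by a routine restore drill. The Python below is an added example, not the article's or any vendor's code: it records a SHA-256 manifest at backup time, verifies a restored tree against it, and additionally flags mismatched files whose byte entropy is close to that of random data, which is how an in-place-encrypted file looks. The file names, the manifest layout and the 7.5 bits-per-byte threshold are assumptions for the example.

```python
"""
Added example (not from the article): manifest-based restore verification with
an entropy check for backups that appear to have been encrypted.
"""
import hashlib
import json
import math
import os
import tempfile
from collections import Counter

# Assumed threshold: plain text and typical documents sit well below this,
# compressed or encrypted data approaches 8.0 bits per byte.
ENTROPY_THRESHOLD = 7.5


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def build_manifest(root):
    """Record relative path -> SHA-256 for every file under root (run at backup time)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_file(full)
    return manifest


def verify_restore(restore_root, manifest):
    """Compare a restored tree against the manifest; return findings by category."""
    findings = {"ok": [], "missing": [], "mismatch": [], "suspect_encrypted": []}
    for rel, expected in manifest.items():
        path = os.path.join(restore_root, *rel.split("/"))
        if not os.path.exists(path):
            findings["missing"].append(rel)
            continue
        if sha256_file(path) == expected:
            findings["ok"].append(rel)
            continue
        findings["mismatch"].append(rel)
        with open(path, "rb") as f:
            if shannon_entropy(f.read(1 << 20)) > ENTROPY_THRESHOLD:
                findings["suspect_encrypted"].append(rel)
    return findings


def demo():
    """Constructed drill: a clean backup of three files, then a restore in which one
    file is missing and one has been overwritten with random bytes of the same size."""
    with tempfile.TemporaryDirectory() as backup, tempfile.TemporaryDirectory() as restore:
        files = {
            "ledger.csv": b"id,amount\n1,100\n2,250\n" * 200,
            "notes.txt": b"quarterly review minutes\n" * 40,
            "config.json": json.dumps({"retention_days": 90}).encode(),
        }
        for name, content in files.items():
            with open(os.path.join(backup, name), "wb") as f:
                f.write(content)
        manifest = build_manifest(backup)
        # Restore only two files ("notes.txt" is lost) ...
        for name in ("ledger.csv", "config.json"):
            with open(os.path.join(restore, name), "wb") as f:
                f.write(files[name])
        # ... and "ledger.csv" comes back as random bytes, like an in-place-encrypted file.
        with open(os.path.join(restore, "ledger.csv"), "wb") as f:
            f.write(os.urandom(len(files["ledger.csv"])))
        return verify_restore(restore, manifest)


if __name__ == "__main__":
    for category, names in demo().items():
        print(f"{category}: {names}")
```

The drill reports config.json as intact, notes.txt as missing, and ledger.csv as both mismatched and suspect-encrypted; a backup job that ran after the ransomware had already struck would show exactly that last pattern across most of its files, which is why the manifest must be produced and stored at backup time, separately from the backup media.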
A question faced by many companies concerns the legality of paying the ransom. Paying the attacker is risky because the decryption key may not be shared, or the data may be sold despite the payment. When paying is the only option, many organizations lack experience in managing and negotiating with threat actors; professional negotiators or consultants with such experience can help initiate the dialogue. If the company holds cyber insurance, it can help recover from the loss, so it is essential to notify the insurer in a timely manner in accordance with the policy. It is important to involve the legal team when purchasing cyber insurance to understand and negotiate the terms and conditions.
Even after negotiations, companies face challenges around cryptocurrency payments, and consultants can help businesses deal with cryptocurrency brokers. After payment, cyber experts can help test the decryption software or key on a small subset of backup images. It is important to prevent further attacks during the recovery phase, as the decryption software may itself introduce other malware. Cyber experts can help ensure that the software received is safe and that further attacks are prevented by undertaking cybersecurity due diligence and a network risk assessment.
It is essential to develop an incident response plan that defines the steps a user or the incident response team takes in the event of a ransomware attack. If the organization discovers that it has been affected, the incident response or IT team and the legal team should be notified immediately. Once the infected systems are isolated, tools developed by forensic experts by reverse engineering the ransomware can sometimes be used to recover the data. They can decrypt files to their original state; however, even after decryption there may be traces of the ransomware on the system that can trigger again and re-encrypt files or the system. The other option is to format the system, but the infection may already have spread across the organization's network if the system was connected to it. The IT/security team should scan the IT environment for any further infections, and any data loss or signs of exfiltration should be identified. In accordance with applicable laws and regulations, the breach may need to be disclosed to the relevant authorities.
Regular patch management helps mitigate known system vulnerabilities and flaws. Segmenting the network by department or function helps prevent the spread of ransomware. Restricting privileged access, adopting a zero-trust policy, and minimizing the number of access points through which ransomware can enter the organization help reduce these attacks. Implementing software asset management practices with application whitelisting and blacklisting helps ensure that unauthorized software is blocked. Quarterly or periodic security and penetration tests help ensure that the network and systems are not left with known weaknesses. Regular training and user awareness campaigns, such as mock phishing tests, should be conducted to educate users on how to avoid or respond to ransomware attacks.
In today’s digital and connected world, the threat landscape changes frequently, so it is best to invest proactively in recovery techniques, tools and plans that prevent ransomware attacks or help the organization respond properly to one, thus avoiding loss of reputation or money.