Held to ransom

With ransomware attacks on the rise, establishing a process of triage for responding is essential. Simulation exercises can alert directors and executive teams to the issues and help them better prepare.

It was the phone call the chief information officer (CIO) of the Melbourne software company had long feared. After several hours of worsening IT issues brought operations to a halt, a ransom note demanding payment of $1.1m in cryptocurrency was found. As well as disabling IT systems, the perpetrators claimed to have exfiltrated sensitive company data and personal information about customers. They would release it on the dark web if the ransom was not paid in a matter of days.

The board came together via video link for the first of a series of round-the-clock crisis meetings. The chair reeled through a list of questions for board members, who looked stricken as it sank in just how little information they had to help decide whether to pay the ransom.

“Do we understand where the ransomware attack has come from? Have we been specifically targeted or just caught in a sort of drive-by shooting? What certainty is there that the perpetrators will unlock the data? Are critical or non-critical systems affected?”

These events were part of the simulation of a ransomware attack in which executives and directors are stepped through real-time experience and decision points. Until it actually happens, it’s hard to get a feel for what is involved and how best for board and management to respond. Furthermore, foolproof prevention is all but impossible, so it pays to be prepared.

A simulation lasts between 90 minutes and 2.5 hours, and involves an organisation’s IT team, heads of privacy, legal and communications departments, the executive leadership team and the board. The board comes together as it usually would during a crisis, whether that be in person or via videoconference. A cybersecurity expert typically works with someone inside the organisation to build the scenario — to make it as realistic as possible.

Ethical dilemma

A ransomware attack triggers a dilemma that could fundamentally impact an organisation’s reputation, should the matter become public. Directors must also consider business continuity and safety issues, which are heightened when interrupted business operations relate to health services. In September last year, the first death directly linked to a ransomware attack occurred when a hospital in Germany couldn’t accept emergency patients due to network issues and had to send the female patient to a healthcare facility 30km away.

Cybersecurity consultant Michael Wallmannsberger is a former Air New Zealand chief information security officer (CISO). “Working out how to deal with an attack is really a decision for directors, because there is often an ethical component to their decision-making,” he says.

Anatomy of an attack

Wallmannsberger says the extortion that occurs through a ransomware attack typically follows a pattern. It begins with a period known as “dwell time”, when the attacker enters an organisation’s network — often after detecting an entry point via out-of-date software. “They will be exploring the organisation and moving laterally through its infrastructure and extracting data,” says Wallmannsberger.

It’s likely that executives, the board and IT staff will still be oblivious at this stage. “The attackers will then do something to disable the organisation, such as disrupting manufacturing, after which time the ransom demand is issued,” he adds.

Most attacks nowadays are “twin-headed” like the one described above, says Richard Watson, lead partner of APAC cybersecurity risk management at EY Asia-Pacific. The attackers simultaneously disable systems and steal data, then issue a threat along the lines of: if you don’t pay us to unlock your systems, we’ll release this sensitive data into the public domain via the dark web.

“You’ve got two issues you have to deal with at once — the business continuity problem and working out whether they really do have your data and will release it if the ransom isn’t paid,” says Watson.

Most companies are unprepared

PwC Australia cybersecurity partner Andrew Gordon says that the aftermath of a ransomware attack is a highly stressful time for a variety of reasons — not least of which is the time pressure under which big decisions must be made. “Staff may be concerned that their own data has been stolen, as well as the organisation’s. There’s a lot of pressure from customers to continue to deliver services that they’re contracted for. It can be a very busy time when you’re dealing with many operational matters and not thinking about your strategic agenda.”

Many directors mistakenly assume a ransomware attack is best resolved by technical experts. “A lot of organisations fall into the trap of thinking, ‘It’s an IT problem and we’ll just restore our IT systems somehow’,” says Watson. “But we know from some of the recent attacks in Australia that business ramifications can be significant. As we saw last year, the effects of digital disruption can be large. We are so digitally connected that if a beer bottling machine or a broadcast system isn’t operational, it can take a long time to get it back online. Most companies are not on top of this, as judged by the fact that we’ve seen a huge increase in inquiries on this particular topic over the past year.”

To pay or not to pay?

The most critical decision of all is whether or not to pay the ransom. The formal position espoused by cybersecurity experts and the policy of most companies is “no”. The Australian Cyber Security Centre is clear in its advice: “Never pay a ransom,” states its website. “There is no guarantee you will regain access to your information. You may also be targeted by another attack.”

The reality however, can be different, says Watson. “We advise companies never to pay a ransom, but we know that companies do pay, and there may be certain scenarios where you would consider paying, such as if there was significant safety risk.”

When the data that cybercriminals are threatening to release is sensitive to your customers, such as health data, there’s a strong case that a company acting in the best interests of its customers might want to pay a ransom, notes Wallmannsberger. “The decision has to be made on a case-by-case basis. I’d certainly not take a black- and-white view,” he says.

There have also been cases when companies have paid, but the decryption keys haven’t been supplied — either deliberately or because the cybercriminals were amateurs who were unable to decrypt the locked files. Either way, the money went up in smoke.

“Our rationale is that there’s no honour amongst thieves,” says Watson. “You may just be throwing good money after bad. And if you’re a known payer, they’ll just come back for more.”

Gordon suggests starting from the position of not paying and then working backwards to see whether it is possible to avoid a situation where paying becomes imperative.

Reputational damage

There are several reasons why paying a ransom would be ill-advised, and highlights once again why a decision ought not to be made in the heat of the moment. The reputational fallout could be significant. Firstly, it is unclear whether paying a ransom is illegal in Australia. It may breach laws relating to counter-terrorist funding and money laundering. Similarly, paying a ransom could run afoul of sanctions — for example, if it were reasonably evident that a ransomware campaign was raising funds to support the objectives of the North Korean government.

In June 2021, Labor introduced a Ransomware Payments Bill 2021 to require companies with an annual turnover of $10m-plus that pay ransom to cyber criminals to inform the ACSC. Companies would not be publicly outed for paying ransom, but would be required to report to the ACSC, which would confidentially assist law enforcement and other targeted companies. While the AICD does not anticipate the Bill will progress, it is aware the government is also looking at options to encourage greater reporting to ACSC.

“Often, the insurers want to be calling the shots,” says Watson. “At the end of the day, it’s their loss, potentially. We recommend getting your insurer involved sooner rather than later.”

A simulation exercise will likely identify issues that can’t be resolved on the day, such as extending business continuity plans. Gordon recommends repeating the simulation annually, as cybercriminals change tactics. “If you’re well-prepared, when a real attack happens it is still unpleasant, but you will make better decisions for your organisation,” says Wallmannsberger.

Snapshot

There has been a 60 per cent increase in ransomware attacks against Australian entities in the past year, according to the Australian Cyber Security Centre. Recent widely reported high-profile cases, confirmed by company statements, include beverage giant Lion, logistics company Toll Holdings, BlueScope Steel, Nine Entertainment, UnitingCare Queensland and Australia’s largest beef and lamb processing company, JBS Foods. The attack on the global food company halted its operations worldwide and a $14.2m ransom was paid. The average ransom demand in Australia is $1.25m, according to cyber company Crowdstrike, whose same survey found that two-thirds of organisations were targeted during the past year.

Large organisations tend to be specifically targeted, while smaller ones are hit with a “spray and pray” approach — the same phishing email goes to many organisations hoping that some are duped.