Ransomware is a growing problem with dire business consequences, writes Damien Manuel GAICD, chair of the Australian Information Security Association and director of the Centre for Cyber Security Research and Innovation at Deakin University.
As digital technology advances, so do the tactics and influence of extortionists. The extortion tools they use are no longer photos or documents collected from rubbish bins, but sophisticated software designed with a single purpose in mind – to cripple your business if you don’t pay the ransom.
Industry analysts suggest the cost to the Australian economy from ransomware attacks alone was up to $1.4b in 2020, and we know it has increased dramatically during the COVID-19 pandemic.
In June 2021, a private member’s bill was introduced into federal parliament to force organisations and government entities to notify the Australian Cyber Security Centre (ACSC) when ransomware payments have been made, including the amount and key details of the attack. It is yet to be seen whether the bill will progress, but the intent is to obtain a better understanding of the impact on Australian businesses and who the perpetrators are, and to see if the ACSC and the Australian Signals Directorate (ASD) can disrupt the criminal activity, making Australian businesses a less attractive target.
Ransomware can infiltrate an organisation in a variety of ways, such as innocent-looking emails to staff or directors with seemingly innocuous attachments that give external parties access to the recipient’s computer. Once the attacker installs and activates the malicious software, it can move swiftly through the local computer and network, encrypting data and systems and rendering them useless unless you have a special key — which is where the ransom comes into play. This type of attack can cripple a business and its customers and, worst of all, it is also available as a service that can be purchased by anyone who wants to inflict damage on any business or individual.
This year, there have been some high-profile, big-impact examples of ransomware attacks — such as Colonial Pipeline in the US, which caused fuel shortages; multinational meat manufacturer JBS, which was offline for multiple days; and Nine Entertainment, which had live broadcasts disrupted. It is a reminder that all businesses, regardless of size, can become the victim of a ransomware attack.
The earlier advice, to back up data, has been so successful that criminals have now adapted and modified their business model. Now, not only are you extorted to get a key to recover your data, but you are asked to pay a ransom to stop data that has been stolen from being publicly released or sold on the dark web.
This change in operation creates a new dilemma for businesses, with the threat of confidential and sensitive material being released to the market. A release of sensitive information could trigger Privacy Act breaches, the need to make a notifiable data breach disclosure to the Office of the Australian Information Commissioner (OAIC) and potential litigation by impacted parties.
Ransomware is existentially different to other forms of hacking and goes to the heart of a board’s governance and fiduciary role. Experts offer practical guidance to help boards in defending against and responding to attack.
Do you pay the ransom?
This is a difficult moral and ethical question. Paying can be the fastest way to restore business services or prevent public disclosure of information, but there are no guarantees as you are dealing with criminals or hostile governments. Paying also helps perpetuate the ransomware business model and doesn’t prevent it from reoccurring. In fact, it may lead to another criminal syndicate being tipped off that your organisation is an easy target that will pay, increasing the chance of it occurring again. In some jurisdictions, paying may actually be a criminal offence.
Six tips to avoid becoming a ransomware victim
- Prepare for a ransomware attack and document what will be done, who leads communications and how the incident will be managed. Also ensure you practise with your staff and board, as speed and clear, decisive decisions and communications will be key, especially in a time of crisis.
- Implement controls (technical and procedural) commensurate with the risk appetite of the business. You often hear about implementing the ASD Essential 8 (baseline mitigation strategies). The reality is not all the controls may be practical for your business from a cost and agility perspective — and not all controls are equally effective. Use them as a guide or just a starting point.
- Ensure your organisation has good, well-established data and risk management practices.
- Share experiences with your peers — in a crisis, you may need their assistance and advice.
- Your people are the front line of defence. Train them appropriately to increase awareness, but most importantly, to drive lasting behavioural change.
- Your perimeter no longer ends at the bounds of your organisation. It now extends to your third parties (especially cloud providers) along with any other organisation that may have access or connections to your systems. Beyond technical controls, consider establishing a third-party assurance program, accountability clauses in contracts, breach disclosure agreements and a right to audit your key suppliers’ cybersecurity programs to ensure they have adequate security controls and procedures in place.