Ransomware has been a hot topic within the cyber security industry for quite some time now. It’s an often-lucrative cyber-attack method with an attractive return on investment. The motivation behind Ransomware attacks tends to be primarily financial, as cyber criminals can’t resist such easy opportunities to achieve their malicious goals. Ransomware is effective given that almost every individual or organization owns or has access to digital assets which are valuable to them. In regaining access or protecting said assets, many are forced to implement exhaustive measures and/or make great sacrifices. Cyber attackers take advantage of this by blocking users’ access to their own resources and requesting a ransom be paid. This type of digital extortion is very real and has grown in popularity across the industry.
While there are common trends regarding Ransomware, most companies, consumers, and cyber security professionals aren’t aware of a few misconceptions within the field. In this post, we aim to clarify these misconceptions.
Does ransomware constitute a data breach?
Cyber-attacks against companies are continually in the headlines. From ransomware attacks to disruption schemes that aim to hinder business operations, these attacks can impact users in a variety of ways. Headlines often dub these attacks “mega data breaches,” but are they really? It depends. Not every cyber-attack generates a data breach, and the same is true when it comes to Ransomware.
There are three main approaches to Ransomware: encryption, denial of service, and blackmail. When we overlay these with the core cyber principles of maintaining confidentiality, integrity, and availability of data, the impact of these attacks becomes more apparent. In the case of encryption or denial-of-service-based Ransomware attacks, availability is being impacted. People are unable to access a resource they should normally be able to reach unless they pay or find another approach to overcoming the attack. In this case, the ransomware attack alone usually doesn’t result in a data breach, but it can be considered a successful cyber-attack.
In the case of blackmail, the attacker usually must gain access to some information the target doesn’t want to be exposed. Depending on how the information was obtained, this may be classified as a data breach because the loss of confidentiality fuels the validity of the attack. It’s worth noting that in blackmail-based attacks, attackers often bluff and exaggerate what information they’ve accessed to scare users into paying.
The distinction matters. Data breaches typically require disclosures and notification depending on the extent of the loss. A ransomware attack generally will not require disclosure if data is not lost, but there are exceptions. For example, a company may agree to disclose any significant cyber-attacks to third-party partners, whether data was leaked or not.
The bottom line is that not all ransomware attacks are considered data breaches, but the impacts can be equally severe.
Everything isn’t always what it seems.
Ransomware use cases now extend beyond digital extortion. It’s been discovered that attackers also use the technology as a creative way to cover their tracks after conducting malicious acts within a given network. Ransomware technology locks up data and systems. If an attacker doesn’t want the victim company to be able to analyze logs and uncover what’s been done, they can use the technology to lock away their tracks and throw away the key. Even worse, they can ask for ransom and, once paid, never release the files. This is a very common outcome of ransomware attacks.
Research reports show that stolen data is not returned after payment nearly 75% of the time. In these cases, the attackers have not only breached your security and stolen information from you, but they benefit two-fold by covering their tracks and collecting ransom money in the process.
Attacks are trending downwards, but that doesn’t mean it’s time to relax.
Recent reports stunned the industry after disclosing that, for the first time in years, ransomware attacks are declining in volume. One quarter in 2018 saw a 45% decline, indicating that ransomware is no longer a first-choice attack method for many cyber criminals. However, this doesn’t mean we can get comfortable just yet. While the total volume was generally down, direct attacks against enterprises still saw an increase. This means that attackers are favoring quality over quantity by going after companies where they can get the biggest bang for their buck.
Backups aren’t always the answer.
A common recommendation for preparing for ransomware attacks is to have backups of your data available. While these backups are an integral part of any cyber security strategy, they will not provide a fix for every kind of ransomware attack. In the case of encryption-based attacks, backups are the way to go. You can wipe a device, including all encrypted data, and restore a clean version. If it’s a ransomware attack that leads to denial of service, backups should also be able to help in most cases. A key concern would still be the time and effort required to restore the system from said backups. However, in cases where ransomware is used for blackmail, having a backup of data won’t help, as confidentiality is the main issue at hand. The attacker is threatening to expose information that should be private, and having an extra copy doesn’t stop them. This is a great reminder that a Ransomware protection strategy should be robust and include more than just processes for backing up data and restoring systems. Additional prevention, detection, and response plans are necessary. Check out our post for a quick guide to navigating ransomware attacks.