Fri, Nov 27, 2020
Since early 2020, as more of the workforce has remained away from the office due to COVID-19, our cyber investigators in APAC have seen a surge in threat actors exploiting remote access weaknesses to gain initial access to victim networks. While these attacks often ended in a widespread ransomware deployment that encrypted a victim's data and demanded payment for the decryption key, another disturbing trend became increasingly common: data theft prior to encryption.
In a recent analysis of Kroll case intake, ransomware accounted for over one-third of all cases as of September, surpassing email compromise as the most common threat. The rapid, forced migration to remote work caused by the pandemic opened additional entry points, and our intelligence found that 47% of all ransomware attacks gained access through RDP compromises, while another 17% came in through vulnerability exploits, such as those affecting VPN and other remote access solutions.1
Kroll case intake analysis, January 1 – September 1, 2020
Historically, ransomware has been effective because of the abrupt nature of the attack: it impacts critical systems at scale, creates significant risk to time and operational capacity, and instills fear and doubt in victims. As more companies have prepared to withstand ransomware impact with strengthened and verified backup policies and staged restoration capabilities, threat actors have changed their tactics. Confidential data is now stolen before the ransomware is launched, allowing threat actors to extort victims twice: once for the decryption key and again to prevent publication of the stolen data. In addition, ransomware groups such as Netwalker, Maze, DoppelPaymer, REvil and Ragnar have moved to publicly shaming "non-compliant" victims and exposing stolen data in phases to further pressure payment. Kroll has actively investigated incidents attributed to Netwalker and Maze in APAC, though it should be noted that Maze announced it had ended operations after November 1.
Because of this trend, companies must shift from seeing ransomware as merely a business disruption that can be remedied through backups to treating the incident as a potential data breach, one that can carry increasingly high regulatory fines. A few examples:
Victims must consider regulatory reporting, client and customer notifications and reputational risk. Furthermore, an incident is not just a matter of restoration: it needs to be thoroughly investigated by professionals to determine the full impact and to ensure complete containment and remediation.
Paying a ransom is ultimately a business risk decision. Common questions often include: Can business operations continue without that data? Is it detrimental if stolen data is leaked? Will this encourage the threat actors if payment is made?
If you are considering engaging with the threat actor, seek legal advice and use professionals who can assist with threat actor intelligence, obtaining a proof-of-life sample (typically the decryption of a test file to confirm the actor actually holds a working key), negotiating the payment amount down, ensuring legal compliance if a payment is made, and completing the payment as an independent third party.
Here are some simple steps companies can take to ensure they are prepared for an incident:
By engaging an end-to-end cyber risk management provider with capabilities ranging from proactive services, such as risk assessments, to incident response and investigations, companies can draw on the full suite of services to check breach readiness and close potential gaps.
In an interview with Ausbiz TV, Kroll's Louisa Vogelenzang discusses the rise in ransomware attacks.