Marsh & McLennan Advantage Insights logo
Conversations and insights from the edge of global business
Menu Search
In Practice

Avoiding Response Paralysis as Ransomware Attacks Mature

Your files are encrypted. You have five days to submit payment, or your data will be lost.

Last year, ominous messages like this one appeared on the computer screens of millions of businesses and organizations targeted by ransomware. Such attacks are not new, but have recently grown more frequent and severe — in 2020, they reached new heights, fueled partially by the pandemic.

Once a relatively minor concern, ransomware can now cripple organizations as they routinely disrupt operations for days or weeks. They can cost billions of dollars in downtime, remedial expenses and skyrocketing payments now demanded to release or restore data.

Despite ransomware’s prevalence, however, too many victimized companies suffer from response paralysis. Lacking the necessary plans and procedures, businesses under attack often find themselves in a state of shock that can deepen a crisis. 

With attackers growing bolder and more aggressive, businesses cannot afford to respond on the fly.

This month, the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security announced a cybersecurity campaign, Reduce the Risk of Ransomware, in an effort to raise awareness and decrease susceptibility to attacks.

Finding Weaknesses

Ransomware attacks constantly evolve as perpetrators experiment and learn. Increasingly, cyberattackers scan corporate technology environments to identify companies with poor cyber hygiene — for example, lax controls or unpatched software.

Once identified, the next step is to penetrate vulnerable networks. Attackers may send phishing emails, use watering hole attacks — in which they seek to infect targeted companies by attacking websites that their employees frequently visit — or offer bogus software on thumb drives. Sophisticated attackers may also install backdoors or plant “process bombs” that lay hidden for later exploitation.

The nature of attacks is also changing. Many attackers now use data stolen in cyber breaches to extort businesses: Pay us or we’ll disclose your proprietary or personally sensitive data.

Amid the pandemic, malicious actors have stepped up their efforts. With more people working from home, hackers have discovered a rich environment of unsecured Wi-Fi, vulnerable equipment and outdated intrusion prevention software. As remote working environments seem likely to remain prevalent after the pandemic ends, these dangers will not disappear.

Cryptocurrency and Ransomware

Although for many, cryptocurrencies like Bitcoin are an alien concept, their use has proliferated across the dark web — and Bitcoin is the currency of choice for ransomware attackers. Coveware, a cybersecurity consulting firm, estimates that 98% of ransomware demands are denominated in Bitcoin. Companies facing ransomware demands should know that making a cryptocurrency payment is not as simple as going to the bank or using a credit card.

Bitcoin is easy to get and difficult to trace. Although Bitcoin operates on an identifiable public blockchain, it allows for anonymity, with no direct way to identify specific account owners. In a cryptocurrency transaction — which can take time to execute — both parties are identified only by an address or account number, and users often can only purchase and send Bitcoin after setting up digital wallets through cryptocurrency exchanges.

The anonymity of cryptocurrency could bring regulatory scrutiny. In October 2020, the U.S. Treasury Department’s Office of Foreign Assets Control warned that it may sanction companies for making payments to any person on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) list — even if they do so unknowingly. The Foreign Corrupt Practices Act (FCPA) also prohibits U.S. citizens from bribing foreign government officials to benefit their business interests.

OFAC recommends against paying ransoms and encourages companies and their advisors to instead report cyber extortion attacks to law enforcement. Still, with critical data, business functions and reputations at stake, it’s important for businesses to be ready for all possibilities. Companies should engage outside counsel or cyber forensics providers for guidance and to manage potential cryptocurrency transactions. If a company decides to make a ransomware payment, this will help enable a smooth, quick transaction that is in line with regulatory requirements.

Consider ransomware risks as part of your broader risk management efforts — and consider every situation on a case-by-case basis.

Planning Is Everything

Businesses can take several steps to reduce their ransomware risk. Foremost among these is improving cyber hygiene, which can help limit potential exposure to attacks.

At a minimum, companies should focus on the following hygiene essentials:

  • Regular backups and periodic data restoration testing. Storing backup data offline in a secure manner, with limited access for privileged users, can substantially expedite recovery from an attack. A full backup should be completed at least once a week, while the most valuable data may need to be backed up more often and incrementally. Businesses should also conduct tests to confirm that backed up and restored data will work in a live environment.
  • Network segmentation. Splitting large networks into smaller segments through firewalls and other means can limit opportunities for attackers. Without gaining privileges, unauthorized users will hopefully not extend beyond the originally compromised segment.
  • Limiting access. Companies should require multifactor authentication for users accessing critical or sensitive data. Businesses can also keep prying eyes from sensitive data by requiring remote access to corporate IT systems through encrypted VPNs only.
  • Vulnerability and patch management. Users should update software with patches released to respond to identified malware threats in a timely manner to maintain the security of applications and operating systems.

Specific but Flexible Response Plans

Even with these measures in place, it’s imperative to develop detailed cyber incident response plans. These plans should include specific procedures and processes for managing ransomware attacks. They should also identify the resources and vendors to call upon in the event of an attack, which can enhance preparation and resilience.

Plans should also consider potential outcomes and how responses — including the possibility of paying a ransom — will be viewed by boards, shareholders and others. A decision to pay a ransom should be made only after careful reflection and consultation with key advisors. These should include legal counsel — with specific experience responding to cyberattacks — cyber forensic specialists, extortion services providers and insurers.

As every situation is different, it’s important to not have an ironclad policy that dictates always paying or never paying ransoms. Consider every situation on a case-by-case basis, taking into account the cost of the ransom, the criticality of affected data and estimated cost of restoration, the likelihood of successful restoration if the ransom is not paid, and other factors.

Crisis Rehearsal

In addition to careful planning, testing is key. Tabletop exercises that walk through worst-case scenarios can enable organizations to rehearse and refine their responses to ransomware attacks to build resilience. Group exercises that involve all cyber incident response and crisis management stakeholders, including legal counsel and key vendors, can identify important questions and challenges to be addressed before an attack. Exercising plans will require that all stakeholders are on the same page about who will be responsible for specific actions and decisions.

Conducting periodic indicators of compromise assessments, meanwhile, can help validate the integrity of an organization’s IT enterprise and keep unauthorized users, malware, or backdoors off networks. These assessments can help to establish new baselines for IT enterprises and confirm networks are clear of unauthorized activity.

Finally, consider ransomware risks as part of your broader risk management efforts. Take into account your cyber insurance coverage, broader enterprise risk management programs, and value chain as you review and develop your ransomware plans and prepare for the possibility of an attack.

James Holtzclaw

Senior Vice President of Cyber Risk Consulting at Marsh Advisory

James Holtzclaw is a senior vice president of cyber risk consulting at Marsh Advisory, where he works with a team of experts to identify, develop, implement and execute cybersecurity consulting strategy, capabilities, and services in North America.

Get ahead in a rapidly changing world. Sign up for our daily newsletter. Subscribe
​​