For several years, cyberattacks on all types of organizations in every industry across the globe have involved the use of a weapon called ransomware. Ransomware attacks have grabbed headlines by rendering company data inaccessible and causing major business outages. In response, organizations have begrudgingly paid extortion demands to criminals using cryptocurrency in return for a key to recover the data.
Over the summer and into the fall, there has been an uptick of cyberattacks on small and midsized businesses in the financial-services industry, including mortgage companies that serve the residential and commercial real estate business. These companies, their employees, and the originators and referral partners who work with them need to know what happens when they become the target.
The anatomy of these ransomware attacks is relatively routine. A criminal will research your organization through publicly available information on the internet and learn about your business to determine their initial ransom demand in advance of executing the attack.
For example, employees may receive emails with malicious links or attachments. If clicked or opened, the criminal gains access to company systems and is able to identify where data is stored. Business data will then be encrypted and rendered useless, followed by an electronic ransom demand to be paid in cryptocurrency.
Ransom demands can range from hundreds of dollars to millions of dollars. With the use of an experienced negotiator, ransom demands can be significantly reduced. The negotiations firm can determine whether a payment can be made in compliance with various government requirements, then facilitate the acquisition of cryptocurrency.
The U.S. government strongly discourages the payment of ransom or other extortion demands, but for some companies, it may be the only option. Government requirements are in constant motion, and they come with rules about reporting and maintaining appropriate records.
In the U.S., sector-specific regulators have implemented requirements for financial-services firms, utility providers, health care companies, educational institutions, and oil and gas pipeline operators, among others. Each of these sectors has regulators with varying but similar requirements for implementing cybersecurity, and those requirements include reporting a ransomware incident.
Public companies have to report cybersecurity incidents to the U.S. Securities and Exchange Commission. Recently, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency announced that it will have rules for “critical infrastructure companies” to report incidents. Similar requirements are being implemented around the world. Businesses need to navigate these requirements and realize they may overlap. These government reporting deadlines vary, but at most there are a few days of leeway.
If the company chooses to pay the ransom, the best practice in the U.S. is to report the proposed payment in advance and then inform the U.S. Department of the Treasury, which has a formal reporting process. Companies need to be aware of regulations around the world that could affect their decision to pay.
Paying an extortionist should always be an option of last resort. Unfortunately, companies victimized by a ransomware attack and lacking a viable option to restore their systems and data with high confidence often must pay. The absence of a tested disaster recovery plan and a tested cyber-security incident response plan is usually the deciding factor that pushes a company toward paying the ransom.
On the positive side, ransomware criminals are extremely commercial. They often want to reach a deal and, for the most part, seek to honor the bargain by providing a decryption key that can unlock data and restore operations.
But there is plenty of downside. Up until the time of payment, victims can expect the criminal to provide the maximum amount of pressure possible. Ransomware groups often threaten to release confidential data or transcripts of negotiations to the public, and they might harass employees or clients. They’ll do anything they can do to force the victim’s hand.
Once the victim pays, these events often remain chaotic. Decryption keys might not work and communications may be nonexistent. It also could be a situation where two actors in the network are arguing about who should get paid.
Lastly, even when a victim pays, they can never be sure what happens to their data. As part of the payment, a negotiator works to get the data returned or deleted. But at the end of the day, the victim is relying on the promises of a criminal.
A ransom payment marks the beginning of the second half of the challenge: business restoration. Leveraging a decryption key provided by the criminal in return for the ransom payment and rebuilding company systems can take days or weeks to complete.
What can organizations do to avoid paying a ransom demand? It’s vital to have data backups and a reliable data restoration process that is regularly tested. The goal should be to eliminate the decision of paying a ransom.
In addition to ransomware attacks and extortion, organizations this past summer were peppered by a cybercrime known as business email compromise. These incidents involve criminals impersonating key executives, primarily by email or text message. Recipients of the email or text are asked to wire funds to a vendor under some story of urgency, with transfer instructions provided.
The bank accounts used to receive the funds are controlled by criminals. Attempts to freeze these transfers will be mostly futile unless detected quickly and reported immediately to the FBI’s Internet Crime Complaint Center, also known as IC3.
The response and investigative techniques for this type of email attack typically focus on determining whether the criminal gained or set up remote access to the organization’s systems, then identifying the email tricks used by the criminal. Answering these questions allows a company to update its email system and block future attempts, remediate any backdoors installed to support a criminal’s future access to the company, and bolster business resiliency.
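The “email tricks” behind executive impersonation are usually visible in the message headers: a trusted executive’s display name paired with an outside sender address, a sender domain one character off from the real one, or a Reply-To that quietly redirects the conversation elsewhere. The following checker is an added illustration written for this article, not something from the original piece or from any vendor; the company domain, executive names and sample messages are all constructed values.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed example data (hypothetical): the organization's real domain and
# the executives whose names a business email compromise actor would borrow.
INTERNAL_DOMAIN = "example-mortgage.com"
EXECUTIVES = {"jane doe", "john roe"}  # lowercase display names to watch


def _domain(addr):
    """Lowercase domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(dom, target):
    """True if dom is one edit (substitution, insertion or deletion) away from target."""
    if dom == target or not dom:
        return False
    if len(dom) == len(target):
        return sum(x != y for x, y in zip(dom, target)) == 1
    longer, shorter = (dom, target) if len(dom) > len(target) else (target, dom)
    if len(longer) - len(shorter) != 1:
        return False
    return any(longer[:k] + longer[k + 1:] == shorter for k in range(len(longer)))


def bec_indicators(raw_message):
    """Return the impersonation indicators found in one RFC 5322 message ([] if clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(addr)
    found = []
    if name.strip().lower() in EXECUTIVES and from_dom != INTERNAL_DOMAIN:
        found.append("executive display name from external domain")
    if _lookalike(from_dom, INTERNAL_DOMAIN):
        found.append("lookalike sender domain")
    if reply_to and _domain(reply_to) != from_dom:
        found.append("Reply-To points to a different domain than From")
    return found


# Constructed sample messages (not real traffic): two impersonation attempts and one legitimate mail.
SAMPLES = {
    "impersonation": "From: Jane Doe <ceo.jane.doe@gmail.example>\nReply-To: payments@freemail.example\n"
                     "Subject: Urgent wire\n\nPlease wire the vendor today.\n",
    "lookalike": "From: Jane Doe <jane.doe@example-mortgages.com>\nSubject: Vendor payment\n\n"
                 "New bank details attached.\n",
    "legit": "From: Jane Doe <jane.doe@example-mortgage.com>\nSubject: Lunch\n\nSee you at noon.\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", bec_indicators(raw) or "no indicators")
```

Run over a mail gateway’s export, the same three checks give a defender a cheap first pass at flagging the urgent-wire messages this article describes before a recipient acts on them.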
Business email compromise scams accounted for more than $43 billion in financial losses between June 2016 and December 2021, based on more than 241,000 incidents reported to IC3. Keep in mind, these financial-loss statistics are based only on what is reported to the U.S. government. Business email compromise incidents cost U.S. companies more than any other type of cybercrime — and their financial impact is soaring.
There are security controls that are “must haves” to manage the risk of a ransomware or business email compromise scam. Critically, firewall and antivirus protection is no longer cutting it. Organizations can take action to reduce these forms of risk. Of the many cybersecurity controls available today, the following affordable controls can have the most impact if your business is targeted by an extortionist using ransomware or a business email compromise scam.
Training: Inform employees when hired (and at least once per year) of the risks, as well as the tactics and techniques used by cybercriminals, while reinforcing that employees will be a vector of attack.
Continuous monitoring: Deploy advanced endpoint (system-level) protection software, which is monitored around the clock by trained staff who can quickly detect and block suspicious activity.
Data backups: Have backup and restoration capabilities that are tested and ready to go, which will instill confidence during a crisis.
Multifactor authentication: This software requires an additional factor beyond the password to log in to a computer or application, making it difficult for criminals to gain broad access to systems, applications and data. It is critical to test the effectiveness of a multifactor authentication implementation. Many companies that have it installed today are still falling victim to cybercrime because the software was deployed incorrectly.
It is not just about hardening your company against a cyberattack. These controls (and others) will be necessities for insurance policies going forward, and they are requirements for certain cybersecurity regulations, legislation and best practices.