Ransomware is a very real threat with far-reaching consequences. Victims of an attack will suffer brand and reputational damage, and the disruption caused can take months or years to repair. How would your firm respond to a ransom demand? What steps are you taking to prepare your organisation for a ransomware attack?
Ransomware has grown to become among the most common cyber threats faced by organisations.
Malicious actors will try to penetrate a network, identify its critical data, deny access to the data owner or steal the data, and demand payment for the return of the data or reinstatement of access. Failure to pay will likely result in the stolen data being publicised.
Statistics collated by Atlas VPN in 2021 showed that in that year alone, attack attempts had risen by approximately 150%. The report identified the UK as the second most targeted nation (after the USA) in the world, with a total of 14.6 million attacks.
Whilst no official statistics have been produced so far for 2022, widely publicised ransomware attacks against NHS third-party suppliers and Marriott Hotels would suggest the volume of attacks is not slowing.
Last week the Australian Government announced it is considering an unconventional step towards battling the threat. Clare O’Neil, the Minister for Home Affairs and Cybersecurity, confirmed during an interview with the Australian Broadcasting Corporation that the Government was considering taking steps to criminalise ransomware payments.
The announcement follows several large-scale and widely publicised attacks in recent weeks suffered by some large Australian organisations, including a large health insurer, Medibank Private Limited, which resulted in 9.7 million customers’ personal data being compromised, including that of the Australian Prime Minister, Anthony Albanese.
Medibank did in fact announce that it would not be paying the ransom, a move that Clare O’Neil publicly supported on social media.
How significant is this?
This would be the first time a nation from the Joint Advisory With International Partners On Ransomware has taken such a step. So far, the UK and US Governments strongly advise against paying any extortion demands. The US could sanction any organisation paying a ransom, but does not make the act strictly illegal.
The argument in support of this move is that it undermines the criminal groups conducting the activity: deterring organisations from making a payment would make the activity unprofitable. However, there is also a possibility that organisations may simply factor any financial penalties into a cost-benefit analysis of the attack. Depending on the size of the fine and any negative publicity, this may still amount to less than the possible losses from the data being released.
A report issued by Gartner ‘Should Companies Pay or Not?’ in 2021 describes the factors surrounding this decision with some very useful examples taken from organisations that have paid and some that have not.
What needs to be done?
The UK holds a strong position and advises against paying extortion demands. In fact, the UK National Cyber Security Centre (NCSC) created a ‘Hub’ in March 2022 to encourage all organisations to collaborate and communicate on the matter, with this guide on ransomware published by NCSC.GOV.UK.
As a member of the NCSC’s Cyber Security Information Sharing Partnership (CISP), Xcina Consulting engages with industry leaders in order to provide the very best support to clients facing this challenging situation.
Last month Xcina Consulting Limited won the award in the Cyber Security and Compliance category for the second consecutive year at the Computing Security Magazine Awards in 2022. The ceremony was held in London.
For more information on how we may help you, contact email@example.com.