The Ongoing Threat of Ransomware Attacks and the Need for Comprehensive Preparedness


Ransomware attacks have increased significantly since the pandemic began in 2020.  The threat has typically involved using ransomware to lock and encrypt a victim’s data, files, devices, or systems, rendering them inaccessible and unusable until a ransom is paid to the attacker.  The disruptions resulting from ransomware attacks can be extraordinarily damaging and costly to organizations.  It is therefore important to be aware of the threat and the need for preparedness.

No Organization is Immune from Ransomware.

The rising trend in ransomware attacks is largely driven by threat actors who have found that extorting companies is more profitable than selling stolen credit card numbers or Social Security numbers on the dark web.  These attackers have also recognized that the industry of the target matters less than the fact that every company needs access to its information for essential operations and may be willing to pay substantial sums to regain control of its systems.  Ransomware is the great equalizer: no organization is immune to it.

The Average Ransomware Payment in 2024 was $2 Million.

Ransomware attacks begin like many other cyber threats, often with a phishing email or the exploitation of a vulnerability in an exposed system.  Once threat actors have gained initial access, they usually conduct reconnaissance and escalate privileges within the network, which allows them to move laterally and identify the systems and data whose loss will hurt the organization most.  Having positioned themselves, the attackers launch the attack by encrypting files, possibly also exfiltrating sensitive data, and then demand a ransom.  Ransom demands vary widely but often reach hundreds of thousands or even millions of dollars.  Recent reports indicate that the average ransom payment has surged to $2 million, with 30 percent of demands exceeding $5 million.1  Companies have learned that the costs of operational disruption can quickly surpass the ransom amount.  Even companies with viable backups may consider paying, because the downtime required to restore from those backups can cost more than the ransom itself.

Ransomware Groups Use “Double Extortion” to Encourage Payment.

Many attackers also engage in “double extortion”: they exfiltrate sensitive information, such as customer data, and threaten to leak it unless the ransom is paid.  Reports show that in 32 percent of incidents involving data encryption, data was also stolen, a slight increase from the previous year.  The stolen data is typically threatened with publication on a leak site, often hosted on the dark web and frequently referred to as a “wall of shame.”  Threat actors will typically provide the victim with sample files as evidence of the theft before publishing, to encourage compliance with their demands.

The DOJ has Led Law Enforcement Efforts Against Ransomware Groups.

The U.S. Department of Justice (DOJ) has increased its efforts to combat ransomware in response to the rise in attacks.  In a recent report, the DOJ’s Office of the Inspector General (OIG) noted that the DOJ’s efforts, led by the Federal Bureau of Investigation (FBI) and the DOJ Criminal Division’s Computer Crime and Intellectual Property Section, focus on prevention.  The OIG further noted that, because arrests and indictments of ransomware actors are challenging, the FBI’s strategic focus has been on disrupting the ransomware ecosystem.

FBI’s Successful Disruption of Ransomware Groups.

In August 2024, the FBI announced the disruption of the ransomware gang Radar/Dispossessor, dismantling services and domains used by the group.3  Earlier in the year, the FBI worked with international law enforcement to seize the public-facing websites that the prolific LockBit group used to connect to its infrastructure and to take control of servers used in attacks.  Law enforcement also obtained decryption keys to assist victims in recovering their data.4  LockBit was responsible for attacks on more than 2,000 victims and profited from over $120 million in ransom payments.5

The coordinated effort by law enforcement to disrupt ransomware gangs holds a lesson for corporations: defending against ransomware cannot rest solely on the shoulders of the information security team.  It takes coordinated effort from multiple departments, including legal, communications, information security, information technology, and senior executives, as well as outside experts to assist with recovery, investigation, communication, and reporting.  This cross-disciplinary team should serve as the incident response team.

Planning for a Ransomware Attack Requires a Comprehensive Approach.

When planning for a ransomware incident, there are critical steps that every organization must consider, such as:

  • Backup Recovery Plan and Timelining: A robust incident response plan and ransomware playbook should set out the steps for restoring systems and should include realistic projections of recovery time, which help the organization understand the operational impact.  Rehearsing restoration under realistic conditions, whether in a tabletop exercise or a full restore drill built around a simulated attack, further prepares the incident response team for an actual event and exposes gaps in the plan, such as backups that are incomplete, too slow to restore, or themselves reachable from the compromised network.  An adversary-simulation exercise (“red teaming”) can supply the realistic attack scenario, but it is the recovery drill that tests the plan.
  • Ransomware Payment and OFAC: Deciding whether to pay a ransom is a complicated question with legal, ethical, and practical considerations.  In 2020, the Department of the Treasury issued an advisory reminding companies of their obligation to comply with OFAC regulations.6  Before paying a ransom, every organization must perform due diligence to ensure that the threat actor is not a sanctioned group or individual, and should document that diligence; the advisory notes that sanctions violations can be penalized on a strict-liability basis, so not knowing the recipient’s identity is not a defense.
  • Law Enforcement Assistance: Law enforcement tracks ransomware gangs and may be able to identify the group responsible for an attack.  In some cases, as with LockBit, law enforcement may hold decryption keys that can be used to recover systems and data.  Incident response teams should decide in advance when and how to involve law enforcement, rather than working it out during the incident.
  • Crisis Communication Planning: Prompt, accurate communication helps reduce reputational impact and preserve trust with customers, clients, and employees.  Developing a communication plan before an incident, with templates for internal and external communications and designated channels (including out-of-band channels in case corporate email and chat are themselves unavailable), enables a prompt response.

Ransomware attacks present a number of risks to organizations, including financial loss, data loss, and reputational damage.  By addressing these areas collaboratively and comprehensively, organizations can better prepare themselves for the continued threat of ransomware.

3 International Investigation Leads to Shutdown of Ransomware Group, FBI Cleveland (Aug. 12, 2024), https://www.fbi.gov/contact-us/field-offices/cleveland/news/international-investigation-leads-to-shutdown-of-ransomware-group

4 Press Release, Office of Public Affairs, U.S. Dep’t of Justice, U.S. and U.K. Disrupt LockBit Ransomware Variant (Feb. 20, 2024), https://www.justice.gov/opa/pr/us-and-uk-disrupt-lockbit-ransomware-variant

5 Id. 

6 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments, Dep’t of Treasury (Oct. 1, 2020), https://ofac.treasury.gov/media/48301/download?inline