Proactive Cyber Security Is Just As Important As Prevention
Yesterday, the Straits Times published an article stressing the importance of ransomware prevention, as opposed to ransomware response. The article stressed how companies in the city state are not prepared for cyber attacks, attributing this to lack of sufficient deployment of preventive cyber security solutions.
Absolutely, having appropriate defensive measures in place–including firewalls, Endpoint Detection and Response, and staff security training–is an essential building block of decent cyber security. Still, this can only cover a part of the risk. Good incident response planning is key in ensuring that companies can successfully manage a cyber attack, especially when it comes to ransomware. The key is for companies in APAC to stop adopting a reactive approach to cyber attacks, and start preparing for incident response before they occur.

Ransomware is the biggest threat
Ransomware is the single biggest threat that organizations face today. We see this from several metrics.
First, the rapid year-on-year increase in ransomware cases–with the number of global reported cases increasing by 92.7% in 2021 compared to 2020 levels.
Second, the cost of ransomware attacks, especially given the amount of damage they cause and the exorbitant requested ransom payments–with the average cost to recover from a ransomware attack now amounting to over USD 1.85 million, and 21 days of downtime.
Third, the incidence of ransomware attacks–with over a third of organizations experiencing one every single year. Ransomware is in fact the most common type of cyber attack today.
Finally, the business model of ransomware. Formerly just another type of attack usually conducted by bored computer scientists with a knack for the hack, it is now a multi-billion-dollar business, with the Ransomware-as-a-Service (RaaS) model becoming more and more popular. A growing number of organizations, such as DarkSide, REvil, and others, have started to franchise their RaaS capabilities to attackers. Essentially, the groups code the malware in all its details and variants, providing the encryption tools, communications, ransom collection, and so on. This is then franchised to lone attackers, who are responsible for penetrating the organizations. The criminal groups then take a percentage of the ransom collected.
RaaS has contributed to making ransomware much more widespread and attackers much harder to track down, such that any teenager or a disgruntled employee now has the capabilities to lock down the business of the world’s largest organizations.
Double extortion is becoming a prevalent tactic in ransomware, whereby criminals not only encrypt an organization’s data, but also steal it and threaten to leak or sell it online.
Singapore is one of the worst-off countries when it comes to ransomware preparedness, with the percentage of Singapore organizations which experienced an attack being double the global average, at 80 per cent.
Prevention Is Good, But Not Good Enough
As stressed by the original author, prevention is an essential first step to building a good cyber security posture. But just as you would not want to live 100km from the nearest fire station–even if your house is built of bricks and concrete rather than wooden planks–you would never want to be out of reach of an expert cyber incident response team–even if you have all your firewalls and EDR in place.
In the past couple of years, we have learnt all too well that biological viruses evolve all the time, and that a single vaccine cannot protect humans from all the different variants that pop up almost weekly. In a similar fashion, many computer viruses are also programmed to change their appearance slightly every day so as to avoid being recognised by signature-based antivirus.
For this reason, viruses are able to penetrate endpoints even when these are protected by malware scanners and, in many cases, operate silently in the background for months or even years before the attacker decides to carry out a full-blown cyber attack. This way, criminals can pull data or monitor network activities, or use the infected endpoints as a bot to carry out a large-scale cyber attack on another victim.
Carrying out regular compromise assessments is the best way to spot these latent threats early, and 99% of Blackpanda’s first-time compromise assessment clients have some sort of malware in their systems.

Proactive Preparation Is Key
The Straits Times mentions that Singapore respondents have "the lowest confidence in their organisations’ ability to manage a ransomware attack", with only 61 per cent of companies being confident in their cyber security policies. This is an extremely worrying statistic, putting almost half of the country’s businesses at severe risk of permanent shut-down if hit by a ransomware attack.
However, to simply state that many companies focus too much on ‘response’ rather than ‘prevention’ would paint an incomplete picture. In fact, proper incident response planning is the single most important thing a company can do to effectively manage a cyber attack.
Rather than ‘response’, this kind of definition would refer to a lack of preparation, and a reactive approach to cyber attacks, whereby the issue is essentially ignored until it presents itself in all its terror. Cyber attacks are extremely stressful for everyone involved in managing them, and the longer a cyber attack’s dwell time, the greater the damage it can cause to an organization. This is why having a clear strategy for responding to a cyber attack, including cyber insurance, incident response plans and tabletop exercises, is so important. Just like fire drills, incident response exercises ensure that everyone in an organization knows what they should do in the event of a cyber attack. This not only speeds up the recovery process, but also contributes to raising awareness about cyber security amongst employees, lowering the overall risk of suffering an attack.
Another statistic mentioned in the article, in opposition to Singapore’s low cyber security preparedness, is that British companies have “the highest level of confidence in their organizations’ people and policies, at 94 per cent and 77 per cent respectively”. It is important to ask why the UK is doing so well compared to other countries. Here are a few suggestions.
- Over two thirds of organizations conduct cyber security awareness training at least once a quarter
- 82 percent of boards or senior management within UK businesses rate cyber security as a ‘very high’ or ‘fairly high’ priority
- Most organizations outsource their cyber security and incident response to an external supplier, citing access to greater expertise, resources, and standards for cyber security.
- 70 percent of organizations have a formal incident response plan in place
This data speaks to the importance of preparedness in managing a cyber incident when it inevitably occurs.
Get To The Root Of It
Another item that is brought up in support of preventive cyber security measures versus proactive ones is that “successfully targeted organisations were [...] vulnerable to repeat attacks. Among the organisations that paid the first ransom, nearly 80 per cent were hit with another attack soon after. Of this group, 68 per cent said the second attack took place within a month of the first and came with a higher ransom amount, while about half said they were hit again by the same attackers”.
Again, this is worrying, but it cannot be addressed through protective measures, as the backdoors and the malware will have already been installed by the attacker onto the endpoints. Instead, prevention starts with proper recovery and root cause analysis–which is always conducted as part of Blackpanda’s incident response. This ensures that the route that the attackers took to infect the network is fully understood, and any persistent threats are eradicated. Blackpanda has seen success in avoiding repeated ransomware attacks with clients who conduct a thorough threat hunt in the immediate aftermath of a ransomware attack, eradicating any dormant threats or backdoors that an attacker may exploit again in the future.
The Tea On Ransomware Payments
Now onto the most controversial part–ransomware payments. These are not only a financial issue, but also involve considerations on legality, emotions, ethics and stakeholders.
When deciding whether to make a ransom payment or not, an organization must take into account the company’s balance sheet, and decide whether not paying the requested amount is worth years of setback in terms of business progress. Expert ransomware handlers can help advise on this, negotiate a price reduction or a timeline extension with the attackers, and advise on whether it is legal or not to pay that particular hacker group. Paying attackers that are on sanctions lists can lead to severe legal consequences for the affected company.
Paying a ransom is and should always be a last resort.
Of course, financing attackers can definitely have ethical implications, but one must also empathize with companies that do decide to pay up in consideration of what is at stake. In some cases, not paying a ransom can mean loss of lives, or livelihoods, or the compromise of personally identifiable information of millions of clients and stakeholders. The picture is not so black and white, but it is important to lay out all the considerations at play in a realistic manner.
It is true that “giving in to the criminals and paying the ransom did not guarantee the safe return of stolen data”, but the risk of receiving a broken key from the attacker can be significantly reduced through proper incident handling. A key step in all of Blackpanda’s ransomware responses is ‘proof of life’, that is, requesting the decryption of a portion of the stolen files to serve as proof that the attacker indeed owns a working decryptor.
This is important for the same reason that you would never buy a very expensive product or service from a vendor before knowing that they can actually deliver it to you.
In some cases, the incident responders are even able to independently decrypt part of the stolen data which–coupled with the proof of life materials–may be sufficient to resume business without paying the ransom.
Prevention Plus Response Preparation For A Good Night's Sleep
In conclusion, cyber attack prevention is definitely essential, but cannot protect an organization from all cyber attacks, particularly ransomware. Incident response preparation is also key to building a solid cyber security posture.
Increasing cyber security budgets, as recommended by The Straits Times, is a step in the right direction, but with the exponential growth of cyber security related costs, it can become very difficult to manage for small and medium enterprises (SMEs). Cyber insurance is the smartest way of spending that cyber budget, making both prevention and response more affordable and accessible. Pandamatics Underwriting, for instance, provides cyber security coverage for SMEs in the APAC region, whilst also guaranteeing priority access to Blackpanda’s incident response services so that any attack can be handled swiftly and cost-effectively, and with no administrative delays.
Asia is definitely experiencing a lag in cyber preparedness as compared to the rest of the world, and the most important thing is for businesses to adopt a proactive, rather than a reactive, approach.
Proactive cyber response is just as important as incident prevention, and only with a combination of the two can Singapore really step up in the cyber security game, and become resilient to growing cyber security threats.
