The State of Ransomware: A Bigger Fear Than COVID-19

• By Brian Wrozek
• Jan 04, 2021

What do security professionals fear more this holiday season – ransomware or COVID-19? Believe it or not, they’re more concerned with the former.

That’s according to a flash survey of nearly 50 senior cybersecurity professionals taken at Optiv Security’s November OptivCon Virtual event. When asked, “What do you think is the greater threat to your business this holiday season: Ransomware or COVID-19?,” 60% of respondents said ransomware.

These survey results reveal just how big of a problem the ransomware epidemic is: We’re in the midst of a global health pandemic that has taken trillions of dollars out of the global economy, yet many security professionals are more fearful of ransomware. Why? In many cases, it’s because they don’t have an effective ransomware incident response (IR) plan in place – and therefore, they don’t know what to do when a ransomware attack occurs.

Another Communications Breakdown

While the solution to the ransomware problem might seem simple (prepare for it and put a plan in place!), there’s an underlying reason why so many companies are caught unprepared when the crisis strikes – and it’s rooted in the classic disconnect between cybersecurity and the boardroom.

Company leaders don’t understand that ransomware is a corporate crisis – not a cybersecurity problem. They think it’s the CISO’s job to block ransomware attacks, rather than leadership’s job to be prepared to respond to a successful attack. Unfortunately, this narrow view of the ransomware problem dramatically increases the potential harm that can result from the attacks.

The Ransomware Playbook

Similar to the IR plans and playbooks developed for data breaches, successfully dealing with ransomware also requires a strategic IR plan that methodically details the procedures for rapid response to and containment of incidents. The overall goal is to limit the risk of impact to the business.

At a minimum, an IR plan should include:

• Working backups,
• Detection and prevention controls,
• Data classification and valuation of data,
• Communication trees and templates, and
• Rules of engagement with ransomware dealers.

On this last point, in the event of a successful ransomware attack, organizations have three choices: 1) they can attempt to recover from the compromise; 2) they can pay the ransom or attempt to negotiate; or 3) they can do nothing at all. The FBI’s stance is to NOT pay or negotiate with cybercriminals. While this is certainly a best practice and the outcome you hope for, it might not always be possible – for example, hospitals with patients’ lives on the line or companies that will go out business if they don’t pay up may have no choice but to pay. This decision is up to each individual company – and it should be part of a coordinated response led by the C-suite and board, executing according to a pre-established IR plan.

It’s also important to note that having an IR plan is not enough – it also must be tested and reviewed on a continuous basis, and important procedures must be practiced frequently. Professional basketball players, for example, will practice hundreds of free-throws even though those shots are worth only a single point. Companies should spend the same amount of rigor on issues as important as responding to a ransomware attack that could cost their company millions of dollars.

The Evolution of Ransomware

Ransomware attacks, as they are executed today, are stressful enough for companies .... and it’s about to get worse. In 2021, we expect ransomware to become increasingly sophisticated and even more dangerous. Specifically, we believe:

1) Ransomware attacks will start to compromise our critical infrastructure, potentially holding entire regions of the country hostage.

2) Deepfake videos will move beyond a way to spread misinformation and morph into a new form of ransomware (i.e., extorting companies for money with the threat of releasing a damaging deepfake video).

3) As internet-enabled technology becomes more embedded in physical systems and medical devices, the loss of human life due to ransomware attacks will become a real consequence.

Having a coordinated business and cybersecurity IR plan is one of the most effective ways to overcome the fear of ransomware and minimize the business impact of these attacks. And, with ransomware attacks expected to become more complex and dangerous in the coming months, IR plans will become mandatory for an organization’s response capability and survivability.

If you don’t know where to start, learn from the experiences of companies that have previously been targeted by ransomware campaigns and seek the advice of cybersecurity experts. Don’t wait to act until it’s too late and your company is in full-fledged crisis mode. Put a plan in place today that will shore up your defenses against ransomware, and reduce the potential damage of successful attacks.