Now that the pandemic has pushed so many organizations to embrace a distributed workforce, cyber criminals are developing new ways to take advantage of the abrupt shift. Nearly a year ago, as organizations in all industries scrambled to move their employees home, employees became more susceptible to some of the attacks that businesses were previously able to shield them from. For example, home internet connections are typically far less protected than corporate networks, and many organizations don’t have a plan for managing the information on their employees’ personal computers.
With a wider attack surface and a workforce not accustomed to handling its own cyber security, ransomware attackers are alert to new opportunities. To increase the likelihood of payment, they are strategically choosing which target to strike, and when. That moment is different in each industry, such as education and healthcare:
Universal Health Services Inc. said a malware attack in late September cost the hospital chain $67 million last year before taxes. Revenue dropped as patients went elsewhere for care, Universal Health said, and it incurred expenses to restore its operating systems. - Wall Street Journal
Given these changing tactics, many organizations are likely to pay demands for ransom, but that’s no guarantee that they’ll get their data, systems, or operations back. Some cyber attackers seek an initial ransom payment, and then return for more every few days. Other attackers sell the data they harvested, even after receiving the ransom.
Ransomware groups now favor “post-compromise” attacks, in which the threat actors wait to encrypt the data, first destroying backups and disabling security processes, gathering credentials, learning and modifying the target environment, and pulling out sensitive data. Then they launch an attack that’s extremely difficult to recover from.
Previously, ransomware attacks operated by denying an organization access to its own data until it paid the ransom, but ransomware developers have embraced the value of data. By making copies of the data and threatening to release it publicly, attackers confront organizations with an additional threat. Not only are organizations unable to keep themselves free from ransomware, they may now be responsible for regulatory fines related to data protection. In addition, impacted organizations may lose customers, not only because their systems were down, but because customers no longer trust them.
Cyber attackers made at least $350 million in 2020, according to Chainalysis, so they aren’t going to stop ransomware attacks in 2021. Don’t wait until you get a ransom demand. Plan ahead so you can act decisively in case of an attack, and create a team that has authority to execute on large-scale, operational decisions to mitigate damages. Finally, consider possible vendor solutions, and limit users to the least privileged access necessary for them to do their jobs. Limiting access, together with monitoring, threat detection, and a response plan, can help you limit the amount of damage ransomware can cause in your organization.