Expert insight from our cyber incident responder
When talking to clients or taking questions at the end of webinars, many ask us about ransomware.
In fact, ransomware is often the first thing people ask about!
Organisations seem really worried about it – and understandably so. Ransomware features a lot in the news. A particularly noteworthy attack was MOVEit, which was also a zero-day exploit, but we see plenty of ‘run-of-the-mill’ attacks too. There are even daily ransomware victim feeds!
Admittedly, threat actors can and do claim attacks that didn’t happen or are exaggerated. Nonetheless, the risk of a cyber incident is significant, and as data leaks such as the ‘mother of all breaches’ suggest, sooner or later, every organisation will ‘get done’.
Anecdotally from the news, ransomware attacks appear to be growing. This trend was confirmed by the 2024 Data Breach Investigations Report: Verizon found a significant jump in ransomware/extortion attacks compared to the 2023 report.
So, I sat down with cyber incident responder Vanessa Horton to get her expert insights into this trend.
About Vanessa Horton
Vanessa holds a degree in computer forensics, as well as a number of cyber security and forensics qualifications.
She’s worked for the police as a digital forensics officer, where she was involved in complex crime cases. Vanessa was also awarded a Diamond Award and an Excellence in Service Delivery Award.
Now, she’s part of our cyber incident response team, helping clients with their cyber security requirements.
Previously, we’ve talked to Vanessa about anti-forensics, and picked her brain on cyber incident response.
In this interview
To what extent do you track industry news?
I try to look at cyber news every day. I like to keep up to date, particularly in this industry, so I can support clients better. I also research things where I can – such as anti-forensics, or bigger ransomware trends.
What ransomware trends have you noticed?
First, ransomware gangs are much more organised now. Many have their own logos and conduct job interviews, and there have even been calls for research papers on the dark web! As a result, these groups have become even more dangerous than they already were.
Second, gangs seem to be putting all their efforts into data exfiltration, moving away from data encryption in the process. Or they do both, in what’s known as a ‘double-extortion’ attack. This really is worrying.
Why is this such a worrying trend?
Well, historically, one of the best responsive measures to ransomware was to take regular backups. You don’t need to pay a ransom to have your files decrypted if you can simply restore them yourself.
However, if your data has been exfiltrated, you can still be held hostage by the attackers.
In fact, threat actors are really putting the pressure on organisations now by spending more and more time in their victims’ systems, trying to find the truly sensitive data. This makes organisations not just more likely to pay, but also gives attackers leverage to demand higher ransoms to begin with.
Of course, the UK government advises against paying ransoms, but doesn’t legally enforce this, unlike some other countries.
What’s your personal advice on paying ransoms?
That’s very tricky to answer.
Ethically speaking, you clearly shouldn’t, as paying the ransom funds further criminal activity. Besides, they’re criminals. What’s to stop them selling the data, whether immediately or further down the line, even if you do pay?
However, paying could prevent sensitive data from being sold on the dark web, thereby reducing the impact of the breach. I do want to stress the could here though – again, there’s no guarantee the attacker will keep their side of the bargain.
So, I think organisations need to weigh up the risks to make the right decision for their specific situation. I don’t think the answer to your question is a clear-cut ‘don’t pay’, but not paying will likely be the best action to take in most cases.
Want to receive future interviews like this – and other blogs – straight to your inbox? Subscribe to our free weekly newsletter: the Security Spotlight.
Let’s go back to the trend we were discussing earlier. Besides applying more pressure on their victims, why else do you think ransomware groups are favouring exfiltration over encryption?
Exfiltration is doubly profitable for ransomware groups. The victims are more likely to pay up and the threat actors can sell the data on the dark web. In fact, the stolen data can be more valuable than the ransom payment itself.
But I think there’s more to it than that.
The ‘traditional’ method of data encryption is a really difficult program to code, because for the attacker to be able to blackmail their target, their encryption needs to be really sound. You’ve got to cover all the infrastructure.
Exfiltration, on the other hand, requires the attacker to simply obtain access to their victim’s systems, get the data on it, then demand the ransom.
In short, from the criminals’ perspective, exfiltration requires far less effort. And it certainly offers a far better return on ‘investment’.
What can organisations do if their data has been exfiltrated?
It’s tricky. The criminals already have the data, so that’s not going to help you recover from this attack.
However, a fast response remains critical to both minimise the impact of this attack and prevent future incidents, particularly of a similar nature.
One of the most important things to do is conduct an initial forensic investigation. That means figuring out:
- What happened?
- What was the root cause?
- When did the initial attack happen?
- What data has been breached, exactly?
- Did the attackers put a back door in your systems, so they could easily re-access them later? This is something I’ve actually seen with clients, though can’t share the specifics due to client confidentiality.
By conducting this type of early investigation, you’re not just meeting your legal and regulatory obligations, but also gathering the information you need to take the right measures to prevent such situations from recurring.
Interviewer note: Real-world examples
Vanessa previously shared real-world examples to demonstrate just how important it is to take the time to investigate root cause.
Understandably, when you suffer a business disruption, your first instincts are to get your systems up and running again. And yes, continuing your business-critical operations is very important to minimise the hit to your organisation.
But, as Vanessa previously highlighted with a real-life case study: if you restore your services without investigating root cause, you’ll ‘get done’ again. Possibly just weeks later, and by the same threat actor, leaving you back at square one.
Worse, organisations that suffer multiple incidents in quick succession are more likely to hit the headlines. Journalists love writing about the ones that make for a better story.
What else should organisations think about?
Well, legal notification requirements aside, I want to remind people that data breaches affect more than just the organisation’s finances and reputation. A data breach is also horrible for the people that data belongs to – your data subjects.
Having your data available on the dark web to the highest bidder is really hurtful, particularly if the data is of a personal nature. Those people entrusted you with their data, and failing to adequately protect it damages your relationship with them.
So, be considerate. You can’t undo the breach, but you can mitigate the damage by being open and transparent about what happened, exactly whose and what data was compromised, and so on.
You can also offer your subjects advice and support in actions they can take to at least mitigate the impact to them personally.
People do remember and appreciate such honesty and transparency, and this will help your organisation’s reputation. Equally, people will also remember attempts to hush things up – and the truth does tend to get out, even if it’s not until years later.
And the headlines speak for themselves – organisations can suffer
enormous damage, and can even go out of business, by doing the wrong thing.
Do you have any final words of advice?
Prevention is always better than a cure. You need to take reasonable steps to stop opportunistic attacks, at the very least, which can be really cheap to do, too. Measures like:
- Passwords and MFA [multifactor authentication];
- Anti-malware software;
- Regular patching; and
- Firewalls.
And many others are all easily accessible and affordable, and go a long way towards reducing the likelihood of an incident.
But if you suffer a breach anyway, it’s obviously too late to prevent the incident altogether – this time round, at least.
That’s why forensic investigation is so important: figure out what happened, what vulnerabilities you need to fix, where staff education is lacking, and so on. Make sure you learn some valuable lessons, so you won’t suffer the same incident again.
Cyber Incident Response Investigation service
If you’ve suffered a cyber incident, we can give you and interested parties (e.g. insurance providers) assurance the incident is being dealt with quickly and efficiently.
Our Cyber Incident Response Investigation service will help your organisation answer key questions such as:
- How the threat actor gained access; and
- The steps needed to contain, eradicate and recover from the attack.
We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.
In the meantime, why not check out our previous interviews with Vanessa on cyber incident response and anti-forensics?
If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter. Alternatively, explore our full index of interviews here.