Ransomware traditionally targeted individuals and their computers by locking them down and demanding payment for their recovery. However, ransomware has evolved over the past five years, with cybercriminals realising they can extract more money from organisations than from individuals. This led to upgraded ransomware spreading across networks, locking down entire organisations, and to ransom demands escalating significantly.
A new approach to ransomware
Cybercriminals have recognised the immense gain in locking down entire organisations. They’ve moved from 'spray-and-pray' (where they target anyone and everyone) to 'big-game hunting' tactics. This move means they now focus on both the low-hanging fruit and those larger organisations they perceive to be well funded and inadequately defended.
As the shift in tactics pays off, hackers continue to devise new and more insidious ways of extorting more money from their victims. In the past three years, the rise of double-ransom attacks (where hackers lock systems and steal sensitive data, demanding a ransom for the restoration of both) has shown they now spend more time and effort on higher pay-off targets.
Over the past five years, the BDO and AusCERT Cyber Security Survey has shown this shift from 'spray-and-pray' tactics to 'big-game-hunting' – and for hackers, it’s paid off.
Figure 1 - While overall ransomware attacks have decreased, hackers are becoming laser-focused and more successful in their targeting
Figure 2 - Statistics from the BDO and AusCERT Survey show that while ransomware attacks have gone down, the proportion of victims who pay ransoms has increased dramatically (note: no data was captured for ransomware payments in 2018)
Hackers are becoming more successful in holding Australian organisations for ransom. These statistics paint a concerning picture, which lends importance to the timely announcement of the Federal Government's Ransomware Action Plan (RAP).
Solidifying the Australian Government's intention to reduce the economic impact of cybercriminal activities, the RAP sets out the path our nation will follow to combat evolving cyber ransom tactics. This includes mandatory reporting of ransomware attacks and more significant powers and mandates for prosecuting cybercriminals.
In this article, we explore what the RAP means for Australian businesses, for cybercriminals, and for ourselves as cyber practitioners and business decision-makers as we prepare for the RAP's initiatives to evolve into fruition.
What this means for Australian organisations
The Australian Government’s RAP is a component of the broader national security framework and the next step in the fight against cybercrime in Australia. Beyond encrypting systems, attackers now also steal confidential information as additional leverage, so that the threat remains even if the organisation restores its data from backups rather than giving in to the ransom demand (the double-ransom tactic). As a wealthy nation and early adopter of technology, we have become a prime target.
The RAP provides a blueprint for strengthening cyber security and resilience capability and provides organisations with avenues for guidance and advice in preparing for, and responding to, cyber attacks.
For Australian organisations, there are several key considerations:
- Organisations with an annual turnover of more than $10 million will be required to report ransomware attacks. Like prior legislation regarding Notifiable Data Breaches, it's designed to provide increased visibility of the problem (and solutions) by forcing it out into the light - a place criminal activity vigorously avoids.
- Enforced 'assistance' may require the provision of access to IT systems to agencies assisting organisations in responding to attacks.
In addition, organisations need to consider the insurance impacts of ransom payments.
There is an ongoing question of the legality of ransom payments and whether they facilitate the global criminal economy. Of course, this is weighed up against potentially catastrophic consequences should the business entity not be prepared for such an attack. Also, paying the ransom does not guarantee the return or deletion of the data.
The RAP states professional payment facilitators may be committing a criminal offence. This could significantly impact insurance markets and their policy coverage, resulting in many Australian organisations having to reconsider how they will address such issues.
What it means for cybercriminals
The Australian Government aims to turn the tables on cybercriminals with the RAP, but will this have a serious impact?
The scenarios below highlight how the RAP impacts cybercriminals.
Greater leverage in short to mid-term
For many smaller businesses, ransomware becomes a business continuity issue. If they are not prepared for an attack and do not have the appropriate infrastructure in place, it may be cheaper to pay the ransom than to face the prospect of reporting it and potentially having to rebuild from the ground up. If insurance coverage ceases to cover ransomware payments and underprepared organisations have no viable way of recovering from a ransomware attack, this could lend greater leverage to cybercriminals dealing with victims who are out of options and force the whole scenario further underground.
Continual evolution and rebranding
Ransomware syndicates evolve rapidly to overcome technical defences, law enforcement investigations and public scrutiny. Over the years, the ransomware gang EvilCorp has allegedly rebranded in order to keep collecting ransom payments after the US Government imposed fines on any organisation that paid ransoms to the cyber-crime group. The RAP has not made paying a ransom explicitly illegal, so this continued evolution of ransom tactics is still a viable scenario for organisations to consider.
Greater potential for disruption to criminal operations
The world's top technology companies recently came together, calling for a coalition to combat cybercriminals. In an 81-page report sent to the White House, the recommendations included requiring cryptocurrency platforms to implement Know Your Customer (KYC) and other anti-money laundering measures, creating central government cyber incident recovery funds, and establishing an international framework to help organisations prepare for and recover from attacks. The RAP shows that governments are taking ransomware seriously and expect businesses to do the same. As such, criminals can expect more intensive efforts to disrupt their operations and deny them success.
Decreased revenue potential in the long term
The RAP could influence insurance markets and cyber specialists who, in turn, may no longer facilitate ransom payments even as the last resort, meaning many businesses in the long term may 'accept' that payment is simply not an option.
Of course, cybercriminals and ransomware gangs may continue to carry out attacks, test governments and organisations' resolve, or apply even more pressure by focusing on critical infrastructure.
If ever there was an incentive for proper proactive planning and cyber readiness, this is it. The RAP aims to combine the capability and expertise of various agencies with increased powers, funding and legislation, all designed to reduce the attractiveness of Australia as a target. Organisations need to understand how well they are protected against a ransomware attack, as well as how best to respond to a ransomware attack when one does happen.
Australian organisations should be bolstering cyber incident readiness by ensuring they have well-designed and thoroughly tested incident response plans supported by ransomware playbooks to guide communication, coordination and escalation.
Strengthen your defence mechanisms
Plugging the gaps is the first step in building strong cyber defences. Your organisation should assess its protection mechanisms against ransomware, which as a minimum should cover:
- Implementing the ACSC Essential Eight across your organisation
- Strengthening your email environment against phishing attacks
- Providing appropriate cyber security education and training to your staff
- Reviewing your cyber insurance policy to understand your cover and obligations.
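As a concrete illustration of the "strengthening your email environment against phishing" item, the script below audits a domain's SPF and DMARC records for settings that let forged mail through, and contrasts a weak configuration with a hardened one. It is an added example, not code from the article or from BDO; the record strings are constructed samples rather than any real domain's DNS data, and in practice you would feed it the TXT records returned by your own DNS lookups.

```python
"""Audit SPF and DMARC TXT records for settings that leave a domain open to
email spoofing. Added example (not from the original article); the sample
records below are constructed and do not belong to any real domain."""

# Constructed sample records: one permissive set-up and one hardened one.
WEAK_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net +all",
    "dmarc": "v=DMARC1; p=none; pct=50",
}

HARDENED_RECORDS = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
}


def parse_dmarc(record):
    """Parse a 'tag=value; tag=value' DMARC record into a dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def audit_spf(record):
    """Return a list of weak-setting findings for an SPF record (empty = fine)."""
    findings = []
    if not record or not record.lower().startswith("v=spf1"):
        return ["SPF: no valid record; any host may send mail as this domain"]
    terms = record.split()[1:]
    all_terms = [t for t in terms if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("SPF: no 'all' mechanism; unlisted senders are treated as neutral")
    else:
        term = all_terms[-1]
        qualifier = term[0] if term[0] in "+-~?" else "+"  # bare 'all' means '+all'
        if qualifier in "+?":
            findings.append(f"SPF: '{term}' permits any sender; use -all")
        elif qualifier == "~":
            findings.append("SPF: '~all' only soft-fails forged mail; prefer -all")
    if "ptr" in [t.lower().split(":")[0] for t in terms]:
        findings.append("SPF: 'ptr' mechanism is deprecated and unreliable")
    return findings


def audit_dmarc(record):
    """Return a list of weak-setting findings for a DMARC record (empty = fine)."""
    findings = []
    tags = parse_dmarc(record) if record else {}
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: no valid record; receivers cannot enforce SPF/DKIM alignment"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; forged mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC: missing or unknown policy tag p=")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail stream")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you receive no aggregate reports")
    return findings


def audit_domain(records):
    """Run both audits; an empty list means no weak settings were found."""
    return audit_spf(records.get("spf")) + audit_dmarc(records.get("dmarc"))


if __name__ == "__main__":
    for name, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(name, audit_domain(recs) or ["no findings"])
```

Running it reports four findings for the weak records (`+all`, `p=none`, `pct=50`, no `rua=`) and none for the hardened set; the same checks can be run against your own records as part of the assessment the list above asks for.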
How to prepare
As the RAP's initiatives develop over the coming years, many Australian organisations will be legislatively obligated to improve their current capabilities to respond to cyber security incidents.
We've outlined three steps you can take now to prepare for legislative changes and better defend your organisation from ransomware.
Design and implement a cyber incident plan
The time to prepare for an emergency is not during an emergency. Your organisation must establish a cyber security incident response plan to guide the ways it will:
- Manage communication, coordination and escalation during an incident
- Analyse and understand the nature, extent and scope of what's happening
- Contain the spread of impacts
- Eradicate the cause of the incident
- Recover the business to the same state of operation it was in before the event.
Your cyber security incident response plan, while distinct from your standard IT incident management process, should be integrated with it and with your IT Disaster Recovery, Business Continuity and Crisis Management plans and processes.
Have a playbook
A cyber crisis, such as a double-ransom attack, will introduce uncharted waters for your executive decision-makers. Your Board and C-suite must be armed with a clear playbook to help them establish the organisation's position on ransom negotiations, understand what decisions they need to make and what support is available (internally and externally), and guide them through the ‘do’s and don’ts’ of a cyber ransom crisis.
Test them both
You can’t know how well a plan truly works until it’s been tested, either deliberately in a measured way or through a high-stakes trial-by-fire. Cyber exercises are a low-stakes, high-gain way of learning what must be done in a cyber crisis without ‘paying the price in blood’.
Effective, high-quality exercises are tailored to an organisation and designed to meet very clear objectives. They should occur regularly and engage both technical (e.g. IT and cyber security practitioners) and non-technical (e.g. media, legal, risk) stakeholders.
Your exercise facilitators should provide you with a co-developed plan which details the exercise objectives, delivery format (e.g. tabletop discussion-based exercise, or functional ‘desktop’ drill) and expected challenges and their mitigations. It should also include a clear description of the exercise scenario and all its possible variants depending on participant responses, and, importantly, the psychological load the exercise will place on participants, so that they are engaged and interested rather than underwhelmed or overwhelmed.
You should not wait for a high-stakes crisis to see if your incident response plan works. Rehearse early and regularly to continually build your people's cyber crisis muscle memory.