Should you pay the ransom?

by | Nov 16, 2021

Golden Oldie

Originally published September 2021.

Without cyber insurance your business is vulnerable.

An IT department received an email from their marketing team stating that they couldn’t access their files mounted on the file-share server. All file extensions on that drive had been renamed and encrypted with the Phobos ransomware. What came next could only be described by the group CEO as abstract panic followed by overwhelming, long-lasting concern as to what was missing, destroyed or unrecoverable, compounded by fear of what might be lying dormant.

In shock and uncertain what to do, the CEO dug out their cyber insurance documents and called the helpline. Within minutes, a cyber forensic expert had mapped out the process and taken much-needed control of the situation. Endpoint detection and response tools were installed and deployed across the affected network, which, in due course, would assess the risk of future infection and support root cause analysis. A forensic image of the server was collected and the investigation into the incident began.

The file server and affected machines were shut down to reduce the risk of the ransomware spreading. Senior management didn’t know what to tell employees and employees didn’t know what to tell customers. A PC in the back office had to be set up and used as a server, albeit with very limited access, and the only clean back-up available to work with was four weeks old.

Containment and monitoring of the environment was necessary for the next two months, checking for threats or unusual behaviour, and ensuring no malicious activities occurred. The forensic investigation concluded that remote desktop protocol (RDP) on a device had been compromised and a folder was found that contained multiple hacking tools. The device had authorisation to access the file-share server, allowing the ransomware to encrypt these files. Fortunately, the attempt to move laterally and gain access to privileged credentials had failed. Still, it was not until the end of the second month after the attack that business as usual could resume.
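As an added illustration of the early-warning signal such an incident leaves on a file share (this is not part of the original article or the insurer's tooling): a small Python check over constructed audit lines that flags one account changing many file extensions in a short window, the pattern seen when every file on the drive was renamed and encrypted. The log format, account names and the `.encrypted` suffix are constructed placeholders.

```python
"""Flag a burst of extension-changing renames on a file share.

A user account that changes the extension of many files within seconds is
one of the earliest observable signs of share-wide encryption, so a check
like this belongs in file-server audit monitoring."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import posixpath

WINDOW = timedelta(seconds=60)   # sliding window; tune to the share's normal churn
THRESHOLD = 5                    # extension changes per user inside WINDOW

# Constructed audit lines (not a real product's format):
# "<ISO time> RENAME <user> <old path> -> <new path>"
SAMPLE_LOG = """\
2021-09-01T09:00:01 RENAME alice share/q3.xlsx -> share/q3_final.xlsx
2021-09-01T09:00:05 RENAME alice share/draft.docx -> share/draft_v2.docx
2021-09-01T11:14:02 RENAME bob share/a.docx -> share/a.docx.encrypted
2021-09-01T11:14:03 RENAME bob share/b.pdf -> share/b.pdf.encrypted
2021-09-01T11:14:03 RENAME bob share/c.xlsx -> share/c.xlsx.encrypted
2021-09-01T11:14:04 RENAME bob share/d.pptx -> share/d.pptx.encrypted
2021-09-01T11:14:04 RENAME bob share/e.txt -> share/e.txt.encrypted
2021-09-01T11:14:05 RENAME bob share/f.csv -> share/f.csv.encrypted
"""

def parse(line):
    """Split one audit line into (timestamp, operation, user, old, new)."""
    ts, op, user, rest = line.split(" ", 3)
    old, new = rest.split(" -> ")
    return datetime.fromisoformat(ts), op, user, old, new

def extension_changed(old, new):
    """True when the rename altered the file extension (ordinary renames keep it)."""
    return posixpath.splitext(old)[1].lower() != posixpath.splitext(new)[1].lower()

def detect_mass_rename(log, window=WINDOW, threshold=THRESHOLD):
    """Return [(user, first_timestamp, count)] for each user whose
    extension-changing renames reach `threshold` inside `window`."""
    recent = defaultdict(deque)   # user -> timestamps of recent extension changes
    alerts, alerted = [], set()
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, op, user, old, new = parse(line)
        if op != "RENAME" or not extension_changed(old, new):
            continue
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:      # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, q[0].isoformat(), len(q)))
    return alerts
```

Ordinary renames that keep the extension (as in the `alice` lines) never count, so the check stays quiet on normal file-share activity.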

Despite no ransom being paid in this instance, the costs incurred soon mounted up to in excess of £25,000. The financial protection from insurance cannot be overlooked; however, the guidance and support that come with it give a highly unnerving and unsettling experience much-needed direction and a structured, effective, immediate response.

As Home Secretary Priti Patel highlighted recently, referring to the Colonial Pipeline ransomware attack, the consequences of an incident are: “not just about the loss of data. There can be real disruption and significant impacts”. And it’s these factors which, unfortunately, too many organisations overlook: the potential operational disruption, reputational damage, financial loss, fines, penalties, regulatory obligations and a fall in share prices. Without a roadmap, a tried and tested incident response plan and the right people involved, chaos will ensue and knee-jerk decisions will be made based on emotion rather than the right course of action for the business.

A critical consideration that must be addressed before an incident occurs is where the organisation stands on paying a ransom demand. This is one topic that is causing ongoing debate.

Ransomware is essentially a crime-business model, and the strength of the encryption used has reached a level at which it is incredibly difficult to break in a meaningful timeframe, forcing victims to pay the demand to get the decryption key. Few can afford to be without their technology for any sustained period of time and will prefer to pay if it means saving their business. The ability to gather open-source information allows threat actors to place a value on a victim’s data. And, threatened with public shaming if commercially sensitive, confidential or potentially embarrassing information is released, organisations feel they have no recourse but to pay.

From an insurer’s perspective, their priority is to get an insured business back up and running as quickly as possible. So, if back-ups fail, leaving a victim with nothing to fall back on, it may be more economical to pay the ransom than to undertake a full system rebuild.

On the flip side, there are those firmly in the ‘don’t pay’ camp, raising the valid point that money coming in from paid ransoms often funds other forms of organised crime, like human trafficking and child exploitation.

Then there’s the question of sanctions to consider – where are the threat actors based and what are the regulations in that territory regarding funding terrorism? And let’s not forget these threat actors are criminals. Although they themselves have a reputation to uphold and want ‘happy customers’, their demands come with no guarantee that there is a decryption key or that it will work, or that they won’t publicly release the data regardless of whether they’ve been paid or not.

With Ransomware-as-a-Service (RaaS), cyber extortion has become an industry in its own right. Gangs enlist affiliates to distribute their malicious code in return for a percentage of the ransom payment. It’s criminal activity that is incredibly difficult to trace and can be carried out by anyone with access to a network, anywhere in the world. While it remains a highly profitable activity, it will continue to affect companies of all sizes, across all industries.

So, is the legal banning of paying ransoms the answer? Unfortunately, I would have to argue no. Simply declaring an activity illegal isn’t going to dissuade criminals. If a loved one was being held to ransom, surely we would pay whatever we could within our means to get them home safely, illegal or not? It may have taken a severed ear for him to change his initial stance, but even J Paul Getty paid his grandson’s captors in the end. Ransomware is a widespread global problem: scammers will still scam.

The answer must be in finding ways to make these attacks less profitable and more difficult to execute, so that the criminal loses interest. Microsoft, Amazon, the FBI and the UK National Crime Agency have joined the Ransomware Task Force (RTF) in giving governments nearly 50 recommendations to help tackle this very issue. These include increasing regulation of cryptocurrency services, making it mandatory for victims to report if they pay criminals, and creating a fund to support ransomware victims and help them recover.

Organisations themselves also have a vital part to play, and preparation is key. Assess your threats and vulnerabilities and run simulations and tabletop exercises, so that prior to an attack the potential impact is understood, the necessary controls have been adopted and a tested strategy is in place. Protect and secure your crown jewels, implement multi-factor authentication for anyone accessing the network and restrict user privileges so that end users only have access to what’s required to do their job. Effective back-up procedures must be in place, with back-ups held offline and regularly tested.

Simple best practices like these could be the difference between a business surviving relatively unscathed and a full-blown event which cripples entire operations.

There are no absolutes with risk management and no security measure is failsafe. Having experienced a ransomware attack first-hand, the CEO of the company that suffered this attack stated: “Not to purchase cyber insurance in these current times is akin to not having your home valuables insured. I believe the risks far outweigh the cost. It is one of the things in life that you don’t realise you need until you actually do.” In this, the digital age, organisations have too much at stake to ignore such a real and present danger.

About Catherine Aleppo

Catherine Aleppo has been with Aston Lark (including predecessor companies) since 2005. With cyber risk increasing exponentially in recent years, Catherine’s role at Aston Lark is focused on helping businesses understand the importance of identifying their threats and vulnerabilities, and on providing solutions for transferring those risks which exceed an organisation’s ability to remediate.
