2021/2022 Cyber/Data Outlook: Ransomware Attacks: Strategies for Preparation and Mitigation
Businesses’ dependence on (and investment in) online infrastructure resulting from the COVID‑19 pandemic, together with the ready availability of cryptocurrency, have created an environment ripe for significant increases in the frequency and ingenuity of ransomware attacks. As the workplace continues a long-term transformation, flexible work arrangements and remote access to company data are likely to continue to provide malicious actors with ample targets. Not unlike other criminal enterprises, cybercrime continues to become more sophisticated and “businesslike” in its operation.
Over the past year, these developments in ransomware — alongside a number of very prominent breaches in the public and private sectors — have prompted international concern regarding cybercrime, and are likely to generate more political willpower and co-ordinated strategies to combat ransomware in the near future. Political and business actors in Canada, including the Chamber of Commerce, are also alive to these concerns. These events make responding to an attack incredibly complex and time-sensitive, as domestic or foreign government sanctions aimed at ransom groups and virtual currency exchanges can derail a negotiation in midstream.
Strategies to combat cybercrime, regulate cryptocurrency, and obtain global relief notwithstanding traditional jurisdictional boundaries are still in their relative infancy. Businesses should be cognizant that legal frameworks in this area are unsettled, and will shift with some degree of frequency, sometimes in a way that could disrupt recovery from a ransomware attack.
Ransomware is malicious software, or “malware,” that prevents access to data, holding such data hostage until the target pays a ransom. Most often, ransoms are paid in a form of cryptocurrency, such as bitcoin. Ransomware comes in two primary forms: (i) encryption ransomware, where data is encrypted, and a key to unlock the encryption is provided to the target upon paying the ransom; and (ii) lock-screen ransomware, where the target is locked out of their computer system or online device until the ransom is paid.
These methods are often utilized in concert with other strategies in order to achieve double or triple extortion, namely the levying of threats to release sensitive data exfiltrated in a ransomware attack, or to directly target and harm individuals or customers whose data was stolen. These additional threats allow criminals to extract a larger fee from the target than they might have otherwise received for decryption alone.
There is also a possibility that, once an initial ransom is paid, there may be additional layers of encryption, or further lock screens, prompting additional ransom payments. However, the criminals behind the larger ransomware groups are generally cognizant that they command a “brand premium” only as long as they maintain a reputation for keeping their word. A party that promises to decrypt data, and then doesn’t, is unlikely to be trusted by the specialized service providers who assist businesses in these negotiations.
CURRENT TRENDS IN RANSOMWARE
The evolution of ransomware is a fascinating example of innovation in the criminal underground: just as other businesses diversify, so do cybercriminals. Cybercriminals are sensitive to changes in technology and market demands; and they continue to evaluate the effectiveness and efficiency of their products and gain inspiration from their competitors.
The industry of ransomware is an extreme form of entrepreneurial tech disruption, not entirely dissimilar from how Napster and Pirate Bay disrupted the creative industries via copyright infringement at an unprecedented scale. It is not a coincidence that ransomware actors use Megaupload/Mega — a service famous for facilitating mass copyright infringement — to make off with stolen company files, or that peer-to-peer systems are being used to distribute malware and infect unwitting users. For example, in recent years, we have seen cybercriminals shift away from their earlier strategies, which centred around high-volume attacks, to a more selective approach, targeting larger businesses in an attempt to demand larger payments. As a rule, cybercriminals will gain access to a target’s network and then engage in reconnaissance within the target’s data (such as its financial statements) before the actual attack, both to tailor their ransom demand and to attempt to encrypt backup systems more effectively. Cybercriminals are also increasingly targeting smaller municipalities and health-care organizations, due to the perception that they have weaker security controls and are more likely to pay ransoms in order to restore essential public services — particularly during the COVID-19 pandemic.
Concurrently, the development of ransomware as a service (RaaS) has also changed the ransomware landscape significantly, becoming the most prevalent means of attack (Sophos 2022 Threat Report). Criminals can purchase monthly subscriptions to access user-friendly ransomware kits on the Dark Web, often complete with technical support. Instead of purchasing monthly subscriptions, some instead use a profit-sharing model, splitting the proceeds of ransoms with the RaaS provider. Some “providers” have invested in upscale graphic designs for their customer service portals and publishing portals.
These developments highlight three key take-aways: (i) cybercriminals are highly responsive to the nuances of current events, and will target vulnerabilities accordingly; (ii) diversification means that everyone in Canada, from individuals to medium-sized enterprises to large businesses, may be subject to an attack; and (iii) ransomware is constantly evolving, meaning that strategies to prevent or react to ransomware require diligent upkeep.
HOW TO PREPARE FOR OR MITIGATE THE EFFECTS OF A RANSOMWARE ATTACK
The wide range of targets and immense potential costs of ransomware attacks highlight the importance of businesses investing in preventive measures. These include implementing strong security systems and procedures, rapidly patching vulnerabilities, engaging in penetration testing, educating employees on how phishing emails or other ransomware delivery methods may introduce malware into a system, reducing attack surfaces, air-gapping backup data, building multiple layers of access control within online data storage, and utilizing multi-factor authentication. The more difficult it is to navigate a system and the more difficult sensitive data is to reach, the less likely it is that cybercriminals will launch an effective attack.
Particular areas of vulnerability that should be addressed in preventive measures are backup storage, cloud storage, and remote access points. Frequent review of preventive measures is also essential — over time, cyber tools once reputed to be particularly secure become subject to the ingenuity of cybercriminals. For example, blockchain-based digital currencies and applications are increasingly subject to scams and hacks, and cloud storage is not invulnerable either. For more information, please see our article: Blockchain vulnerabilities — crypto hacks, blockchain forensics and legal challenges.
Even with robust preventive measures in place, it is equally important for businesses to have an incident response plan (IRP) setting out how to react in the event of a ransomware attack. Ransomware pop-ups (like the one shown below) are unsettling, and an IRP supports making measured and effective decisions, including when and how to involve legal counsel and external expertise. Additionally, having a well-formulated means of restoring from backup data in an IRP will help mitigate any reputational damage that may flow from the ransomware attack. For more information, please see our article: Ransomware: avoidance and response.
In developing an IRP, businesses should also consider the key factors driving whether or not to pay potential ransoms. While paying ransoms may be the only method to recover data, businesses should take note that paying ransoms may make their business a target for future attacks. Payment could also result in violating sanctions, particularly with respect to the United States. Further, insurance providers may not cover the costs of paying the ransom, or other costs related to ransomware attacks, and data may remain compromised or corrupted even after the ransom is paid.
FUTURE TRENDS IN RANSOMWARE
In the near future, there is likely to be greater regulation, international co-operation and enforcement in the areas which coalesce with ransomware, including cryptocurrency and cryptocurrency exchanges, and money laundering. Already, there have been some examples of successful enforcement against cybercriminals and seizure of the proceeds of ransomware, as well as civil cases where the target of an attack was able to recover stolen cryptocurrency. In the next few years, law firms may be able to step up from their current dominant role as breach coaches and regulatory interfaces and win back ransom funds through innovative court proceedings using newer Norwich Pharmacal, Bankers Trust, Mareva and proprietary injunction remedies developed in recent cases to track and freeze ill-gotten gains. For more information, please see our article: Blockchain vulnerabilities – crypto hacks, blockchain forensics and legal challenges.
At the same time, businesses should be aware that cybercriminals will continue to modify their weapons to evade enforcement and target vulnerabilities. This means that businesses should continue to monitor trends in ransomware and update and test preventive measures and IRPs accordingly.
To keep you informed, empowered, and ahead of the curve, McCarthy Tétrault’s multidisciplinary Cyber/Data experts have launched the 2021/2022 Outlook Report, which provides an overview of the important Cyber/Data developments of 2021 and looks ahead to potential changes in 2022. Learn more by downloading the report here.
For example, please see: US charges two men over ransomware attacks, seizes $6M (nypost.com); U.S. charges Ukrainian and Russian in major ransomware spree, seizes $6 mln (Reuters); and Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside (OPA, Department of Justice).