The earlier a company understands its ransomware "victim profile", the better it can prepare for a potential attack.
Today’s ransomware attacks are much more sophisticated than they used to be. The days of “spray and pray” are over. We are now seeing Advanced Persistent Threats (APT) with tactics, techniques and procedures (TTPs) such as establishing a foothold in the victim’s network, collecting data and files, and deploying additional tooling before running the encryption and demanding the ransom payment. We can therefore assume that the victims aren’t picked randomly, but are analyzed in depth before they are targeted. The attackers weigh many factors, such as the wealth of the owners, the pressure imposed by clients, the cost of a day of downtime, or the impact of a delayed supply. All of these factors increase the pressure on the victim and the attackers’ ability to offer a deal that the victim seemingly can’t refuse.
For example, if an attacker knows the daily turnover of a company (based on publications, leaks, or breached data), he can fine-tune his ransom claim to a sum that will not be disproportionately high, nor ridiculously low, but precisely within the parameters to make the victim think seriously about paying the ransom and buying back its network and peace of mind.
Leaking Data and Leveraging Privacy Laws as Additional Means of Pressure
Some ransomware hackers threaten to leak information, usually gigabytes of data or thousands of documents, if the victim refuses to pay. In some cases, this is how we learn that an attack has already occurred. Different companies may have different concerns regarding their data, but generally speaking, a massive data leak from the organization’s network is the nightmare of any CISO. Especially if it includes source code files, intellectual property in any form, sensitive financial figures, private information about employees and partners, or other confidential business documents.
By calculating the potential damage of a leak, executives might reach the conclusion that there’s nothing to hide or lose, and they address this threat with resilience. Things change when the attackers threaten to leak to the dark web Personally Identifiable Information (PII) stored in the victim’s systems, such as ID documents, credentials, payment methods, etc. The damage in this case is double – a hit to the company’s reputation and credibility, accompanied by a possible lawsuit for violation of privacy rules such as CCPA, GDPR, or other local privacy laws. Such violations may incur fines reaching up to 20 million EUR or 4% of the global annual turnover of the company according to the GDPR fine schedule, or $700 USD per entry if CCPA is applicable. The choice of paying the ransom in order to avoid a lawsuit becomes more of a question of finance and legal affairs, rather than a cybersecurity issue.
Preparing for an Attack
To prepare your business for a ransomware attack scenario and reduce risks and potential damages, we suggest that you answer these questions:
Understanding Your Victim’s Profile
Ransomware can hit anyone unexpectedly, yet we see that some organizations are at higher risk. The earlier a company understands its “victim profile”, a term for how a ransomware attacker perceives the organization as a target, the better it can defend its assets and prepare employees, suppliers, clients, and internal stakeholders for a potential attack.
Answer the following questions. If the majority of your answers are “yes”, then your “victim score” is high and you should start taking preemptive steps:
The Next Steps
No one enjoys preparing for a ransomware attack, just as no one likes the idea of seeing their house, car, or property damaged. In the case of natural hazards, we apply the best practices of safety, do an evacuation drill every now and then, and buy insurance policies in case things get out of control. When it comes to ransomware attacks, the procedure is similar:
You cannot eliminate the risk of being hit by ransomware, but you can significantly reduce the potential damage and ensure fast recovery.
Threat Intelligence Team Leader
Threat Intelligence Researcher