Ransomware criminals are adding even more tools to their toolboxes, and companies are finding it harder to stay on top of the trends, according to guests on the most recent episode of The Insuring Cyber Podcast.
Jeff Dennis, partner at law firm Newmeyer Dillion, said that in addition to traditional attack methods like data encryption, in which ransomware criminals restrict access to a victim’s system until a ransom is paid, criminals are now stealing data and threatening to release it on the dark web unless a ransom is paid. In some cases, criminals are even contacting and threatening customers whose data has been stolen from victim companies, he added.
“This is sort of the newest trend,” he said. “It’s the third level of ransomware, or the triple threat of ransomware. And it’s pretty sinister, if you think about it.”
Dennis recently spoke alongside a panel of experts on Insurance Journal’s March cyber webinar, Raising the Bar on Cybersecurity. He said a common method used among ransomware criminals today is double extortion, in which criminals extort a victim on two levels.
“The first level is what most of us think of as the typical ransomware event – a bad actor gains access to your computer system,” he said. “They launch malware, which locks and encrypts your data or your operating system, and then you have to pay a ransom to the bad guys who, hopefully, provide you with encryption keys to unlock your system.”
Under the second level of ransomware – double extortion – criminals lock a victim’s system and exfiltrate a large amount of data, whether it’s intellectual property or personal information.
“Then, on top of the extortion demand to unlock your system, they also demand payment to return all of this data to you,” he said.
Most recently, criminals are taking it a step further by contacting victims’ customers about their stolen data.
“They’re now extorting a company on two levels, and a company’s customer on a third,” he said. “So it’s really challenging because, unfortunately, if you have customers who are getting directly contacted by ransomware thieves, you’re in a very tough spot. It is very difficult to respond in a way which will not lead to significant reputational damages and/or litigation.”
Drew Schmitt, principal threat intelligence consultant at Guidepoint Security, said earlier in the episode that this significantly raises the stakes for companies that become victims of attacks, both in how they must respond and in the amount of damage that can be inflicted.
“It really does raise the stakes on the potential damage to the organization,” he said. “With traditional ransomware, where we’re talking about encrypting files and taking systems offline, obviously that is a major technology problem. But when we’re talking about data theft and extortion, we’re talking about a data leak at that point. Data’s left the environment, and then you have regulatory challenges.”
Beyond regulation, the reputational damage can be significant for a victim as well, he added.
“I think the challenge really is in the potential for damage to move from just being a technological problem to a much higher or much more impactful type of damage when we’re talking about brand and reputation,” he said.
As if that isn’t enough for companies and their insurers to worry about, another ransomware trend that is beginning to pop up is data manipulation, according to Dennis. This happens when criminals, rather than encrypting or stealing data, change the data within a company’s system so that it is no longer usable or accurate.
“It doesn’t take a whole lot of creativity to think about some potential examples which could have very severe negative outcomes,” Dennis said. “For instance, what if a hacker breaks into an electrical power company and manipulates data which causes the power operators to react in such a way that they increase the electrical load, overload the system and cause widespread electrical power outages? That would be bad.”
Despite increasingly sophisticated attack methods, Schmitt said developing a proper cybersecurity plan is all about going back to the fundamentals.
“Working on classifying your data, making sure you know where your sensitive data is, proceeding to have backups for that data,” he cited as some examples of steps companies can take. “And then once you’re moving past the technology aspect of that, you get into making sure that you have detection mechanisms for data that might be potentially exfiltrated from the environment.”
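One concrete form the “detection mechanisms for data that might be potentially exfiltrated” step can take is a per-host egress baseline: sum the bytes each workstation sends out per day, then flag a day that is far outside that host’s own history. The script below is an added illustration, not code from the podcast guests or their companies; the log format (timestamp, host, destination, bytes sent) and all sample records are constructed, and the thresholds are assumptions a team would tune to its own environment.

```python
from collections import defaultdict
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample egress records (not from the article). Fields, in order:
# ISO timestamp, source host, destination, bytes sent. Hypothetical log format.
# ws-17 sends ~200 KB/day for three days, then ~79 MB to an external file host
# at 02:00 on day four; ws-22 is steady and should not be flagged.
SAMPLE_LOG = """\
2024-03-01T09:00:00 ws-17 sharepoint.corp.example 120000
2024-03-01T14:00:00 ws-17 updates.vendor.example 90000
2024-03-02T09:10:00 ws-17 sharepoint.corp.example 110000
2024-03-02T15:30:00 ws-17 mail.corp.example 95000
2024-03-03T08:50:00 ws-17 sharepoint.corp.example 130000
2024-03-03T16:00:00 ws-17 updates.vendor.example 85000
2024-03-04T02:15:00 ws-17 storage.filehost.example 38000000
2024-03-04T02:40:00 ws-17 storage.filehost.example 41000000
2024-03-01T09:00:00 ws-22 sharepoint.corp.example 400000
2024-03-02T09:00:00 ws-22 sharepoint.corp.example 420000
2024-03-03T09:00:00 ws-22 sharepoint.corp.example 380000
2024-03-04T09:00:00 ws-22 sharepoint.corp.example 450000
"""


def parse_log(text):
    """Parse the hypothetical whitespace-separated log into dict records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, dst, nbytes = line.split()
        records.append({"ts": datetime.fromisoformat(ts), "host": host,
                        "dst": dst, "bytes": int(nbytes)})
    return records


def daily_egress(records):
    """Sum bytes sent per host per calendar day -> {host: {date: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for r in records:
        totals[r["host"]][r["ts"].date()] += r["bytes"]
    return totals


def find_egress_anomalies(log_text, review_day, min_sigma=3.0, min_ratio=5.0):
    """Return {host: (bytes_on_review_day, baseline_mean, top_destination)} for
    hosts whose outbound volume on review_day is both min_sigma standard
    deviations above their own prior-day baseline AND at least min_ratio times
    that baseline. The ratio guard stops a host with a very flat history from
    being flagged on a few percent of ordinary variation. review_day is an
    ISO date string such as "2024-03-04"."""
    review_day = date.fromisoformat(review_day)
    records = parse_log(log_text)
    totals = daily_egress(records)
    findings = {}
    for host, per_day in totals.items():
        baseline = [b for d, b in per_day.items() if d < review_day]
        today = per_day.get(review_day, 0)
        if len(baseline) < 2 or today == 0:
            continue  # too little history to judge, or nothing sent that day
        mu, sigma = mean(baseline), pstdev(baseline)
        if today > mu + min_sigma * sigma and today >= min_ratio * mu:
            # Tell the analyst where most of the day's bytes went.
            by_dst = defaultdict(int)
            for r in records:
                if r["host"] == host and r["ts"].date() == review_day:
                    by_dst[r["dst"]] += r["bytes"]
            top_dst = max(by_dst, key=by_dst.get)
            findings[host] = (today, mu, top_dst)
    return findings


if __name__ == "__main__":
    for host, (sent, mu, dst) in find_egress_anomalies(SAMPLE_LOG, "2024-03-04").items():
        print(f"{host}: {sent} bytes out (baseline {mu:.0f}/day), mostly to {dst}")
```

Note that ws-22’s fourth day (450,000 bytes) actually sits just above its three-sigma line because its history is so flat; only the ratio guard keeps it out of the findings. That is the kind of false positive a pure z-score rule produces on quiet hosts, and why a volume-based detector is usually paired with the data-classification step Schmitt mentions first, so that alerts can be prioritised by what the host had access to rather than by bytes alone.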
Dennis agreed, adding that one of the most important steps companies can take when thinking about cybersecurity in the face of a challenging ransomware environment is simple communication.
“I think the key is really to have the conversation, starting at the highest levels. Leadership needs to identify a company’s key risks, weaknesses and mission critical functions, which must be protected,” he said. “Without the buy-in of leadership, the development of inadequate cybersecurity posture becomes nearly impossible. I routinely challenge company leaders to take charge of creating the appropriate cybersecurity culture from the top down.”
Check out the rest of this episode to see what else Drew and Jeff had to say, and be sure to check back for new episodes of this podcast publishing every other Wednesday along with the Insuring Cyber newsletter. Thanks for listening.