Ransomware is an escalating and evolving cybersecurity threat facing organizations around the world. In 2020, ransomware attacks increased seven-fold by year end, with over 17,000 devices detecting ransomware each day.[1] As an added challenge, ransomware is more sophisticated than ever before, with modern variants designed to inflict immense damage and perpetrators demanding higher payouts. In the past few months alone, ransomware has caused catastrophic disruptions to the business activities of, among others, Colonial Pipeline, food processing giant JBS USA Holdings Inc., and Ireland's national health care system.[2] Successful attacks cost businesses millions of dollars, including disruption to business, personnel cost, device cost, network cost, lost opportunity, reputational harm, and a potential payment of a ransom.[3] Cybercriminals are demanding and collecting ever larger sums: the average ransomware payout per event grew from approximately $115,000 in 2018 to more than $300,000 in 2020, and the highest ransom paid more than doubled, from $5 million between 2015 and 2019 to $11 million in 2021.[4] Governments, law enforcement, and regulatory bodies have taken notice, and companies face pressure to effectively prepare for and respond to ransomware attacks.[5]
Given the current threat environment, it is critical that companies seeking to manage their cybersecurity risks have some understanding of how ransomware has evolved to become one of the most damaging cybersecurity threats today. Companies are facing increased legal, regulatory, and political scrutiny in the wake of these attacks, which in turn requires them to have appropriate management structures and controls in place, with board oversight, in order to anticipate and address the significant harms that can be caused by a ransomware attack. Below we examine the key features of modern ransomware that companies should be considering, including how ransomware actors are now targeting specific companies, threatening to post their victims' most sensitive data online, and collaborating with other cybercriminals to increase the sophistication of attacks. After exploring modern ransomware, we recommend guidelines for companies responding in the immediate aftermath of an attack, so that they are best positioned to contain the incident, resume normal business operations, and appropriately assess legal and regulatory risks.
Key Features of Modern Ransomware
Ransomware attacks traditionally operated by gaining entry to a system, usually through phishing emails, and then automatically locking or encrypting data by scanning for files with certain extensions. In the past, most ransomware actors used a "spray and pray" or "shotgun" approach in which ransomware was indiscriminately distributed in search of a vulnerable organization. While these opportunistic attacks had several notable successes, by 2018 organizations had largely adapted to the threat by implementing cybersecurity measures and disaster recovery and business continuity plans in response to attacks. As a result, traditional ransomware became less successful and was, for a time, largely overshadowed by other cyberthreats.[6]
In the past 18 months, however, ransomware has roared back to the forefront of the cyberthreat landscape. Modern ransomware attacks are more sophisticated and damaging in several key ways. First, modern ransomware actors frequently use a targeted approach, known as "big-game hunting" or "human-operated attacks," in which the ransomware is tailored for specific victims. Before an attack is even initiated, ransomware actors engage in deep victim profiling.[7] Ransomware actors have become more proficient at doing so for several reasons, including the availability of databases and other tools that help identify victims based on their location, industry, size, and revenue, and anonymous communication platforms that allow for secure interactions and increased collaboration among cybercriminal groups. After identifying a victim and gaining access to its network, ransomware actors spend a substantial amount of time (typically weeks or months) taking over sections of the network before executing the ransomware. By spending more time in the targeted system, cybercriminals are able to move laterally to gain access to more parts of the network, identify the most sensitive data stored by the victim, and infiltrate critical backups, making it harder for victims to recover from an attack. With greater access to sensitive data, ransomware actors also have more insight into their victim's financial health, which drives more tailored ransom demands.[8]
Second, in conjunction with the broad access to sensitive data provided by targeted attacks, ransomware actors now employ "double extortion," in which the ransomware not only encrypts the victim's data but also exfiltrates it from the victim's network. This gives cybercriminals another avenue for extortion: if a victim does not pay the ransom, the attacker can publish or threaten to publish the victim's data online, sell the data on the dark web, or use the stolen data to exploit vulnerabilities in related systems. Victims face significant pressure to pay ransoms under those circumstances, which has led to a substantial increase in the amount of both ransom demands and payouts.[9]
[1] See Fortinet, Global Threat Landscape Report: A Semiannual Report by FortiGuard Labs (Feb. 2021), available at https://www.fortinet.com/content/dam/maindam/public/02_marketing/08_Report/Global-TLR-2021-2H.pdf.
[2] Collin Eaton & Dustin Volz, Colonial Pipeline CEO Tells Why He Paid Hackers a $4.4 Million Ransom, Wall St. J. (May 19, 2021); Catherine Stupp, Irish Healthcare System Struggles With Tech Disruptions After May Ransomware Attack, Wall St. J. (June 18, 2021).
[3] See Dep't of Health & Human Serv., Ransomware Trends 2021 at 11 (June 3, 2021), available at https://www.hhs.gov/sites/default/files/ransomware-trends-2021.pdf.
[4] Palo Alto Networks, Ransomware Threat Report at 4 (2021); see also Jacob Bunge, JBS Paid $11 Million to Resolve Ransomware Attack, Wall St. J. (June 9, 2021).
[5] See, e.g., Press Release, U.S. Senator Jackie Rosen, Rosen Leads Bipartisan Group of Senators to Reintroduce Bipartisan Electric Grid Security Legislation (June 24, 2021); Press Release, Fed. Bureau of Investigation, FBI Statement on Recent Ransomware Attacks (June 4, 2021); Press Release, Dep't of Homeland Security, DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators (May 27, 2021).
[6] Magno Logan, Erika Mendoza, et al., The State of Ransomware: 2020's Catch-22 (Feb. 3, 2021), available at https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/the-state-of-ransomware-2020-s-catch-22.
[7] Mayra Fuentes, Feike Hacquebord, et al., Modern Ransomware's Double Extortion Tactics and How to Protect Enterprises Against Them at 9 (2021), available at https://documents.trendmicro.com/assets/white_papers/wp-modern-ransomwares-double-extortion-tactics.pdf.
[8] Id. Some ransomware actors add a third layer of extortion by launching distributed denial-of-service ("DDoS") attacks against victim websites, which can overwhelm a network with traffic, causing further disruption of operations. Others have even added a fourth layer of extortion by directly contacting a victim's customers in an effort to increase pressure on the victim to pay. See Janus Agcaoili, Miguel Ang, et al., Ransomware Double Extortion and Beyond: REvil, Clop, and Conti (June 15, 2021), available at https://www.trendmicro.com/vinfo/dk/security/news/cybercrime-and-digital-threats/ransomware-double-extortion-and-beyond-revil-clop-and-conti.
[9] See Palo Alto Report, supra note 4, at 4.
Originally Published by Harvard Law School Forum on Corporate Governance
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.