Forget these 5 ransomware myths

Ransomware attacks have recently filled the headlines and emerged as a top cyber security concern. But, for all the news coverage, there are still misunderstandings about the threat.

There’s little doubt about the magnitude of the ransomware problem. Business costs associated with ransomware are expected to hit $20 billion this year, according to Aon’s 2021 Cyber Security Risk Report, while cyber insurers have reported a fourfold jump in claims from 2019 through 2020.

"Business costs associated with ransomware are expected to hit $20 billion this year, while cyber insurers have reported a fourfold jump in claims from 2019 through 2020."


The ransom itself is only a small part of the costs and damages associated with a ransomware attack. Organisations can also face significant business interruption. In some cases, attackers threaten to release sensitive information if their demands aren’t met, potentially damaging their target’s reputation. According to the Cyber Security Risk Report, seven in 10 ransomware attacks involved threats to expose data — attackers even threatened to sell it to the highest bidder.

"At the end of 2020, 7 in 10 ransomware attacks involved threats to expose data."


As the threat advances, it’s critical that organisations understand its nature — and what to do about it.

“The recent widely reported ransomware attacks underscore the fact that cyber risk is not just about data breach. Acknowledging and managing cyber risk is key to running your company, period,” says Katharine Hall, senior vice president, National Cyber Practice & PSG Broking Leader, Commercial Risk Solutions at Aon. “This is a significant risk to your organization and being able to run your organization successfully.” 

5 Myths to forget

As with other sorts of cyber attacks, the criminals carrying out ransomware attacks have grown more sophisticated —in both their attacks and the selection of potential targets. But, while the magnitude of the ransomware threat is becoming clearer, there are still several myths around this type of cyber risk.

Myth 1 | My business is not a ransomware target due to its size, industry etc
“When we analyse ransomware attack patterns, they’re indiscriminate,” says Richard Hanlon, EMEA chief commercial officer at Aon Cyber Solutions. “These attackers go after the weakest link and, despite the investment and the focus on ransomware defence and malware detection, on any given day there are hundreds of known vulnerabilities that regularly remain unpatched across businesses, irrespective of size or industry, and the attackers exploit those known vulnerabilities.”

Tom Ricketts, senior vice president and executive director, Commercial Risk Solutions, Professional Services at Aon, says professional services firms, especially law firms, have become one of the top targets of ransomware and extortion hackers.

“Hackers want to monetise data they have stolen or access to systems they have breached,” says Ricketts. “They need two things from their targets: money and sensitive data. Professional services firms are perceived as having both. Many law firms used to think that no one could possibly want the ‘uninteresting’ data they hold. But hackers aren’t interested in the content. It’s about that data’s value to the firm and the firm’s clients, which can be millions of dollars.”

Myth 2 | Backing up data is enough protection from ransomware attacks
Sophisticated cyber criminals might be more interested in seizing an organisation’s collection of personally identifiable information than in simply taking control of its network or damaging the data.

Paying a ransom might result in criminals providing a decryption key that allows the victim to get systems running again. But, if they collected personally identifiable information in the course of their attack, those criminals might also look to conduct a secondary attack, Hanlon warns. They might threaten to sell that information or even post it online, further compromising the business and its reputation.

Myth 3 | Ransomware losses are limited to the ransom payments
“Paying the ransom is the tip of the iceberg,” says Hanlon. “Whatever the business, it’s better to understand ransomware losses in the context of business interruption, because that’s the single biggest threat from a ransomware attack. There are companies whohave gone out of business because they could not recover from a ransomware attack.”

In fact, losses from a ransomware attack can extend well beyond the ransom and remediation expenses.
A ransomware victim can lose business, face exposure to third-party claims and suffer reputational damage, Hanlon notes. For some businesses, the service interruptions resulting from the attack can lead to customer reimbursements that far exceed that cost of the ransom.

Myth 4 | Threat actors attack immediately upon gaining access to a network
“People talk about ransomware attacks as if it’s a ‘day zero attack,’ where criminals turned up on the day that the ransomware demand was made,” says Hanlon. “But in reality, there’s often many, many phases before the criminals launch the actual attack.”

Attackers often begin with a reconnaissance phase, seeking to identify a vulnerable target and the best ways to exploit it.

In the next phase, weaponisation, the criminals apply what they’ve learned and shape the direction of their attack, perhaps by crafting credible-looking phishing emails.

By the time the attack is executed, the criminals might have been in the network for months. They could already have collected and tested passwords, infected networks, disabled firewalls and gained trusted access to the network, allowing them to evade detection by security software.

“Sometimes attackers will try a small excursion to see what the response would be,” says Hall. “And then they plan the bigger attack based on what they’ve learned from the small disruption.”

Myth 5 | Security software provides adequate protection from ransomware attacks
Security software is critical, but it’s not enough, according to Hanlon. Around-the-clock scanning and ongoing vulnerability management, along with end-point detection and monitoring, are an essential first line of defence.
We also can’t forget the human element, Hanlon says. Human error is the number one reason organisations’ networks are breached.

“This sounds basic, but alongside the sophisticated security software you need to install, you cannot underestimate the importance of basic cyber hygiene. You have to constantly reiterate to your trusted-access employee group how they need to be cyber aware and always on the alert. Make sure employees go through regular training and education awareness. Conduct simulated phishing campaigns to gauge employees’ awareness,” Hanlon says.

Trust no one
The best approach in today’s ransomware environment is actually a “zero trust” approach, says Hanlon.
“Even people that you assume are on the network, you have to get them to authenticate using multi-factor authentication,” says Hanlon. “And you’ve got to do it in a way that also includes high levels of encryption getting into secure systems.”

Expect a ransomware attack
To combat the ransomware threat, organisations must recognise that they can be a target. They should take an “assume breach” mentality, according to Hanlon.

Leaders should challenge their information technology professionals to consider that the organisation has already been breached and to focus its ransomware defences accordingly. “It’s the importance of preparing for the expected,” Hanlon says.

Related articles:

Organisational resilience for the rise of technology

 

If you would like to discuss any of the points covered, please contact Aon’s head of Cyber Risk Alistair Williams or visit aon.co.nz/cyberrisk

This website contains general information only and does not take into account your individual needs or financial situation. It is important to note that limits, excesses, terms and conditions and exclusions apply to the products and services outlined on this website. Please refer to the relevant policy documents for details of cover, the provision of which is subject to the insurer’s underwriting criteria that apply at the time. Please contact us if you have any questions.