Out-Law News | 07 Dec 2021 | 4:02 pm | 1 min. read
The uptick in ransomware attacks, and likelihood of their continued prevalence, serve as a stark reminder of the need for organisations to get cyber-ready
Ransomware is an increasingly prevalent form of cyber attack. It involves hackers installing malicious software on to computer systems to prevent organisations carrying out everyday operations or accessing data or other assets. Organisations are then prompted to make a payment to the hackers to bring about an end to the attack.
According to Pinsent Masons’ report, ransomware incidents accounted for 31% of the cyber team’s caseload over the past 12 months, up from 16% in 2020. This growth is consistent with a rise in ransomware-related incidents identified by both the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO).
In its recent annual review, the NCSC said there were three times as many ransomware attacks in the first quarter of 2021 than in the whole of 2019, while the ICO said at its data practitioner’s conference in May that the number of data breach cases linked to ransomware attacks reported to it had jumped from 13 per month to 42 per month over the course of the previous 12 months.
The amount of ransom demanded by cyber criminals varies from case to case. In Pinsent Masons’ experience, ransom amounts demand commonly ranged between $30,000 and $250,000 but Davey said that the cyber team had been engaged in one case in the last year where attackers had placed a $9.5 million ransom on unlocking access to systems and data.
“The current threat of ransomware attacks is not going away any time soon,” said Davey. “Organisations will find themselves – out of nowhere – thrust into the complex world of managing a business threatening ransom attack. In all cases serious consideration needs to be given not only to the commercial and criminal risk factors in whether or not to pay a ransom and/or engage with the attacker but also, on whether or not there is a duty to report to organisations such as the ICO, other supervisory and regulatory authorities and/or the police, notify the stock market, as well as the data subjects themselves.”
“The uptick in ransomware attacks, and likelihood of their continued prevalence, serve as a stark reminder of the need for organisations to get cyber-ready and have rehearsed response and recovery plans in place for when an attack inevitably happens. Ultimately, it may well be that governments, policy makers or the insurance industry may step in with measures which go some way to breaking the cyber criminals’ business model,” Davey said.
Recent data from insurance group Marsh (20-page/4.99MB PDF) suggested the rising number of ransomware attacks is driving an increase in cyber insurance pricing. The overwhelming majority of companies renewing cyber insurance had experienced an increase in premiums in the first half of 2021, and in the first quarter, pricing rose on average by 29%.
In the Netherlands, the Dutch government is reportedly considering banning insurance companies from paying ransom payments to hackers, in a bid to take away the financial incentive for criminals engaged in ransomware and other hacking attacks. AXA announced earlier this year that it would no longer reimburse cyber insurance policyholders in France if they choose to pay ransom demands to cyber criminals.
In a report published earlier this year, the US-based Ransomware Task Force – a body bringing together software companies, government agencies, cybersecurity suppliers, financial services companies, non-profits and academic institutions – characterised ransomware as “a global challenge” that no single entity alone can address. It set out 48 recommendations for government agencies and individual organisations to address the problem of ransomware attacks.
The Task Force recommended, among other things, that a global strategy for combatting ransomware be developed, and that an international framework to help businesses prepare for, and respond to, ransomware attacks also be established. It further backed increased regulation of the use of cryptoassets – which cyber criminals typically favour for payment due to their ability to transact anonymously and dissipate assets quickly on the blockchain.
According to the Task Force, ransomware attacks should become “an investigation and prosecution priority”, and it further identified the need for legal clarification over the security measures businesses can legitimately take to fight off attackers.
An entire chapter of the Task Force’s report was also committed to recommendations aimed at helping individual businesses better prepare for ransomware attacks, with measures endorsed including mapping organisational security processes and controls to existing popular cybersecurity frameworks; undertaking ransomware-specific risk assessments, and; leveraging contractual terms to hold managed service providers and IT suppliers accountable in respect of their cybersecurity measures.
01 Dec 2021