The conflict between Russia and Ukraine, and its geopolitical fallout, make this a critical time for businesses to assess their exposure to ransomware attacks and other technological interference. In our recently released 2022 Sanctions Report, we noted that the impact, frequency, and intensity of ransomware have increased significantly, presenting continued financial, regulatory, operational and reputational challenges for companies. The war in Ukraine and the resulting sanctions placed on Russia have only served to increase that threat and cause it to evolve.
Companies need to enhance their security and compliance controls to prepare for a shift in the way attackers are adapting their tactics to this new reality.
Digitalization Creates Risks
The pandemic supercharged digital transformation trends, with significant but often hastily implemented and insufficiently secured adoption of technology, including the cloud, remote working tools and other emerging technologies. Seamless global connectivity has made organizations more agile; however, it has also made them more vulnerable to attacks. The attack surface has expanded, with cyberattacks affecting organizations across all industries, ranging from infrastructure operators to food producers to healthcare and education facilities. As the capabilities of cybercriminal groups have increased in recent years, so has their breadth of targets, and attacks now increasingly focus on a combination of disruption and data theft.
Geopolitics continues to shape the cyber threat environment, with some governments tacitly endorsing cyber as another tool to punish adversaries. Most recently, President Biden warned of Russian cyberattacks against the U.S. and that companies should be alert to threats and take steps to prepare now.
Ransomware’s Multiple Impacts
Though many companies have taken steps to improve their security and resilience, no system is impenetrable. Ransomware groups have demonstrated this truth, improving their tactics and tools to maximize the impact and returns of their operations. For instance, new tactics such as double or sometimes triple extortion, where criminals encrypt, exfiltrate and threaten to publish sensitive data, have increased hugely over the past two years.
When organizations think of ransomware attacks, they generally consider first the data implications and the financial fallout that could result. But there are also other impacts to consider, including regulatory, reputational and legal challenges. Many jurisdictions require that regulators be notified following a breach, and organizations must also assess their legal obligation to issue data breach notifications to all impacted parties, even if the ransom has already been paid.
One threat that few organizations have considered is the prospect of sanctions violations. If your organization is the victim of a ransomware attack and faced with the question of whether to pay a ransom, it is at risk of a violation if the attacker is affiliated with a sanctioned state such as Russia, Iran or North Korea, or even a sanctioned criminal group. Sanctions compliance requires clearly knowing the attacking entity and carrying out due diligence on that entity prior to payment, but in cyberspace, it is often difficult to know who you are dealing with.
Preparing for a Potential Cyber Attack
With increased risks and regulatory concerns, organizations need to prepare for when a cyberattack will happen, not if it will happen. In the past, cyberattacks could be handled internally and largely by the IT organization, but the sophistication and severity of today’s attacks now make this impossible. Organizations need to have an integrated plan that takes into account the many lines of responsibility and stakeholders involved in the event of an attack.
Critical aspects of this plan should include assessing and monitoring a constantly changing cyber threat landscape. This informs decision-making and helps to ensure security and technology spending are proportionate to the unique threats that every organization faces. Knowing your potential adversaries, or at least scenario planning the intent and capability of potential threat actors to target your organization – including the likely intrusion points – is crucial. It helps to build a robust control environment. It also informs the operational response when the inevitable does happen, including decisions around whether to facilitate a crypto-currency payment.
While the cyber risks for organizations continue to increase, U.S. companies have taken a more proactive approach to cyber risk management. The governance of cybersecurity is no longer solely an IT-department responsibility, and business leaders recognize cyber attacks as a major risk for their organizations. By identifying how cyber and ransomware attacks have shifted, understanding the organizational risks that could take place if a breach occurs, and developing a plan of action to respond to a potential attack, organizations will be best positioned for success.