A whirlwind of confusion: what happens in the first hours of a ransomware attack

The global economy might still be struggling to get back on track. But the finances of the cybercrime underground are in rude health. Payments from ransomware victims exceeded $1bn last year – a record high. And that’s just for the cryptocurrency wallets forensics analysts were able to track. The real figure is undoubtedly much higher. In this context, all organisations should plan for the day when they too will be compromised by ransomware actors.

Unfortunately, many still do not. And their lack of preparedness is something threat actors thrive on. During the post-breach response period, they will do everything in their power to ramp up victims’ confusion, in order to extract maximum financial returns.

Network defenders must stay calm and stick to their plan. When it comes to ransomware, forewarned is forearmed.

The worst-case scenario

There are several ways in which an organisation could end up a ransomware victim. RDP compromise, email phishing and exploitation of software vulnerabilities are still the top three attack vectors for threat actors. But the first the organisation may actually see of an attack is likely to be a ransom note on a networked PC – or potentially an entry in a ransomware data leak site detailing how much data has been stolen.

From the start, network defenders are on the back foot. They may have no prior experience of dealing with a ransomware breach. Their adversaries, on the other hand, are usually seasoned professionals with stacks of domain expertise. Their operations behave more like regular SMBs than one may imagine. And in some cases, their resources can match those of high-flying enterprises. One infamous group, Conti, reportedly spent $6m (£4.8m) annually on salaries, tooling and support services.

Many questions to answer

Victim organisations will have a relatively short time frame in which to act. This kind of time-based pressure is a classic social engineering technique designed to rush victims into making irrational decisions. A clock may count down the minutes they still have left to purchase a decryption key. Or for breaches where only data was stolen, until that data is ‘leaked’ to the world.

In the meantime, business leaders will be frantically asking their IT teams to answer their questions:

• How do we deal with this?
• Who can help us?
• How much of the business is impacted?
• How much data has been exfiltrated?
• How much downtime can we expect?
• Has the story been reported in the media/on social media?

Unfortunately, without a clear, pre-rehearsed incident response plan and team in place, such questions can be tricky to answer. And the threat actors will be doing what they can to continue wrongfooting their victims. Among the tactics designed to sow confusion and force payment may be:

• Exaggerating how much sensitive data they have been able to exfiltrate
• Threatening to launch a distributed denial of service (DDoS) attack
• Contacting customers and partners and asking them to demand the company pays a ransom
• Threatening to inform regulators about the breach

Such efforts are becoming increasingly persistent, and novel. In one case, a ransomware group hijacked a US university’s emergency broadcast system to send staff and students text messages and email alerts that their data was stolen and would soon be released. In another, they hijacked and defaced the victim organisation’s website to display a ransom note to the world. In a third case, a ransomware group claimed it was willing to alert crooked traders about a breach before it was made public, so that they could short the listed firm’s stock.

Such efforts have one single goal in mind: to throw a spanner in any recovery plans and put network defenders on the back foot. If they can frighten the organisation in to paying the maximum ransom demand rather than a lower negotiated figure, all the better.

Struggling to respond

Organisations caught in this whirlwind of confusion will find it extremely difficult to successfully respond unless they have prepared for something like this worst-case scenario. Yet unfortunately, government data tells us that just a fifth (21%) of UK businesses even have an incident response plan in place, rising to 47% of mid-sized firms. Fewer than two-fifths (37%) have cyber-insurance.

This matters, because despite the news headlines, most ransomware victims are not big-name brands or government agencies, but SMBs. The median size for a breached organisation stood at just 230 employees in Q4 2023. Some 36% of victims in the period had fewer than 100 staff members. There is a ruthless logic to this. Smaller firms are less likely to have the resources and expertise needed to protect against ransomware attacks in the first place, or contain and recover from them rapidly if they are breached.

The truth is that no organisation is safe from ransomware today. But a compromise doesn’t have to precipitate an existential corporate crisis. The message is simple: plan today to avoid a whirlwind of pain tomorrow.

To find out more on what a ransomware attack could entail for your organisation, and how to mitigate and respond effectively, sign up to our forthcoming reality check webinar: Assessing the real impact of a Ransomware attack.