Ransomware hit big in 2023, with 95% more attacks compared to 2022, according to Corvus Insurance's Q3 2023 Global Ransomware Report. So far there is little sign of a slowdown: global ransomware attacks in Q3 2023 are tracking up 11% over Q2 (see Figure 1).
Figure 1: Ransomware attacks reported globally via ransomware leak sites
In Singapore, the story is no different: 84% of organisations reported a ransomware attack in 2023 versus only 65% in 2022. In Hong Kong, a spate of high-profile attacks has thrown the ransomware risk into the spotlight as businesses grapple with ways to prevent, and more importantly recover from, an attack.
Three government-related institutions in Hong Kong were hit over a period of three months – Cyberport, one of the city's largest startup and innovation development zones, the Consumer Council and the Hong Kong Ballet were all breached and served with ransom demands in return for the stolen data. Technology-related crimes in Hong Kong surged nearly 50% in the first six months of the year compared with the same period last year, according to Hong Kong Police data, which attributed the rise to an increase in online economic activity as the COVID-19 pandemic eased.
As a CIO myself, I'm keenly aware of the pressures CIOs face and have worked alongside Veeam's own CISO to develop a strategic, targeted response to cyberattacks. What I've found is that there are four crucial measures to an effective post-attack response.
After a Ransomware Attack
- Observe
When faced with a ransomware attack, our first instinct from a security perspective is to eliminate the threat and resolve the issue. Truthfully, this isn’t the best move.
Instead, a CIO should first focus on quickly isolating the bad actor within the environment. Containing them without removing them is helpful because 1) it prevents the bad actor from harming other parts of the environment, and 2) it allows you to observe their actions while the evidence (logs, sessions, running processes) is still there to be collected.
Eliminating or resolving the threat is tempting, but doing so straight away usually destroys the opportunity to analyse the threat actor's actions. It is also critical to understand the extent of the compromise, both from a systems and a data perspective: which hosts and accounts the attacker reached, and which data they touched, not just the machine where the ransom note appeared.
Critical observation will help CIOs gain a better understanding of how the threat actor operates, and down the line, this knowledge will also help develop a proactive approach for the next ransomware attack.
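The following is an added example of the scoping work the observation stage describes, written for this article rather than taken from it or from any Veeam tool. It pivots outward from one observed indicator (an attacker IP) through the logons and file accesses recorded in a log, growing the list of compromised accounts, hosts and data as the attacker moves. The log format, hostnames, accounts and IP addresses are all constructed for illustration.

```python
"""Scope a ransomware intrusion by pivoting on the indicators you observed.

Added example for this article, not code from the original post or from
Veeam. The log format and every hostname, account and IP below are
constructed. Each line: timestamp kind src account dst detail
"""
from dataclasses import dataclass, field

# Constructed sample log; not real telemetry.
SAMPLE_LOG = r"""
2023-10-02T01:12:03 logon 203.0.113.7 j.tan vpn-gw-01 success
2023-10-02T01:14:00 logon vpn-gw-01 j.tan dc-01 failure
2023-10-02T01:15:40 logon vpn-gw-01 j.tan fileserver-02 success
2023-10-02T01:16:02 file fileserver-02 j.tan fileserver-02 read:\finance\q3-forecast.xlsx
2023-10-02T01:20:11 exec fileserver-02 j.tan fileserver-02 mimikatz.exe
2023-10-02T01:25:30 logon fileserver-02 svc-backup dc-01 success
2023-10-02T01:30:00 file dc-01 svc-backup dc-01 read:C:\Windows\NTDS\ntds.dit
2023-10-02T02:00:00 logon 198.51.100.9 m.lee vpn-gw-01 success
2023-10-02T02:05:00 file vpn-gw-01 m.lee fileserver-03 read:\hr\handbook.pdf
"""


@dataclass
class Scope:
    """Everything the attacker is known to have reached so far."""
    sources: set = field(default_factory=set)   # IPs/hosts the attacker acts from
    accounts: set = field(default_factory=set)
    hosts: set = field(default_factory=set)
    data: set = field(default_factory=set)      # files touched with a compromised account
    timeline: list = field(default_factory=list)


def parse_log(text):
    """Split the constructed log into (ts, kind, src, account, dst, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, kind, src, account, dst, detail = line.split(maxsplit=5)
        events.append((ts, kind, src, account, dst, detail))
    return sorted(events, key=lambda e: e[0])   # ISO timestamps sort lexically


def scope_compromise(events, attacker_ips):
    """Walk events in time order, growing the scope as the attacker pivots.

    Rules (deliberately simple):
      * a successful logon from an attacker-controlled source compromises the
        account used and the destination host, which becomes a new source;
      * a file/exec event counts only if performed with a compromised account.
    Processing chronologically means a host only taints logons that happen
    after the attacker reached it, so earlier, unrelated activity stays out.
    """
    s = Scope(sources=set(attacker_ips))
    for ts, kind, src, account, dst, detail in events:
        if kind == "logon" and src in s.sources:
            s.timeline.append((ts, f"logon {account} {src} -> {dst} ({detail})"))
            if detail != "success":
                continue                    # failed attempts are evidence, not footholds
            s.accounts.add(account)
            s.hosts.add(dst)
            s.sources.add(dst)
        elif kind in ("file", "exec") and account in s.accounts:
            if kind == "file":
                s.data.add(detail.split(":", 1)[1])
            s.timeline.append((ts, f"{kind} {account}@{dst} {detail}"))
    return s


if __name__ == "__main__":
    scope = scope_compromise(parse_log(SAMPLE_LOG), {"203.0.113.7"})
    for ts, what in scope.timeline:
        print(ts, what)
    print("accounts:", sorted(scope.accounts))
    print("hosts:   ", sorted(scope.hosts))
    print("data:    ", sorted(scope.data))
```

Note what the rules do and do not catch: `m.lee` connects to a host the attacker has already reached, but from an unrelated address, so the account and `fileserver-03` stay out of scope; `svc-backup`, on the other hand, is flagged because it authenticated from `fileserver-02` after the attacker was there. That could be a legitimate scheduled job rather than a stolen credential, which is exactly why each hit is a lead to confirm during observation, not a verdict.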
- Correct
Now that you have a comprehensive understanding of how the attacker infiltrated your company, you can take corrective measures.
What do 'corrective measures' entail? Namely, removing the threat, closing the attack vector, recovering systems and data, and addressing any other damage the attacker may have caused. During the observation stage the attacker was walled off so that they could not reach or harm more of the company's data and processes; the correction stage is when they are taken out.
Bring in the tools required for removal, and do so knowing that the attacker will not be able to return immediately through their original entry point or through any other vulnerability you have been able to identify. In practice that means closing the initial access vector, removing any persistence mechanism observed during the previous stage, and resetting the credentials the attacker is known to have used.
Once the attacker's presence has been removed, a CIO can review the damage in full: checking critical data, backups and logs; establishing what is missing or encrypted; confirming whether it can be recovered or restored from a clean copy; and identifying what requires further action.
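The damage review described above, as an added example for this article (not Veeam code and not from the original post): it walks the last known-good backup manifest, compares it with what is left on the share after removal, and sorts every file into intact, recoverable, unrecoverable, or needing human review. The share contents, backup repository, manifest, ransom-note filename and `.locked` extension are all constructed for illustration, and the example deliberately includes a backup object the attacker tampered with, since backups themselves are a common target.

```python
"""Post-removal damage assessment against the last known-good backup.

Added example for this article; not Veeam code or code from the original
post. The share snapshot, backup store, manifest, ransom-note name and
".locked" extension are all constructed for illustration.
"""
import hashlib


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


LOCKED_SUFFIX = ".locked"           # assumed extension used by the encryptor
RANSOM_NOTE = "README_DECRYPT.txt"  # assumed ransom-note filename

# Constructed: what the share looks like after the attacker was removed.
CURRENT_FILES = {
    "finance/q3-forecast.xlsx.locked": b"\x9c\x1f\x03\xa4 ciphertext",
    "finance/README_DECRYPT.txt": b"Your files are encrypted. Contact ...",
    "hr/handbook.pdf": b"handbook 2023",
    "eng/design.md": b"design v2",   # edited after the last backup ran
    "eng/scratch.tmp": b"never backed up",
    # legal/contract.docx has been deleted entirely
}

# Constructed: the backup repository plus the manifest written by the last
# good job. The attacker has also overwritten one backup object.
BACKUP_STORE = {
    "finance/q3-forecast.xlsx": b"q3 forecast v7",
    "hr/handbook.pdf": b"handbook 2023",
    "legal/contract.docx": b"\x00\x00 corrupted",
    "eng/design.md": b"design v1",
}
BACKUP_MANIFEST = {
    "finance/q3-forecast.xlsx": sha256(b"q3 forecast v7"),
    "hr/handbook.pdf": sha256(b"handbook 2023"),
    "legal/contract.docx": sha256(b"contract draft"),
    "eng/design.md": sha256(b"design v1"),
}


def assess(current, manifest, store, suffix=LOCKED_SUFFIX, note=RANSOM_NOTE):
    """Classify every file the backup covers, plus whatever else is on the share.

    Returns a dict of lists keyed by outcome. 'recoverable' drives restores;
    'unrecoverable' and 'needs_review' are the items needing further action.
    """
    out = {k: [] for k in ("intact", "recoverable", "unrecoverable",
                           "needs_review", "unprotected", "evidence")}
    for path, good_hash in manifest.items():
        blob = store.get(path)
        # Verify the backup copy itself before trusting it for a restore.
        backup_ok = blob is not None and sha256(blob) == good_hash
        if path in current:
            if sha256(current[path]) == good_hash:
                out["intact"].append(path)
            else:
                # Changed since the backup: a legitimate edit, or encrypted in
                # place without a rename. A person decides; never auto-restore.
                out["needs_review"].append(path)
            continue
        reason = "encrypted" if path + suffix in current else "deleted"
        target = out["recoverable"] if backup_ok else out["unrecoverable"]
        target.append((path, reason))
    for path in current:
        name = path.rsplit("/", 1)[-1]
        if name == note:
            out["evidence"].append(path)        # keep it: incident evidence
        elif path.endswith(suffix) or path in manifest:
            continue
        else:
            out["unprotected"].append(path)     # was never in the backup set
    return out


if __name__ == "__main__":
    for outcome, items in assess(CURRENT_FILES, BACKUP_MANIFEST, BACKUP_STORE).items():
        print(f"{outcome:13s} {items}")
```

The `unrecoverable` bucket is the one to watch: the contract was deleted from the share and its backup object no longer matches the manifest, so the only remaining options are an older restore point or a different copy, which is the kind of item the review has to escalate rather than quietly skip.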
- Prevent
With the threat actor removed and the breach closed, CIOs can kick off preventative measures to avoid undergoing such an attack again. Scanning and reviewing your security controls will help identify any immediate gaps or vulnerabilities in your attack surface.
In reviewing the attacker profile built up during the observation stage, as a CIO you must focus on the key variables at play: the target, the attacker's identity, the actions they took, and the impact they caused. These factors are crucial to determining the next steps to reduce future risk. Identify the pattern of behaviour to determine whether similar activity could cause another, or wider, breach.
Security vulnerabilities are often seen as technical issues, but the biggest risk is the people working within the organisation. Most attackers enter companies through social engineering – phishing scams or the like, preying on the distracted employee. Where the attack began that way, you can immediately restrict or lock down the affected accounts, and wider employee access if necessary, to limit further harm.
- Notify
It’s never fun breaking the news of a ransomware attack to your stakeholders. However, transparency is valuable to retaining trust and loyalty while keeping the industry informed about emerging threats.
You must be purposeful in your notification. Sharing everything without a plan not only risks the company's reputation but also leaves you vulnerable to future attacks. Instead, start by reaching out to key parties – the board, the company’s legal team, and business stakeholders.
Coordinate with your legal team and board to align on messaging and what information on the attack can be shared, with whom, and when.
It can take days to weeks to address an attack sequentially and thoughtfully. By this time, you will likely have the information to provide and be able to reassure customers of your company’s commitment to protecting their data, and the actionable steps taken to prevent more attacks. Doing so demonstrates customer value, and helps retain customer loyalty and trust.
What Comes Next?
While ransomware attackers don't normally target the same gap twice, they can, and likely will, strike again. Taking a backward-looking approach and securing only the already-breached zones is not going to be effective for long. Instead, CIOs should identify the potential vulnerabilities and targets and get in front of them before an attack can occur.
In the end, CIOs that follow this post-attack procedure, in whatever capacity, should operate with a primary goal in mind: to secure the future of the company.