8 October 2020
DRD Partner Kate Miller and Senior Analyst Geordie Hazeel examine the evolving threat of ransomware in the midst of Covid-19 and the significant communications challenges presented by the evolving tactics of cybercriminals.
The prevalence and often catastrophic impact of cyber attacks on the business landscape has been a consistent feature of the Covid-19 world.
Ransomware, in particular, has dominated headlines, resulting in a string of cyber attacks on well-known companies, from Travelex and Garmin to the still unfolding Blackbaud breach which crippled hundreds of charities and universities across globe.
Recent research mirrors press reporting: a threat report from Cybersecurity company SonicWall noted a 20 per cent rise in ransomware globally in 2020 and, in a September interview with the Telegraph, Eugene Kaspersky spoke of a 25 per cent increase in hacking activity in the wake of the pandemic.
What is also clear is that ransom payments are being made with increasing regularity – and law enforcement agencies and cybersecurity experts are scrambling to deal with the implications. All are aware that attacks will continue to proliferate if cybercriminals continue to be financially rewarded.
Many cyber insurance policies specifically cover ransom payments, and Garmin, Travelex and Blackbaud are all reported to have paid the hackers. To this end, Ciaran Martin, former head of the National Cyber Security Centre, a part of GCHQ, called last month for legislative changes to prevent businesses paying ransoms.
A less explored phenomenon fuelling this growing tendency towards payment, however, is the fast-evolving tactics of cybercriminals themselves – in particular…building a brand.
Amid the pandemic in March, the Maze ransomware group issued a press release. The text is Kafkaesque, offering discounts to affected organisations in a show of solidarity and carrying a promise to cease activity against medical organisations.
The statement, though, is indicative of cybercriminal gangs seeing reputation as increasingly essential to their malicious activities – specifically, cultivating trust.
While perverse, the more trustworthy a malicious actor is seen to be, the more likely it will be that ransom negotiations result in financial gain.
The methodology has also evolved, pioneered again by Maze in 2019. Where ransomware attacks once typically involved solely the encryption of files, rendering systems inaccessible and enabling extortion, now it is increasingly common for cybercriminals to exfiltrate data prior to encryption.
By stealing data rather than just locking it, the malicious actor can threaten to publish sensitive information, bolstering its negotiating position and enhancing reputational risk for a business.
This practice has dovetailed with cybercriminals displaying an increasingly adept and aggressive use of online communication channels to increase both leverage and their own profile.
Well-known operators like Maze, Doppelpaymer or CLOP have their own websites where they publish data or updates.
Twitter is often used to spread targeted messaging. By developing a reputation for a hostile use of communication, cybercriminal groups raise the stakes and, in doing so, increase the likelihood of a business paying the ransom rather than face public and media scrutiny.
This presents a significant challenge for organisations seeking to protect reputation and communicate on their own terms. While forensic investigations are in their infancy, sensitive information can already be flying around on social media.
An apt case study is the ransomware attack on Newcastle University this September, for which Doppelpaymer claimed responsibility.
While the university’s infrastructure was crippled and its investigation at an early stage, the group posted stolen data on its website and took to social media.
At this point, the university lost control of the narrative – the ransom element was reported in the press rather than an official statement, internal communications became external, and staff and students – learning of developments from the news rather than university – expressed anger on social media and offered interviews to journalists.
The ransomware group’s proactive, aggressive use of online platforms outpaced official communications, sowing confusion and cementing their own reputation. A staff member commented to Sky, “I have lost all faith in my employers’ ability to keep my data safe given they aren’t even telling us what is going on.”
As cybercriminals finesse coercive tactics and better understand the media environment and importance of reputation, a consistent, effective communications strategy has never been more vital. In the face of an enhanced cyber threat, organisations must be prepared to respond quickly, clearly, and above all, transparently.
Key to this is gaining a rapid understanding of what has happened and what data has been impacted, combined with swift notification to affected parties to ensure a company’s credibility as a source of information is maintained.
Unless businesses and communications professionals keep pace with the rapid evolution in cybercriminal behaviour, we will be left in a surreal position – where the ransomware operators are more trusted in their communications than the organisation being extorted.