Ransomware attacks – Tips from the trenches

Ransomware attacks are an increasingly common and serious risk for Canadian organizations of all kinds and sizes. The Canadian Centre for Cyber Security’s National Cyber Threat Assessment 2023-2024 warns: “… ransomware is almost certainly the most disruptive form of cybercrime facing Canadians”. This bulletin provides practical suggestions, based on real-world experience, for responding to a ransomware attack.

Ransomware attacks

Ransomware is malicious software that prevents access to or use of an infected information technology system or device (an IT Resource) or related data, and demands (typically through an on-screen ransom note) a ransom for a decryption key to restore the infected IT Resource or data. There are two basic kinds of ransomware – “locker” ransomware (which prevents use of an IT Resource by locking the user interface) and “crypto” ransomware (which encrypts specific files or data so they cannot be used without the required decryption key).

Ransomware is often installed on an IT Resource through fraudulent techniques, such as a deceptive email or text message with a malicious attachment or link (known as “phishing” or “spear-phishing”). Sophisticated ransomware can spread throughout a computer network (including to data stored in cloud services) to install other kinds of malware before the ransomware activates encryption.

A ransomware attack can cause significant economic loss and other harm to the victim organization, including: (1) temporary or permanent loss of data; (2) business disruption loss; (3) costs of restoring infected IT Resources and data (if possible) and otherwise responding to the ransomware attack (e.g., complying with legal reporting/notification obligations); (4) costs and liabilities arising from regulatory investigations and legal claims/proceedings by affected individuals and organizations; and (5) harm to the organization’s reputation and relations with customers, employees, stakeholders, and business partners. Ransomware can also cause significant economic loss and harm to the victim organization’s customers who depend on the organization’s services and products.

Organizations can mitigate the risks of traditional ransomware attacks by creating and maintaining secure and current data backups that can be used to restore affected IT Resources and data without the need to pay a ransom for decryption keys. However, in response to those countermeasures, ransomware criminals have evolved their approach to include “triple-threat” ransom attacks – stealing data before encrypting IT Resources and data and then demanding a ransom payment from the victim organization by threatening to: (1) sell or publish the stolen data on the dark web for use by cybercriminals or the organization’s business competitors; (2) use the stolen data to attack or demand ransom from the victim organization’s customers, stakeholders, and business partners; and (3) perpetrate additional attacks on the victim organization’s IT Resources and internet access.

Canadian and U.S. cybersecurity agencies have issued guidance for preventing and responding to ransomware attacks. For example, see Canadian Centre for Cyber Security’s Ransomware Playbook and Ransomware: How to prevent and recover, Australian Cyber Security Centre’s Ransomware Prevention Guide and Ransomware Emergency Response Guide, U.K. National Cyber Security Centre’s Mitigating Malware and Ransomware Attacks, and the U.S. CISA- MS-ISAC Joint Ransomware Guide. The National Association of Corporate Directors’ 2023 Director’s Handbook on Cyber-Risk Oversight provides a list of questions corporate directors should ask senior management to assess their organization’s readiness to respond to a ransomware attack.

Law enforcement and cybersecurity agencies have warned that paying a ransom is risky because there is no guarantee that ransomware criminals will keep their promises to deliver effective decryption keys or delete stolen data, and the ransom payment might encourage additional attacks against the victim organization. There are also moral or ethical considerations because paying a ransom will reward and encourage cybercrime, and the ransom might be used to support other criminal activities. Nevertheless, for several reasons, ransomware victims often choose to accept those risks and pay a ransom for decryption keys or data deletion.

We have prepared a check list and article providing tips on this topic which is available on BLG’s website.

This content has been updated on May 2, 2024 at 12 h 37 min.