
Expert insight from our cyber incident responder
When talking to clients or taking questions at the end of webinars, many ask us about ransomware.
In fact, ransomware is often the first thing people ask about!
Organisations seem really worried about it – and understandably so. Ransomware features a lot in the news. A particularly noteworthy attack was MOVEit, which was also a zero-day exploit, but we see plenty of “run-of-the-mill” attacks too. There are even daily ransomware victim feeds!
Admittedly, threat actors can and do claim attacks that didn’t happen or are exaggerated. Nonetheless, the risk of a cyber incident is significant, and as data leaks such as the “mother of all breaches” suggest, sooner or later, every organisation will “get done”.
Anecdotally from the news, ransomware attacks appear to be growing. This trend was confirmed by the 2024 Data Breach Investigations Report: Verizon found a significant jump in ransomware/extortion attacks compared to the 2023 report.
So, I sat down with cyber incident responder Vanessa Horton to get her expert insights into this trend.
About Vanessa Horton
Vanessa holds a degree in computer forensics, as well as a number of cyber security and forensics qualifications.
She’s worked for the police as a digital forensics officer, where she was involved in complex crime cases. Vanessa was also awarded a Diamond Award and an Excellence in Service Delivery Award.
Now, she’s part of our cyber incident response team, helping clients with their cyber security requirements.
Previously, we’ve talked to Vanessa about anti-forensics, and picked her brain on cyber incident response.
In this interview
To what extent do you track industry news?
I try to look at cyber news every day. I like to keep up to date, particularly in this industry, so I can support clients better. I also research things where I can – such as anti-forensics, or bigger ransomware trends.
What ransomware trends have you noticed?
First, ransomware gangs are much more organised now. Many have their own logos and conduct job interviews, and there have even been calls for research papers on the dark web! As a result, these groups have become even more dangerous than they already were.
Second, gangs seem to be putting all their efforts into data exfiltration, moving away from data encryption in the process. Or they do both, in what’s known as a “double-extortion” attack. This really is worrying.
Why is this such a worrying trend?
Well, historically, one of the best responsive measures to ransomware was to take regular backups. You don’t need to pay a ransom to have your files decrypted if you can simply restore them yourself.
However, if your data has been exfiltrated, you can still be held hostage by the attackers.
In fact, threat actors are really putting the pressure on organisations now by spending more and more time in their victims’ systems, trying to find the truly sensitive data. This makes organisations not just more likely to pay, but also gives attackers leverage to demand higher ransoms to begin with.
Of course, the UK government advises against paying ransoms, but doesn’t legally enforce this, unlike some other countries.
What’s your personal advice on paying ransoms?
That’s very tricky to answer.
Ethically speaking, you clearly shouldn’t, as paying the ransom funds further criminal activity. Besides, they’re criminals. What’s to stop them selling the data, whether immediately or further down the line, even if you do pay?
However, paying could prevent sensitive data from being sold on the dark web, thereby reducing the impact of the breach. I do want to stress the could here though – again, there’s no guarantee the attacker will keep their side of the bargain.
So, I think organisations need to weigh up the risks to make the right decision for their specific situation. I don’t think the answer to your question is a clear-cut “don’t pay”, but not paying will likely be the best action to take in most cases.
Let’s go back to the trend we were discussing earlier. Besides applying more pressure on their victims, why else do you think ransomware groups are favouring exfiltration over encryption?
Exfiltration is doubly profitable for ransomware groups. The victims are more likely to pay up and the threat actors can sell the data on the dark web. In fact, the stolen data can be more valuable than the ransom payment itself.
But I think there’s more to it than that.
The “traditional” method of data encryption is a really difficult program to code, because for the attacker to be able to blackmail their target, their encryption needs to be really sound. You’ve got to cover all the infrastructure.
Exfiltration, on the other hand, requires the attacker to simply obtain access to their victim’s systems, get the data on it, then demand the ransom.
In short, from the criminals’ perspective, exfiltration requires far less effort. And it certainly offers a far better return on “investment”.
What can organisations do if their data has been exfiltrated?
It’s tricky. The criminals already have the data, so that’s not going to help you recover from this attack.
However, a fast response remains critical to both minimise the impact of this attack and prevent future incidents, particularly of a similar nature.
One of the most important things to do is conduct an initial forensic investigation. That means figuring out:
- What happened?
- What was the root cause?
- When did the initial attack happen?
- What data has been breached, exactly?
- Did the attackers put a back door in your systems, so they could easily re-access them later? This is something I’ve actually seen with clients, though I can’t share the specifics due to client confidentiality.
By conducting this type of early investigation, you’re not just meeting your legal and regulatory obligations, but also gathering the information you need to take the right measures to prevent such situations from recurring.
Interviewer note: Real-world examples
Vanessa previously shared real-world examples to demonstrate just how important it is to take the time to investigate root cause.
Understandably, when you suffer a business disruption, your first instincts are to get your systems up and running again. And yes, continuing your business-critical operations is very important to minimise the hit to your organisation.
But, as Vanessa previously highlighted with a real-life case study: if you restore your services without investigating root cause, you’ll “get done” again. Possibly just weeks later, and by the same threat actor, leaving you back at square one.
Worse, organisations that suffer multiple incidents in quick succession are more likely to hit the headlines. Journalists love writing about the ones that make for a better story.
What else should organisations think about?
Well, legal notification requirements aside, I want to remind people that data breaches affect more than just the organisation’s finances and reputation. A data breach is also horrible for the people that data belongs to – your data subjects.
Having your data available on the dark web to the highest bidder is really hurtful, particularly if the data is of a personal nature. Those people entrusted you with their data, and failing to adequately protect it damages your relationship with them.
So, be considerate. You can’t undo the breach, but you can mitigate the damage by being open and transparent about what happened, exactly whose and what data was compromised, and so on.
You can also offer your subjects advice and support in actions they can take to at least mitigate the impact to them personally.
People do remember and appreciate such honesty and transparency, and this will help your organisation’s reputation. Equally, people will also remember attempts to hush things up – and the truth does tend to get out, even if it’s not until years later.
And the headlines speak for themselves – organisations can suffer enormous damage, and can even go out of business, by doing the wrong thing.
Do you have any final words of advice?
Prevention is always better than a cure. You need to take reasonable steps to stop opportunistic attacks, at the very least, which can be really cheap to do, too. Measures like:
- Passwords and MFA [multifactor authentication];
- Anti-malware software;
- Regular patching; and
- Firewalls.
And many others are all easily accessible and affordable, and go a long way towards reducing the likelihood of an incident.
But if you suffer a breach anyway, it’s obviously too late to prevent the incident altogether – this time round, at least.
That’s why forensic investigation is so important: figure out what happened, what vulnerabilities you need to fix, where staff education is lacking, and so on. Make sure you learn some valuable lessons, so you won’t suffer the same incident again.
Cyber Incident Response Investigation service
If you’ve suffered a cyber incident, we can give you and interested parties (e.g. insurance providers) assurance that the incident is being dealt with quickly and efficiently.
Our Cyber Incident Response Investigation service will help your organisation answer key questions such as:
- How the threat actor gained access; and
- The steps needed to contain, eradicate and recover from the attack.
We hope you enjoyed this edition of our “Expert Insight” series. We’ll be back soon, chatting to another expert within GRC International Group.
In the meantime, why not check out our previous interviews with Vanessa on cyber incident response and anti-forensics?
If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter. Alternatively, explore our full index of interviews here.