Ransomware costs double in 2023: have you invested in an incident response plan yet?

Setting a new global record in 2023, cybercriminals made a staggering $1.1 billion from ransomware attacks, surpassing the previous year's total of $567 million, according to recent data from Chainalysis, a blockchain analysis firm.

While ransomware payment volume dropped in 2022, the longer view from 2019 to 2023 shows payments trending upward. Note that these payment figures do not capture the wider economic impact of an attack: lost productivity, recovery and rebuild costs, and the cost of the response itself.

To see how the global trend plays out in Australia, it is worth reviewing the Annual Cyber Threat Report 2022/2023 published by the Australian Signals Directorate (ASD). The report describes the changing cybercrime landscape in Australia, comparing 2023 with previous years. According to the report, ASD responded to 127 extortion-related incidents, of which 118 involved ransomware or other restrictions on systems, files or accounts. ASD also notified 158 entities of ransomware activity on their networks, a seven percent increase on the previous year. These figures show that ransomware is becoming both more common and more damaging in Australia.

The report also notes that ReportCyber received nearly 94,000 cybercrime reports, a 23% increase on the previous financial year, and that the overall cost of cybercrime to businesses rose by 14% over the same period.

Given that cybercrime is rising, it is crucial to have an incident response plan in place to minimise the impact of an attack. By preparing in advance, businesses can better protect themselves against ransomware and limit the financial and reputational damage when an incident does occur.

Responding to a ransomware incident

It's important for members to be proactive and ready for the possibility of ransomware attacks.

1. Pre-incident response

  • Develop internal policies and a ransomware playbook – Procedures for handling ransomware incidents should be incorporated into your incident response plan, including the factors that influence the decision to pay or not pay. Develop a playbook to guide decisions and the response to a cryptocurrency ransom demand.
  • Know your options – Recognise that as a ransomware victim you have three basic approaches to recovery: restore from backup, attempt to decrypt the data (realistic only where a public decryptor exists for that strain or the attacker's implementation is flawed), or pay the ransom and follow the threat actor's instructions.
  • Understand regulatory implications and potential sanctions – Obtain a documented position from external cyber and legal counsel on the legal implications of paying a ransom to a cyber threat actor, taking into account the categories of affected data, such as personal information and card information.
  • Examine the impact on LGIS cyber protection – Understand how any cyber protection you hold treats ransom payments and the other losses that follow a ransomware incident. Discuss with your account manager how that protection operates in a ransomware incident.
  • Engage external expertise in advance – Know how you will bring in external experts and integrate them into your response before an incident occurs. Time is critical during an incident, so engagement and integration processes (contracts, contacts, access) should be settled in advance. Members who have established these relationships ahead of time respond faster and more effectively.
  • Determine how a ransom payment would be managed – Understand the basics of cryptocurrency and decide whether your legal counsel or your cyber forensics provider would be responsible for handling any cryptocurrency transaction on your behalf.

2. During the incident response

  • Minimise exposure – Choose the containment strategy that fits the specific incident. One option is to isolate the infection by shutting down servers and workstations across the enterprise; another is to disable LAN and WiFi connections or block network traffic to prevent further spread. Where you have the choice, prefer disconnecting machines from the network over powering them off, because powering off discards volatile evidence (such as memory contents) that forensic analysis may need.
  • Contact your protection expert – If you have cyber protection, contact Chubb's incident response hotline and LGIS or, if available, your existing IT service provider with cyber response capabilities.
  • Gather evidence – Collect and preserve the information needed to understand the nature of the incident, identify the source of the attack, and support any legal or investigative action that may follow.
  • Follow your internal and external guidance – If your workplace has an incident response plan, follow it. If your local government already has a contract with a cyber forensics provider, consider whether separate contract arrangements are needed for that provider to support the ransomware incident.
  • Evaluate your options – Assess your options based on the incident category and the impact on your systems, and decide which approach to recovery is best. Do you have a clean backup available? Do you have a secondary recovery system in place? Can you restore the systems and data?
  • Executing a ransom payment – Based on your options for restoring systems and data, the final decision on whether to pay should be made through careful internal deliberation after sufficient legal advice and cyber forensic technical analysis. If you decide to pay, confirm with LGIS before making the payment whether the payment is covered.

3. Post incident response

  • Update internal guidance – Make sure to document what you've learned from the attack, how it happened, and the steps you need to take to prevent it from happening again. Take a look at your ransomware policy and make any necessary updates. Don't forget to also update your IT disaster recovery plan.
  • Bring in external expertise – Engage a cyber defence service provider to perform an 'indicators of compromise' assessment of the entire network. Find and eliminate any remaining malware or associated files or artefacts. Consider using a provider other than the forensics company that supported the response. While discovery and eradication of indicators of compromise is part of the response effort, an independent and comprehensive post-incident assessment will provide additional confidence that ransomware has been eliminated.
  • Identify lessons learnt and weaknesses – Address network and system vulnerabilities or gaps identified during the forensic analysis to prevent a repeat attack. Conduct an after-action review and lessons learned (AAR-LL) session with all who were involved in the incident. Capture information on what went well and what did not go well, and identify corrective actions to improve the response process for future ransomware events. For each gap or weakness, identify a senior manager or executive to be accountable for the completion of corrective actions.
  • Review backup strategy – Review and refresh the data backup strategy, incorporating accepted best practices and lessons learned in the ransomware event. This may require re-architecting the data backup system if it falls short of data security needs.
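The "gather evidence" step in the response phase and the post-incident indicators-of-compromise assessment above both come down to the same mechanical work: hash everything so the collected evidence can later be shown to be unaltered, and check each file against known indicators. The following is an added example of such a sweep, not code from LGIS or the ASD; it walks a directory tree, builds a SHA-256 manifest, and flags files by three constructed indicator types (a known-bad hash, a ransom-note filename pattern, and an encryptor-added extension whose content is high-entropy). All indicator values, filenames and sample files are constructed for the example and are not real ransomware artefacts; a real assessment would load indicators from the forensics provider and threat-intelligence feeds.

```python
"""Added example: a minimal indicators-of-compromise sweep with an evidence manifest.
All indicators and sample files below are constructed for illustration only."""
import hashlib
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass, field

# Constructed indicators (assumptions for the example, not real IOCs).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"DROPPER-SAMPLE").hexdigest(),  # stands in for a real malware hash
}
RANSOM_NOTE_PATTERN = re.compile(r"^(readme|how_to_decrypt).*\.(txt|html?)$", re.I)
ENCRYPTED_EXTENSIONS = {".locked"}  # extension the (hypothetical) encryptor appends
# Bits of entropy per byte. Plain text sits well below 7.0, but compressed formats
# (zip, xlsx, jpeg) are also near 8.0, which is why the extension check comes first.
ENTROPY_THRESHOLD = 7.0


def sha256_file(path, chunk=65536):
    """Stream a file through SHA-256 so large evidence files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def shannon_entropy(data):
    """Shannon entropy in bits per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class Finding:
    path: str
    reason: str
    sha256: str


@dataclass
class SweepResult:
    manifest: dict = field(default_factory=dict)   # path -> sha256 of every file seen
    findings: list = field(default_factory=list)   # files matching an indicator


def sweep(root):
    """Hash every file under root and flag those matching the constructed indicators."""
    result = SweepResult()
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = sha256_file(path)
            result.manifest[path] = digest
            if digest in KNOWN_BAD_SHA256:
                result.findings.append(Finding(path, "known-bad hash", digest))
            if RANSOM_NOTE_PATTERN.match(name):
                result.findings.append(Finding(path, "ransom note filename", digest))
            if os.path.splitext(name)[1].lower() in ENCRYPTED_EXTENSIONS:
                with open(path, "rb") as f:
                    head = f.read(1 << 20)  # the first MiB is enough to judge entropy
                if shannon_entropy(head) >= ENTROPY_THRESHOLD:
                    result.findings.append(Finding(path, "encrypted-looking file", digest))
    return result


def build_sample_tree(root):
    """Constructed sample data: one clean file, one dropper, one note, one encrypted file."""
    share = os.path.join(root, "share")
    os.makedirs(share, exist_ok=True)
    with open(os.path.join(share, "budget.csv"), "w") as f:
        f.write("year,amount\n2023,100\n2024,110\n")
    with open(os.path.join(share, "update.exe"), "wb") as f:
        f.write(b"DROPPER-SAMPLE")                  # hashes to the constructed bad hash
    with open(os.path.join(share, "README_TO_RESTORE.txt"), "w") as f:
        f.write("Your files are encrypted. (constructed sample note)\n")
    with open(os.path.join(share, "budget.xlsx.locked"), "wb") as f:
        f.write(os.urandom(4096))                   # random bytes stand in for ciphertext


def demo():
    """Run the sweep over a temporary constructed tree.

    Returns ({basename: reason}, number of files in the manifest)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        result = sweep(root)
        reasons = {os.path.basename(f.path): f.reason for f in result.findings}
        return reasons, len(result.manifest)


if __name__ == "__main__":
    reasons, count = demo()
    print(f"{count} files recorded in manifest")
    for name, reason in sorted(reasons.items()):
        print(f"{reason:>22}: {name}")
```

The manifest is the part that matters for the evidence step: write it out (with a timestamp and the collector's identity) at the start of the response, and any later hash mismatch shows that a file changed after collection. The entropy check is deliberately gated on the encryptor's extension, since compressed office documents and images are high-entropy by nature and would otherwise flood the findings.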

LGIS' cyber risk program

LGIS recognises the support our members need in this highly complex and technical area, so in 2022/23 we launched our cyber pilot program. The risk program, now in its second phase, is developing guidelines that explain the ASD Essential Eight requirements and the implementation steps needed to comply with them as fully as possible. Alongside the Essential Eight guide, LGIS will also release an Incident Management Guide to help members build their own protocols.

Members also have access to Chubb's incident and claims management expertise. The 24/7 hotline is staffed by Clyde and Co, who can assist with the triage and management of a cyber incident, including legal advice, contractor selection and ransomware negotiations.

To have a chat about your cyber risk practices and how to manage them, please get in touch with your LGIS account manager.