Tag: cyber attack

Ransomware needs to be on your radar. Here’s why. Ransomware review Ransomware is a cyberattack where cybercriminals take over an organization’s computer network with malware. Once they assume control, the criminals demand a ransom to restore the victim’s encrypted data access. With an estimated generation of $412 million in 2020 alone1, the frequency  of these attacks is growing. At Experian, we handle many data breach cases and know that 7 of 10 breaches involve ransomware. This summer, NetDiligence dedicated a panel at its Cyber Risk Summit on the Lifecycle of a Ransomware Event and invited us to talk about our solutions to help business leaders prepare to minimize interruptions spurred by ransomware. The lifecycle of a ransomware attack includes five stages: 1. Attack Bad actors attack to discover assets, take data, extort it for direct payment, or profit from reselling data on the dark web. They can also launch a ‘double-take’ attack: first collecting ransom to access data and demanding secondary payment to keep it off the dark web. Hackers prey on company networks, searching for vulnerabilities and accessing encrypted files through phishing or planting malicious links to infect the network with malware. More than double the global rate of 14%2, U.S ransomware attacks have become more aggressive, accounting for 30% of all cyberattacks in 20202. At Experian, we’ve seen an even higher occurrence, with 59% of the events serviced 2021 to date involving ransomware. 2. Discovery Once attackers infiltrate a system, they demand a ransom for the decryption key to unlock the encrypted files. Companies usually discover the attack through a ransom note emailed to an executive, a file left on a server, or even a flashing warning on all connected computers. If they leave a message including their contact information, ransom sum, payment delivery time, and consequences for unmet conditions, such as tipping off the media, releasing stolen data, or selling it on the dark web. Next, companies will contact their cyber insurance carrier to log stolen information, get systems back online, navigate legal issues, and facilitate hacker negotiations. Since only about one-third of companies have cyber insurance, most will rush to hire cybersecurity counsel post-attack3, amounting to more stress and delays since it can take months for large companies or those without backups to determine the extent of the damage. At Experian, almost all events involving ransomware take about 20% more time to begin breach notification. Whether there is an incident plan in place or not, companies experience immense panic. 3. Negotiation Typically, a company will hire a professional, either directly or through their cyber insurance, to negotiate with hackers. While hackers expect price haggling, the ransom price could still be hefty. According to the cybersecurity firm, Coveware, the average ransom was $154,000 in Q4 2020, down from $230,000 the year before4. But hackers can drive up the price. Prime example: JBS, the world’s largest meat processor, paid an $11 million ransom in June 2021 to prevent customer data from being compromised. In a perfect world, the ransomware negotiation process goes this way: Establish communication with the attackers Obtain proof of decryption Obtain data exfiltration proof Negotiate a (huge) discount Celebrate Unfortunately, negotiations can be tricky, and the process rarely goes this way. Sometimes attackers go “dark” or request additional payments. Additionally, decryption tools may have bugs that skip mapped network drives or skip folders with long paths and unusual characters. An investigation is key to determine how hackers got in, what was exposed, and if they still have access—knowing exactly how and what was compromised will help in the negotiation. 4. Settlement After the ransom negotiations are over, companies must carefully consider the strategy behind the decision to pay or not to pay the ransom. The FBI generally discourages ransom payments because they may entice other criminals to engage in ransomware and paying does not guarantee data recovery. Additionally, the Office of Foreign Asset Control (OFAC) has payment bans and restrictions that support national security that must be upheld or face fines. At this stage, companies need to ensure that the ransom settlement does not violate constantly evolving regulations. If companies settle, the payment will typically be delivered via cryptocurrency like Bitcoin since it is harder to detect the payees. The hackers will mix the bitcoin for others diluting the currency flow and making it difficult to trace. 5. Post-Event For many companies, the settlement is just the beginning of ransomware attack costs. Companies will also have to pay to restore back-ups, rebuild systems and implement stronger cybersecurity controls to avoid future attacks. As discussed at the Cyber Risk Summit, here are five recommendations for companies to enforce tighter cyber control: Advanced Endpoint Monitoring System Restrict Remote Desktop Protocol (RDP) Regularly Update Software and Operating Systems Implement Password Management Policies Establish and Update Incident Response Plan and Ransomware Playbook Ransomware is just getting started. To minimize the impact of an attack, companies create a proactive preparedness plan. Determining to protect and scan for threats, establish negotiation and payment rules, and external breach communications, is critical. Breaches are our business at Experian. We know ransomware breaches have more complex FAQs, letter versions, and increased call center escalations. To learn how Experian’s Reserved Response solution can prepare your business for a data breach, click here. Sources:  1 Washington Post, “How Ransomware Attacks Work”, July 2021 2 Verizon 2021 Data Breach Investigations Report 3 Washington Post, “Ransomware Axa Insurance Attacks”, June 2021 4 Covewave, “Ransomware Marketplace Report”, Q4 2020

“Are we next?” That’s the question companies around the world are grappling with as more high-profile data breaches make headlines. At a time when one in four organizations experience cyber-attacks, mishandling the response can do more damage than the breach itself. We take precautions against dangerous situations every day. With years of practice either in school or at work, most of us know what to do if there’s an emergency. We conduct drills repeatedly because when we immediately know how to respond to a threatening situation, we can minimize destruction. Because of the high probability of a cyber-attack, businesses need to treat breach responses like internal drills, repeatedly practicing until it becomes instinctive. Prepare your data breach response drill A well-prepared incident response strategy should first define all breach scenarios (e.g., ransomware, malware, phishing, etc.) and their specific steps. Assembling a qualified team is also critical, individual roles and responsibilities should be defined and clearly communicated. After finalizing the essential components of your incident response plan, regular testing is crucial to ensuring your organization is equipped to handle the unexpected. Practice makes perfect Below are six principles to help guide your data breach response drill effectively: Bring in an outsider. Enlist the expertise of someone outside your organization to run the drills and serve as a moderator. A third-party facilitator allows you and your team to focus on individual tasks and responsibilities. Put aside plenty of time. At a minimum, give your team half a day to do the exercise and to debrief. It’s an exercise for everyone. All internal and external team members who will be involved in a data breach response need to participate in this activity. Expect the unexpected. Your drills should include various likelihoods and situations. Another benefit to bringing in an outside moderator is that they can throw unpredictable scenarios at your team. Debrief. After the exercise, the entire team should review, discuss each mock situation in detail, and identify any areas in need of improvement. Repeat every six months. Keep your team aware of the latest developments in the world of cybersecurity and prepared to tackle cyber threats by conducting drills every six months. Executing these drills are invaluable and help prove to your stakeholders, customers and employees that your company takes data security seriously. The more you practice putting your plan into action, the better prepared you’ll be in a real-life situation. Visit our website for more information about our offerings and how Experian can help you prepare and respond to data breaches.

Like an unimmunized person in a roomful of flu patients, the healthcare sector continues to be at high risk of catching something unpleasant. Cyberattacks and data breaches jeopardize the well-being of healthcare organizations of every size, and too often their exposure is a result of not doing everything they can to immunize themselves against attack. In our 2017 Data Breach Industry Forecast, we predicted the profitability and uneven defenses of the healthcare sector would cause cybercriminals to continue to focus attacks on healthcare organizations. Numbers from the Identity Theft Resource Center indicate our prediction was right; by mid-year, 151 healthcare breaches have compromised more than 1.9 million records, accounting for nearly 22 percent of all 2017 breaches thus far. We also predicted: Ransomware would emerge as a top threat for healthcare organizations. Cybercriminals would expand their range of targets within the sector, causing mega breaches to broaden their focus from insurers to other organizations, including hospital networks. Electronic health records and mobile applications would increasingly be targeted. The year so far In mid-May the WannaCry ransomware cyberattack became the largest ever, affecting computer systems in more than 150 countries. Ransomware uses malicious code to infect systems, seize control and shut down user access until the affected organization or individual pays a ransom to unlock their systems. Britain’s National Health Service (NHS) was one of the largest victims of WannaCry, which infected medical devices as well as administrative PCs. The impact was widespread, affecting critical operations and causing hospitals to reject patients, doctor’s offices to shut down and emergency rooms to divert patients. Like a patient with a compromised immune system who ignores his doctor’s advice to get an annual flu shot, the NHS allegedly disregarded multiple security warnings to update and protect its systems. Cybercriminals have also expanded their targets for mega breaches beyond insurers. So far in 2017, the largest known healthcare breach in terms of number of compromised records occurred at a urology practice in Austin, Texas. ITRC statistics show nearly 280,000 records were compromised through the breach of the practice, which has eight locations in the greater Austin area. According to the practice’s official data breach notice, a ransomware attack encrypted data stored on the organization’s servers. Electronic health records were the target of cyberattacks at numerous healthcare organizations, including a fertility and menopause clinic in New Jersey, where more than 17,000 records were compromised, ITRC reports. The number, scope and impact of healthcare cyberattacks will only grow. The industry that focuses on taking care of Americans’ physical and mental health should proactively take steps to safeguard its own health by updating security measures and data breach response plans. Learn more about our Data Breach solutions