“Legal advice must be sought if ransom payment is being considered”
Lyndsey Charlton, COO, Daisy Corporate Services
What would you advise customers who are hit by a ransomware attack in 2024? Are there any circumstances where they should consider paying the ransom?
Key to minimising impact in a ransomware scenario is to maintain focus in what is undoubtedly a high-stress situation. As tough as it will appear, enacting a structured response requisite with a supporting plan and a team that understand their roles and responsibilities is essential. If you have access to third party cyber incident recovery specialists, either through cyber insurance provision or an existing supplier relationship, engage them as early as is practicable. Actions executed during the initial stages of an attack can be critical in terms of impact reduction. Having subject matter experts on hand can be invaluable in maximising the effectiveness of your response and providing specialist input to root cause analysis and cyber forensic activities.
Depending on the severity of the ransomware attack, the question of ransom payment may raise its head. The default advice and the view shared by the NCSC (National Cyber Security Centre) is that ransoms should not be paid under any circumstances. Even if in an unfortunate position where a ransom payment appears to be the only way to regain access to data, organisations must be aware that payment will not guarantee resolution. There have been cases where ransom groups have cut and run following payment. Critically, legal advice must be sought if ransom payment is being considered, particularly if this involves the transfer of funds to a DP (Designated Person). A DP is an individual or entity subject to financial sanction by the UK government. Ransom payment to DPs could expose an organisation to civil and criminal liability.
Will advancements in AI help or hinder ransomware levels, and in general do you expect ransomware attacks to continue increasing?
The advance of AI is a double-edged sword for cyber security and has an impact on ransomware proliferation. On the plus side, AI is making strides in how we can rapidly analyse data at scale. This empowers AI-enabled security detection toolsets in extracting quality data from a multitude of monitored sources within our environments and leveraging those findings in automation of effective incident response actions.
It’s also important to consider that AI provides additional capability to cyber criminals. There are already documented cases of bad actors using AI-generated malware and harnessing the power of this technology to author credible phishing emails as a basis for focused cyber-attacks. Unfortunately, when used in this manner AI capability acts as an enabler, lowering the entry gate for many aspiring attackers in engaging in effective cybercrime campaigns.
The grim reality is that ransomware attacks are showing an exponential year on year increase, with no sign of this trend abating. More than ever, organisations must be prepared to institute effective cyber security controls to counter this persistent menace.
Is there a silver bullet you recommend to customers to prevent, or at least minimise the chance of, being hit?
With ransomware and cyber-attacks in general there is no magic wand when it comes to eliminating risk. Organisations can get on the right foot by entering into a mindset of “assuming breach”. Work from a basis that your organisation will be attacked frequently and some of those attacks will be ultimately successful. With this realistic approach, focus on the development of a cyber incident response plan specific to your organisation’s risk profile. Key to success here is to fully understand your organisational assets, their function and criticality in maintaining business operations and the existing controls you have in place to protect them. Identify your “crown jewel” services and prioritise the resources you will need to effectively mitigate and remediate targeted cyber-attacks against those assets.
Importantly, when it comes to ransomware, always consider the lowest common denominator in having an effective data protection strategy in place. The unfortunate fact is that in any given ransomware event, the quality of your backups might be the difference between make or break. Evaluate your data protection capability and consider important elements such as immutability and air gapping your backups from your production network to avoid them being encrypted at the point of ransomware attack.