Cyber attacks more sophisticated, data exfiltration ‘not going away’: risk expert

96 per cent of malware attacks now involve ransomware, says a Kroll cyber risk director

The pandemic has proven to be fertile ground for cyberhackers. Despite this, fewer organizations surveyed by the Canadian Internet Registration Authority (CIRA) expected to increase human resources dedicated to cybersecurity in the next 12 months, according to its 2020 Cybersecurity Report.

Fewer resources may be a mistake, according to Jaycee Roth, the newly appointed associate managing director of Kroll’s Cyber Risk practice, who is based in the firm’s Toronto office and works extensively with lawyers and, by extension, their clients.

The pandemic “created a whole new pool of potential victims for cyber attackers,” Roth says, as employees began to work remotely and use email more – making them more susceptible to attacks – and increasingly sophisticated ransomware attacks began to emerge.

In the cyber risk practice of Kroll – which provides services and digital products related to governance, risk and transparency – about 48 per cent of attacks they see are classified as business email compromises, says Roth; this is a type of cyber fraud in which fraudsters impersonate individuals such as C-suite managers by way of email for the purpose of giving instructions for the movement of funds or otherwise disclosing valuable commercial data to the fraudsters.  

Another 20 per cent or so of what Kroll’s cyber risk practice deals with is malware, 96 per cent of which is ransomware, says Roth, and that ransomware has become increasingly sophisticated and dangerous for companies.

The Maze ransomware gang “changed the game” when it came on the scene in 2019, she says, becoming the first high-profile hacking group to exfiltrate sensitive files from victims and threaten to publish them if the ransom was not paid. Before this, a ransomware attack could be controlled more easily by way of a corporation paying the ransom demands in return for the “keys” to unlock hijacked files and folders – and companies could even avoid paying ransom if they had a regular and robust backup system. But the Maze ransomware involved data exfiltration – copying, or making an unauthorized transfer of data from a computer system – followed up by a threat to publish the data on its own website if the ransom was not paid.

Although the Maze ransomware group announced it was ceasing operations as of September 2020, other groups began copying Maze’s approach with their own data leak sites, and it has become a more common element of ransomware attacks.

“What this means … is that now not only are your files all locked, but if you are a company that [for] years prior had backups, … you now have this threat of a bad actor who might post or do something with that data looming over your head,” says Roth.

The trend is toward “a correlation between higher ransom demands in cases where exfiltration has occurred,” she adds, based on what the extorters believe organizations can pay. “We're also seeing that threat actors are getting a lot smarter about exactly what type of information they're taking out of the door with them: usually sensitive in nature, or financial data that helps strengthen their side of the negotiation.”

Cyber attacks happen to all types of organizations, and, globally, big-name corporations and non-profits alike have been bilked of billions of dollars. “No information is immune, and ransomware is size- and industry-agnostic,” says Roth; yet, she says, from what they have seen, only 64 per cent of organizations have a structured incident response plan to a cyber attack.

“I can't tell you the amount of times I've been on calls” where the wrong people are on the call – i.e., no IT staff – and “where clients don't know where their critical data is sitting in their environment,” or whether they have a tested backup system.

In addition to an incident response plan, organizations can work with “breach” coaches ahead of the potential event, to better prepare them, for example, “to be upfront with partners or employees” about the breach.

Cyber risk management is a growing field, Roth confirms; “data exfiltration is not going away,” and cyber attackers may become more sophisticated in circumventing advanced security measures that have been put in place to prevent it.

Highlights of CIRA’s 2020 Cybersecurity Report

·  Fewer organizations expect to increase human resources dedicated to cybersecurity in the next 12 months with one-third planning to do so, down from 45 per cent in 2019.  

·  About three in 10 organizations have seen a spike in the volume of attacks during the pandemic. 

·  Slightly more than half of organizations implemented new cybersecurity protections directly in response to COVID-19. 

·  One-quarter of organizations experienced a breach of customer and/or employee data last year. Another 38 per cent did not know if they had or not. 

·  Organizations were less likely than in 2019 to inform a regulatory body of a data breach, with only 36 per cent doing so compared to 58 per cent in 2019.

·  Decision-makers are divided in their concern about changes to PIPEDA, with 54 per cent saying they are concerned.