At our recent webinar, guest speakers laid out the extent of the problem, and what organisations can do to protect themselves.

Hosting the webinar, Recovery and Renewal: Preparing and protecting your business from the threat of cyber attack, was Malcolm Buchanan, Managing Director, Corporate & Commercial Banking, Royal Bank of Scotland. He was joined by Chris Ulliott, Chief Information Security Officer at Royal Bank of Scotland, and Jude McCorry, Chief Executive of the Scottish Business Resilience Centre (SBRC).

As part of his job, Chris Ulliott gets a day-to-day understanding of how criminals collaborate to stage ransomware attacks. Stock images would have us believe that hackers are lone actors – perhaps sat at a laptop, in the dark, wearing a hoodie – but, as Chris explained, ransomware attacks involve far more people with highly sophisticated and professional skill sets. Hackers invest in each other to create an ecosystem that sees gangs specialise in particular areas:

• Services: Criminal recruiting, hosting and infrastructure, and malware packaging services.

• Distribution: Exploit-kit development (to attack vulnerabilities in an organisation’s systems), spam email distribution, social network and instant message spamming.

• Monetisation: Money mules, money laundering and cryptocurrency services.

The consequences of an attack, of course, can be devastating to a business, and Chris pointed out that ransomware is probably the biggest threat facing companies at the moment. Not only will hackers encrypt data as part of a ransomware attack, they will also try to erase back-ups and threaten to release data if a ransom is not paid. Following an attack, it may take many months before a business is able to trade normally again.

According to figures from cyber-intelligence firm IB Group, ransomware attacks have risen by 935% since 2020. And research by CrowdStrike suggests the average ransom payout increased from $1.10m in 2020 to $1.79m in 2021.

While there are suggestions that remote working during the pandemic may have created an environment where ransomware attacks have been able to thrive, Chris said the ransomware threat was growing fast even before 2020. Businesses should take the threat seriously – and be mindful that a return to office-working is unlikely to slow the increasing threat. Preparation and protection are key.

Put simply, there is too much of a financial incentive for gangs to ignore, with criminals selling stolen domain admin credentials for up to £95,000 on the dark web, according to digital risk protection specialists Digital Shadows. One piece of research from Digital Shadows that Chris shared involved an offer on the dark web of $3m for a certain Windows exploit. “That feels like a lot of money for what is essentially a foothold in someone’s network,” said Chris. “However, when you look at some of the ransoms that have been paid, I think the biggest single ransom I know of was a company in the US that paid $40m.”

The life of a cyber attack can be broken down into five sequential stages:

1. Reconnaissance: The adversary conducts preliminary research to pinpoint key servers and valuable data.

2. Exfiltration: Sensitive corporate data is withdrawn to adversary-controlled off-site storage.

3. Deployment: Ransomware is deployed across the enterprise, including workstations and shared network drives.

4. Extortion: If the ransom is not paid by a set deadline, the adversary increases the pressure by threatening to release data.

5. Consequences: Should the victim still fail to pay the ransom, the adversary publishes the stolen data in a public forum.

Watch the video: The evolving attack sequence.

Despite the risks Chris shared, he recommended that IT teams focus on a core set of defences, including:

• Web filtering and content inspection

• Email inspection

• Anti-virus and anti-malware protection

• End-point behavioural analytics

• Strengthening authentication of accounts
  

Watch the video: How to defend your organisation.

“It’s often very difficult to get people’s attention on this subject,” commented Jude McCorry, Chief Executive of the Scottish Business Resilience Centre (SBRC), who focused on a series of free resources that organisations can access in order to protect themselves. “And it’s usually whenever they get targeted or attacked that attention is given to it.”

SBRC partners with the Scottish government, Police Scotland and the Scottish Fire and Rescue Service to equip organisations with the skills they need to protect themselves against cyber attacks. So Jude was well placed to share good-quality information and resources that businesses can use to prepare and protect themselves from the threat of ransomware attacks:

• Check out guidance from Cyber Scotland and the SBRC.

• Have a positive and healthy cyber-safe culture within your organisation that promotes honesty rather than blaming people for errors.

• Sign up to the SBRC’s Exercise in a Box sessions to find out how resilient your business is to cyber attacks and practise your response in a safe environment.

Watch the video: Exercise your board.

• Educate your board and non-executive directors by signing up to SBRC’s Executive Education hub.

• Think about how you can operate your business if you are the victim of an attack.

• Have your incident response plan ready (there is a template on the Cyber Scotland website).

Watch the video: Incident response plan.

• Check out and test your cyber insurance, and ask what happens if you are attacked.

• Download the SBRC App for threat intelligence and updates.

• Save the SBRC incident response telephone number (01786 437472) so you can quickly call for assistance.

• Report anything suspicious to Police Scotland on 101.

Watch the video: How to educate your organisation.

Both Chris and Jude addressed the topic of cyber insurance and what organisations need to know when investing in this type of policy. While they can help a business overcome the financial distress of a ransomware attack, in the past hackers have targeted companies that have a cyber insurance policy. And depending on the nature of the policy, making a claim may mean that an organisation is contractually obliged to keep the attack secret.

“When you look at cyber insurance, I believe it is useful in so far as you should be very careful [that] you get a package that suits you as an organisation,” said Jude. “And it may be a way of getting support that you don’t have in-house that you would need in an incident.”