The view from CYK: held to ransom and how businesses can respond

Held to ransom? The self-protection options for business in the face of a growing global threat

By Sam Roberts and Elizabeth Meade

Ransomware poses an ever-increasing risk to businesses around the world. The number of ransomware incidents globally rose by more than 60 percent in 2020, according to data from the 2021 SonicWall Cyber Threat Report.[1] The spate of attacks seen over the course of recent months suggests that 2021 may in fact be another record-setting year for this type of cybercrime.

The attacks keep coming

This month, an attack on IT firm Kaseya impacted between 800 and 1,500 businesses across 17 jurisdictions that use Kaseya’s services – from the operation of supermarket cash registers in Sweden to the computer systems of schools and kindergartens in New Zealand.[2] The criminal hackers behind the attack have demanded a ransom of USD 70m, thought to be the biggest demand on record.

In June, multi-national meat manufacturer JBS USA was targeted in an attack which temporarily shut down all of its plants, which together process roughly a fifth of the nation’s meat supply. The company paid USD 11m in bitcoin to the cybercriminals to avoid further disruption.[3]

And in May, an attack on Colonial Pipeline led to the shutdown of America’s largest fuel pipeline for six days. The shutdown resulted in panic-buying, gas shortages and spiking prices.[4]

All three major attacks were carried out by criminal groups thought to be operating from Russia that are not believed to be state-backed. Speaking in June, Lindy Cameron, the chief executive of the UK’s National Cyber Security Centre (a branch of GCHQ) confirmed that the primary threat to “UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers […] is not state actors but cyber criminals”.

On the diplomatic agenda

It is an issue that is gaining increasing political attention. At the recent G7 summit, leaders noted in the summit communique that they committed to work together to “urgently address the escalating shared threat from criminal ransomware networks”. They have called on states to “urgently identify and disrupt” networks operating within their borders and hold those accountable for their actions.

US President Joe Biden separately raised the issue with Vladimir Putin at the first face-to-face summit between the two on 16 June, with Biden said to have given Putin a list of 16 critical American infrastructure facilities which had been the subject of recent ransomware attacks, allegedly carried out by Russian criminals. On 9 July, Biden spoke again to the Russian leader, making it clear that the USA is prepared to respond if the attacks are not stopped, telling journalists after the call that he had made it clear that when the USA expects a ransomware attack “is coming from his soil, even though it’s not sponsored by the state, we expect them to act if we give them enough information to act on who that is”.

Technology precautions for business

While the world will have to wait and see whether concerted international action can disrupt the operation of criminal ransomware networks, businesses are for now left to attempt to make sure they are in the best possible position to avoid a potentially devastating attack. While ideally, a business would be able to detect malware before it has a chance to infect its organisation, it is important to assume that malware will be able to reach devices within an organisation and make plans to prevent it from running, or failing that, to limit the damage caused.

In terms of preventing attacks, continual employee training is required to enable staff to recognise phishing attacks. This is particularly vital in the pandemic age, with experts considering that the sudden transition to home working for large parts of the global workforce has contributed dramatically to the recent rise in attacks as staff working outside the safety of office networks face more risks and create more possible ‘open doors’ for criminals to gain access to networks. For example, the Colonial Pipeline attack has been attributed to a breach of an older model VPN network, commonly used by employees to connect remotely to their corporate system. This highlights a second key protection – ensuring all software is kept up to date. Using service providers who are dedicated to IT security and making use of all available anti-virus and anti-ransomware tools will also help ensure protection.

Attacks are, however, becoming increasingly sophisticated, and despite all best efforts, it may be impossible to protect a network from penetration. For this reason, ensuring that regular and multiple backups are run is the best measure that can be taken against attacks. The more frequently such backups are carried out, the more up-to-date the data that can be restored, and the more quickly company operations can return. Businesses should also ensure that at any given time, one or more backups are offline. Offline or ‘cold’ backups will remain unaffected should there be an incident which affects the live system, so it is important that not all backups are connected at the same time.

Dealing with the fallout

If a business does fall victim, specialist advice should be sought without delay. Legal advisors will be able to work with technical experts to consider how best to mitigate the reputational and operational damage that can flow from ransomware. Technical experts will be able to advise on when and how a business should go about meeting a demand for a ransom, if that is considered to be the best approach. Legal advisors can assist immediately in determining whether there is adequate insurance coverage and whether the incident has given rise to a breach under the General Data Protection Regulation and whether the ICO and customers need to be notified. In the aftermath, a victim of an attack might find itself subject to claims for breach of contract if it has been unable to perform its obligations as a result, and may also want to explore its options in terms of seeking compensation. CYK has experience in acting for both victims and third parties[5] caught up in cybercrimes – should further information on any of these matters be useful, please do get in contact. In the meantime, we will be watching the international political situation in this area with interest.