Building Better Resilience Against the Persistent Threat of Ransomware Attacks

Ransomware is a critical risk for companies across all industries, with the frequency, sophistication and business impacts of attacks increasing significantly over recent years.

Ransomware cannot be underestimated for its ability to inflict significant business interruption and financial and reputational damage on a targeted company. As the methods used continue to evolve in scope and complexity, strategies used to combat ransomware need to also advance at pace.

The nature of ransomware is changing

The increase in ransomware attacks is exponential. In 2023 attacks were up 214 percent on a year-on-year basis in Q4 and 1281 percent when indexed against ransomware frequency before the pandemic (Q1 2019).[1] Ransomware attacks in Asia Pacific were up 200 percent on the prior year.[2]

Neither the public sector nor private organisations — regardless of size or industry — are immune, and many organisations only have basic levels of cyber hygiene and defence. It is encouraging to observe many companies across Asia Pacific report that core controls responsible for managing ransomware attacks — e.g. access management, business resilience and endpoint systems — have improved markedly from ‘basic’ to ‘managed’ levels in recent years.[3] However staying out of the attack path will continue to present new challenges as criminals are increasingly sharing hacking tools and selling malware between groups. Proactive defence has become urgent.

Extortion on the rise

The emergence of double and multi-extortion tactics highlights that secure back-ups cannot be solely relied upon to deal with ransomware demands. Increasingly attackers focus on targets not only because they can easily exploit known vulnerabilities to demand ransom payments, but because they have calculated the potential for a more substantial payday through the threat of a data leak.

Ransomware payments in 2023 varied dramatically in average size between USD $275-$1.946bn depending on the threat actor and campaign[4]

Even when back-ups have not been compromised, attackers can still apply pressure on the victim to pay the ransom by selectively publishing sensitive data as extortion leverage. Complying with the ransom payment demand to gain access to decryption keys is no guarantee against subsequent data leaks, and there are cases of payments being made and criminals later monetising exfiltrated data by auctioning it on the dark web.

Ransomware isn’t simply a ‘pay’ versus ‘don’t pay’ calculation

As the frequency of ransomware attacks increases, business leaders must consider the broader implications of these events beyond the operational impact of encrypted technology systems. As the objectives of bad actors widen to include double extortion and targeting of impacted data subjects to maximise negotiating leverage, decisions on how best to address the implications of an attack become increasingly more complex for executives.

“The response to ransomware has become increasingly more complex,” said Adam Peckman, Head of Cyber Solutions, Asia Pacific at Aon. “Bad actors continue to target sensitive data and leverage online platforms to amplify reputational harm on the targeted business and data subjects — at times through direct harassment of employees, customers, or executives. Risk leadership needs to balance a range of decision-making criteria to navigate through this complexity — the operational and legal challenges of making a payment, the financial and operational impacts of not making a payment, and the duty of care to data subjects (employees, customers) that includes considerations of their mental, and at times physical, wellbeing. Alongside these there are also a range of legal consequences and fiduciary responsibilities to shareholders.”

Recent high-profile attacks in Australia and Asia are emblematic of the myriad of issues that arise following these events, from impacted financial performance, increased regulatory scrutiny, eroded shareholder value, and exposed corporate officers.[5]

Assessing ransomware risks

As an ever-expanding threat, a cyclical approach to assessment will enhance an organisation’s view of mission critical assets, but also allow weaknesses to be easily identified.

This provides the blueprint to make better decisions, whether for vulnerability prioritisation, patching frequency, or new technology investment to achieve risk reduction goals. Alignment with corporate risk registers along with executive-level understanding of the strategic security investment program will enhance governance protocols associated with ongoing improvement and business resilience. Insurance coverage must be a natural complement to this strategy.

Insurance considerations

Insurers continue to seek technical underwriting information from companies to ensure they can demonstrate their preparedness for a ransomware attack and have appropriate levels of security control maturity.

Insurers experienced an uptick in ransomware losses in 2023 compared to 2022, with ransomware events increasing in each quarter[6]

Insurers are reviewing ransomware exposure via specific supplemental questionnaires and use of scanning technology. Their focus is on business continuity and disaster recovery planning, privileged access controls, multi-factor authentication, proactive scanning/testing, and overall incident response readiness.

In addition, insurers are continually adjusting their underwriting approach, reviewing terms and conditions of coverage, and re-evaluating capacity deployment. Careful preparation of an organisation’s underwriting submission is vital to maintain access to insurer capital.

In 2024, cyber insurance growth aspirations, increased appetite, and softening pricing are likely to come under pressure from the rise in ransomware attacks. To remain an attractive risk for insurers, organisations must continuously improve their cyber security posture.

Cyber insurance is an important risk mitigation measure for the corporate balance sheet which means that correct levels of transparency with insurance partners must be fostered, developed and maintained.

Trends to watch

Aon’s Q4 2023 Global Insurance Market Insights predicts ransom strategies will intensify. Threat actors will continue to innovate and utilise asynchronous paths to apply extortion pressure to encourage victim companies to pay ransom demands.

How threat actors attempt to extort funds from victims, which started with conversations in chat rooms and email, has evolved to include aggression and targeted harassment of employees, customers and board members.

Companies may also experience increased insider risk as employers enforce return-to-office requirements and as economic challenges and layoffs in the Information Technology security industry continue to impact staff. Ransomware threat actors will continue to recruit company staff and pay for their credentials for remote access to facilitate an attack.

How can organisations mitigate the impact of a ransomware attack?

The following tips can help build cyber resilience and mitigate the risk of falling victim to ransomware:

1. Test your preparedness — Ensure incident response, disaster recovery, and business continuity plans/playbooks have been assessed, reviewed and updated. Most importantly, ensure they are tested through simulated exercises across realistic scenarios to help improve familiarity within the core leadership group. Participation in these exercises should be extended to critical partners across legal, insurance and security.
2. Educate employees on cyber security awareness — Companies must create a culture where all employees feel responsible for enterprise security. Individuals should be encouraged to detect and defend against threats, risks and attacks. Phishing is still a leading cause of unauthorised access to corporate networks, serving as the entry point for many ransomware attacks. Training colleagues is a critical step in detecting an early-stage attack and reducing exposure.
3. Employ multi-factor or ‘two-step’ authentication — Multi-factor authentication across all forms of logins and access to email, remote desktops, external-facing or cloud-based systems and networks should be considered as a requirement for everyone. Multi-factor authentication has the capability to help prevent the exploitation of stolen login credentials.
4. Keep systems patched and updated — Unpatched vulnerabilities can allow attackers to compromise corporate networks. They often identify vulnerable systems with a simple online scan. Attackers engage in this exercise broadly and indiscriminately, looking for exploitable systems on which to unleash ransomware and other cyber attacks.
5. Install and properly configure endpoint detection and response tools — Tools that focus on endpoint detection and response can help decrease the risk of ransomware attacks. They are useful as part of incident investigation and response. Properly configured security tools provide a much greater chance of detecting, alerting and blocking threat actor behaviour.
6. Design company networks, systems and backups to reduce the impact of ransomware — Ensure all privileged accounts are strictly controlled. Segment networks to reduce the spread of adversaries or malware. Strong logins and alerts offer better detection and evidence in the event of incident response. Establishing a technical security strategy that is informed by architects that know the latest attacks and adversary trends is important, as is the use of continuous threat intelligence monitoring in open source and on the dark web.
7. Consider risk transfer options — Because ransomware attacks can threaten reputation with customers and regulators, it is a complex risk to fully mitigate via technical controls. Companies should consider obtaining appropriate cyber insurance coverage by reviewing how it addresses indemnification for financial loss, business interruption, fees and expenses associated with the ransom and incident response. The starting point for such an evaluation should be to quantify the corporate cyber risk profile. To inform decisions on coverage and limit adequacy.
8. Pre-arrange your third-party response team — An effective ransomware response will often include all or some third-party expertise across the disciplines of an experienced breach coach, legal counsel, crisis communications, forensics and incident response, and ransom negotiation and payment. As time is of the essence during a ransomware attack, it is critical to pre-vet and pre-engage a team of professionals to monitor and be ready to respond to an attack when it happens.

Mitigating the risk of ransomware is a challenge for all businesses, large and small. But with the right risk management strategies in place, companies can be better prepared and more resilient.

[1]  Aon analysis of Risk Based Security Data as of 1/1/2024; Claim count development may cause percentages to change over time.

[2] Aon analysis of Risk Based Security Data as of 13/03/2024; Claim count development may cause percentages to change over time.

[3] Aon, 2023, APAC: Regulators and Companies Respond as Ransomware and Reputation Risks Intensify

[4] Aon analysis of Chainalysis on-chain crypto payments 13/03/2024

[5] Aon, 2023, APAC: Regulators and Companies Respond as Ransomware and Reputation Risks Intensify

[6] Aon, 2023, Q4 2023 Global Insurance Market Insights