By Andy Auld and Jason Smart, PwC UK Cyber Threat Intelligence
In recent weeks there has been a rise in the number of high-profile public cyber security incidents, most of them ransomware attacks in which exfiltrated data is subsequently leaked. This adds challenging operational issues on top of responding to COVID-19, and it also sharpens focus on the link, and potential conflict, between investigative findings (e.g. an investigation finding no evidence of data exfiltration) and the possibility of regulatory action (e.g. once exfiltrated data is leaked).
But is this the work of threat actors seeking to take advantage of the disruption the pandemic has brought, or have there been longer term plans involved?
Though there have been several major cyber incidents reported in the past few weeks, initial access to networks is typically established well before such attacks are made public or identified by the victim organisation. Analysis by our Threat Intelligence team shows that the recent breaches have also come at a time when ransomware threat actors are increasingly setting up ‘leak sites’ specifically to post stolen data.
In December 2019, the threat actor in control of Sodinokibi ransomware began stealing data from victim networks prior to its encryption. They then posted links to the stolen data on a private, Russian-speaking dark web forum. At the beginning of January 2020, the actors controlling Maze ransomware took this one step further, creating a semi-public site specifically to post stolen data.
Since then, nine further ransomware actors have created their own leak sites, and we expect more to follow. By 20 May, over 150 organisations globally had had their data published on leak sites; the majority of these (60%) were published after 11 March, when the WHO first declared the COVID-19 outbreak a pandemic. Of the leaks since 11 March, the overwhelming majority (80%) were published after 23 March, when the lockdown commenced in the UK.
Not only does this ransoming of systems mean companies immediately lose critical business functions at a crucial time, but leaking data adds a wide variety of external pressures and increases attention from information regulators. On top of changing operations to respond to the pandemic, companies don’t want their ability to protect customer and employee data coming into question, bringing the threat of GDPR fines.
The frequency of cyber breaches coupled with the obvious difficulties of recovering from these attacks highlights the need for businesses to create a well-defined incident response plan. This ensures they can respond quickly and effectively in the event of a breach, helping to minimise business impact and residual risk.
Overall, there could be a number of reasons why we’ve seen an increase in cyber attacks becoming public. These include:
Alongside the increase in ransomware and phishing attacks linked to COVID-19, businesses need to consider how the rapid shift to remote working might have increased the risk of a cyber incident. Organisations may have bypassed existing cyber security procedures and good practice or taken shortcuts which now need to be reviewed.
There are three areas organisations can focus on to reduce the immediate risk of a cyber incident:
You can find more information on priorities to respond to COVID-19 in our latest whitepaper, available here.