Over the last two years, there has been a surge in the number of “human-operated” ransomware attacks. In this type of attack, criminals gain access to an organisation's networks and deploy ransomware to encrypt data – often to devastating effect – before attempting to extort organisations into paying seven- or eight-figure ransoms. There has also been a major shift in tactics, with attackers now stealing and exfiltrating organisations' most sensitive data before deploying ransomware, to further extort victims. This has significantly complicated how organisations respond. These attacks represent a greater challenge than previous well-known cyber threats, as they are carried out by skilled and adaptable criminals who can overcome defences and evolve their tactics to maximise their chances of getting organisations to pay out. Recovering from these attacks can take organisations months and cost millions, all while they are unable to operate and provide key services.
The cyber security function’s core focus is to both prevent a cyber attack from reaching critical IT services, and to rapidly detect and contain it should prevention fail. It rarely considers how to recover if an attack cannot be contained.
The IT and business resilience teams focus on avoiding downtime, but are commonly built around "failure modes" which are physical in nature and limited to a single location (e.g. natural disasters impacting a data centre) and fail to consider cyber security threats.
This organisational disconnect results in gaps in both IT resilience and cyber security capabilities which are rarely understood or articulated.
Resilience solutions, which do not take cyber threats into account by design, may inadvertently facilitate the spread of ransomware across the IT estate via data replication technologies, including to disaster recovery facilities which are then also infected and cannot be relied upon.
Resilience solutions may also not be secured against deliberate tampering by an attacker (e.g. to prevent their use for recovery). In the event of an incident this means that resilience solutions either fail, are ineffective or even exacerbate the problem.
The end result is that the business cannot restore its IT services in the timescales or state needed, and operations are significantly interrupted. In some cases, this interruption can be severe enough to create a “going concern” risk for the business.
These efforts require concerted engagement from both technology and business teams to deliver holistic resilience to ransomware.
Ransomware attacks are unique in the immediate scale of impact they can have across an entire organisation. Staying afloat in the face of a catastrophic ransomware attack will rely on a well-organised, well-rehearsed response from technical front line to C-Suite and Board and across the supporting functions such as Corporate Affairs; everyone needs to play a part.
However, the initial response to a ransomware attack is only the beginning: recovery takes weeks, if not months.
End-to-end exercising will help you understand the potential routes and validate the timelines to recovery, including the processes which are required to recover both with and without paying a ransom.
The first step to reducing the exposure for your organisation to ransomware disruption is:
PwC provides a multi-disciplinary, best-in-class team of cyber incident response, crisis management, crisis communications, and business resilience experts who can rapidly baseline your current exposure to ransomware risk, and help you plan to improve your resilience and your ability to respond effectively.
PwC’s specialist teams bring experience and insights from the front lines of helping hundreds of clients respond to and recover from real ransomware attacks. This is used to deliver realistic exercises and reviews focused on the cyber security capabilities and technology design decisions which make a real difference in a ransomware scenario. Below are just a few examples of exercises and reviews PwC has conducted for clients.
Performed a Ransomware Readiness Review for a UK retailer to assess their vulnerability to human-operated ransomware attacks.
Developed a series of priority tactical and strategic projects to reduce their risk of attacks, and improve their ability to respond and recover.
Simulated attacks with security testing to validate improvements and that the risk of ransomware attacks has been reduced.
Delivered a series of escalating Ransomware Response and Recovery exercises for a professional services organisation.
Exercised how the IT Major Incident and cyber response teams would work together to respond against challenging timeframes.
Simulated the complex decision making and leadership challenges Executives would face when responding to catastrophic attacks.