• Ransomware and the cyber pandemic – your money or your life

Ransomware and the cyber pandemic – your money or your life

18 October 2021

Ransomware is the new highwayman; imposing chilling new dichotomies and posing significant risks to businesses as well as a genuine threat to life.

Ransomware can force you and your business to choose between striving to maintain your reputation, or your bank balance. However, you can only take effective action if you are vigilant: without a robust defence, you may not be in a position to save either. It is no exaggeration to say that the world is facing a cyber-pandemic as well as the COVID pandemic and that due to the number of people working remotely, businesses are more vulnerable to an attack as their end-points are far more exposed.

We explore this further in the key areas summarised below:

Picture the scene

It is business as usual at the (home) office. You receive an email from your client, with a link to an innocuously named document. It may appear to be a purchase order, or something similar, that you half-expect to receive at any given time as a matter of course.

Seeing nothing out of the ordinary, you follow the link, then download and open the file. The damage is done in that moment. You discover you are unable to access any of the files on your system. Sensitive and business-critical files on your computer, and likely held on the central network to which you are connected, have been encrypted and are being held hostage.

That email has almost certainly come from a third party purporting to be your customer, client or colleague (having spoofed their email account). They have caught you through an appeal to action. This communication was in fact part of a ransomware attack designed to extort money from your business in exchange for the safe return of your data. In this scenario, you were a single point of failure for your entire organisation.

What is ransomware?

Ransomware is nothing new and is a relatively straightforward concept in its simplest form. Cyber actors propagate malware designed to encrypt data, or otherwise deny access to their victim’s systems. The attackers then demand payment for the release of the data. In almost all cases, this payment must be made in a cryptocurrency such as Bitcoin; this makes it difficult to trace by virtue of its pseudo-anonymity.

It is worth noting, however, that there is typically no guarantee that payment of the ransom will result in the restoration of the victim’s data. Moreover, perpetrators have increasingly begun to incorporate other types of extortion - such as blackmail - into their attacks. For example, it is now common for hackers to exfiltrate an organisation's sensitive data (such as customer financial data) and threaten to release it into the public domain or on the dark web unless the victim pays an additional fee.

Ransomware is a well-known cyber threat, and is as difficult to eradicate as human error. Something as simple as an employee clicking a link, like the scenario outlined above, provides attackers the opening they require. Even absent human error, all too often entities large and small fail to devote the requisite resource and expertise to implement even a basic defensive strategy.

An entity affected by ransomware will, almost certainly, suffer a loss with common examples including: 

  1. An instant loss of productivity (for example trading/ecommerce, or even healthcare)
  2. A loss of time on managing and recovering assets (again impacting productivity)
  3. Resources spent engaging a specialist third party to intervene (such as BDO)
  4. Money spent rebuilding infrastructure
  5. In cases where recovery is not possible, money is lost paying the ransom (through a negotiator).

Back to top

Ransomware is big business

Ransomware is a profiteering mechanism which is so effective that it is essentially a business in its own right. Cybercrime boasts a huge economy involving multiple parties. There are typically four threat actors involved in any ransomware attack, each carrying out their own phase:

  • Seekers - hackers who collect the credentials/vulnerabilities
  • Buyers - individuals/entities who buy the above information
  • Executioners - hackers who infect the organisation
  • Escrows - dealers who set the price on the ransom demand, and Crypto Wallet owners.

As with any business, substantial investment from these cyber criminals drives an increase in ransom demands, with a view to generating a return on their investment.

Ransomware is bad for our health

In 2017, the NHS and other large public sector entities fell victim to the infamous ‘WannaCry’ ransomware attack which, according to reports, cost the UK approximately £92m due to 19,000 cancelled medical appointments.

Attacks on the health sector have extremely serious implications which cost lives. Software-dependant medical equipment such as pacemakers, when infected with malware, afford threat actors the ability to kill from afar: with a simple click of their mouse, or even a tap on their smartphone, the results could be fatal.

Since the ‘WannaCry’ attack, and particularly during the last nine months, we have experienced an unprecedented shift in the way we live and work, with more aspects of our lives taking place online. As a consequence, the nature of cyber-attacks, and the ways in which they are perpetrated, have changed. 2020 saw a sharp rise in the number of ransomware related incidents: according to one report, the number of ransomware attacks in the UK rose by 80% during the 3 months to October 2020. With no return to normality expected in the near future, if at all, the ransomware forecast for 2021 appears bleak. 

Worryingly, a recent article by the BBC suggests that the health sector is set to become the primary target for ransomware hackers. This appears to result from a perfect storm created by the Coronavirus pandemic: increased spending in the health sector and changes to its operations, has made it a more lucrative target. For example, clinical services have been moved online, sometimes at a faster rate than the corresponding security could be bolstered; and efforts to curb the spread of the virus mean that data is being shared more widely, making malware easier to propagate. What’s more, heightened clinical urgency means that, to an even greater extent than usual, medical institutions can ill-afford to be non-operational, making them a target for attackers who could significantly disrupt public services.

All of these factors appear to combine with the net effect that ransomware attacks on the health sector have become easier to perpetrate, they can command greater ransoms, and offer criminals improved chances of a quick pay-out.

How to reduce the likelihood and impact of a ransomware attack

Preventative/pre-emptive measures:

  • If an email appears too good to be true, it probably is - do not open links, suspicious emails or attachments from unknown sources
  • Educate your personnel on their responsibility in aiding and ensuring cyber-safety
  • Ensure a sufficiently robust and sophisticated firewall and cyber security suite is in place across your organisation, and it is regularly updated to the most recent version
  • Do not postpone any product or vendor updates
  • Regularly backup data to lessen the effect of any data loss
  • Keep backup data safe by storing it either offline or on a segregated network, otherwise a ransomware attack may also compromise the backed-up data
  • Purchase cyber security insurance. This should cover associated costs including: potential ransom (in the event it is deemed prudent to meet the hackers’ demands); legal and consulting fees; loss of earnings due to down time or loss of data; and reputational damage.

In the event that your organisation does suffer a ransomware attack, you should focus on recovery (for example deploying backup data) whilst an experienced and reputable specialist third party performs any negotiation on your behalf. However, some general rules of thumb:

  • Do not refuse to pay off-hand, as this may result in the destruction of data
  • Obtain proof of the attacker’s capacity to reverse the attack
  • Assess the risk of the attacker reneging on their promise to decrypt the data, or even demanding further ransoms.

Why choose BDO

BDO has a dedicated team of Forensic and Cyber Incident Response specialists, available to you remotely or on-site when fraud or cyber related incidents occur. We assist organisations by deploying our BDO Compromise assessment methodology to triage, contain, recover, and remediate an incident quickly and effectively. Our detailed, post-breach reports contain detailed summaries on the ‘what, why and how’ the incident occurred. We also provide support on cyber insurance claims.

This material has been prepared for informational purposes only, and is not intended to provide, and should not be relied on for cyber, forensic, legal or accounting advice. 

Sannan Khan
Director – Forensic Services
+44 (0)121 265 7283 (DDI)
[email protected]

To assist you in negotiating the changing fraud landscape we bring together further insights, articles and other useful resources to help combat fraud on our Fraud Hub.

Return to the Fraud Hub for more fraud insights and articles

Back to top