Cyber: What enterprises need to know about ransomware

14 February 2022 Consultancy.uk

With the number of ransomware attacks on UK organisations spiralling, many firms are still unaware of what the digital threat means for their operations. Louise Barber, a Senior Consultant at risk management company Turnkey Consulting, answers frequently asked questions on ransomware, and what can be done to stop it.

At the end of January, KP Snacks became the latest high-profile victim of a ransomware attack, joining a long line of organisations, including Accenture, the Colonial Pipeline and the NHS.

The number of ransomware attacks on British institutions has doubled in a year, according to GCHQ in October 2021. But while ransomware has become increasingly common parlance, the details of what it means and its implications are not always well known.

Louise Barber, Senior Consultant, Turnkey Consulting

What is ransomware?

Ransomware is a specific type of malicious software used by criminal gangs to deny an organisation access to its files by encrypting them. This is followed with a ransom request for payment, often in bitcoin, in order to release the encryption key, which provides access again.

Increasingly, the criminal gangs that adopt this technique have also taken to exfiltrating a copy of the data before they launch the ransomware, enabling a double extortion: the initial pressure is to re-enable access to the data, while the second push is for the copied data to be deleted rather than sold on the dark web (which could potentially hit the enterprise with a GDPR violation, and a subsequent dent to its reputation).

Organisations that pay the ransom may get the legitimate encryption key to decrypt their files, but it is more common to receive nothing, or to find that a full restoration has not been possible with the provided key. There is also no assurance that the exfiltrated copy of the data will be deleted, and the criminals could still go on to sell the data anyway.

Ransomware is a major industry for criminals with Ransomware-as-a-Service increasingly popping up and ransomware attacks on the rise. The criminal groups that deploy ransomware are getting more sophisticated and there are far more targeted attacks than the blanket style campaigns of the past such as WannaCry.

How does ransomware affect targeted organisations?

Ransomware can have a major business impact, as being locked out of files disrupts any systems and processes that rely on that data. Taking the cyber-attack at KP Snacks as the most recent well-known example, although it is not currently public knowledge which systems have been affected, it is known that it halted the company’s ability to process orders and dispatch goods. (Many news articles lead with the supply chain shortage angle, forecast by some to be in the region of eight weeks.)

It is also now known that the Conti Ransomware Gang is responsible for the cyber-attack, and has copies of KP Snacks’s data, with snippets being found on private areas of Conti’s site by Darkfeed, a darknet intelligence provider.

Previous ransomware attacks within the food and drinks industry have seen the criminals target business-critical systems, thereby impacting production lines; these can attack the production systems directly, or compromise the supporting systems that order raw materials for those processes. (In this case, if KP Snacks cannot buy bags, nuts or other elements, then the logistic supply chain cannot fulfil the production line demands.)

What vulnerabilities are likely to be exploited by ransomware?

The most common attack vector is penetration via the people working in the organisation; distribution of malware via Business Email Compromise (BEC), which relies on social engineering tactics to trick employees and executives, is the most commonly exploited mechanism.

While it is possible to scan for technical vulnerabilities that can be compromised over the internet, many of the business-critical systems that are of interest to ransomware hackers exist behind multiple layers of firewalls or are only accessible via internal networks – hence the employee-based approach. Suppliers can also present a risk to the organisation: third-party IT support, for example, may have access to these networks, which provides a mechanism to penetrate the enterprise.

Production sites of manufacturing organisations are another common area for exploitation, providing bad actors with a route in to traverse to the corporate network. These typically run Operational Technology (hardware and software systems for industrial organisations such as SCADA) and older equipment, which is vulnerable due to its age, and the many third parties that typically have access to it in order to maintain and support the machinery.

The often-unique combination of software and machinery, to which modern zero trust or security by design principles cannot be applied, means that plants do not always conform to corporate security practices. Moreover, if Operational Technology is affected in any way, recovery efforts are hindered by the difficulty of tracking down operating systems, other software, and hardware parts that may not have been produced for many years.

What are the business impacts of a ransomware attack?

The deployment of ransomware is becoming highly targeted; attackers look for systems that will have a major impact on business operations, thereby applying significant pressure to the organisation to pay the ransom. The delays in KP Snacks' supply will certainly lead to lost revenue, but this is only one element of the financial loss, which also includes significant expenditure on investigation of the attack, as well as service recovery and improvements. Ransoms can be covered by cyber insurance, but these related costs are often not completely factored in.

In addition, there is likely to be scrutiny from regulatory and legislative bodies especially if any lost data is GDPR relevant, and external audit agencies if senior management or shareholders want extra assurance.

How are ERP systems such as SAP affected by ransomware?

Organisations within the global supply chain have complex IT environments with business-critical ERP systems such as SAP being a tempting target for ransomware gangs.

Depending on the nature of an attack, databases or servers on which SAP runs could be encrypted, requiring systems to be restored from backup; any downtime can require critical financial data points to be re-keyed to get back to ‘live’ data in the system, which can be costly and time consuming.

SAP, like all ERPs, runs many elements of a business meaning that logistics, production planning, materials management and the related financial accounting elements may all be impacted.

How can the risks of ransomware be mitigated?

The only way out of a ransomware attack may appear to be paying the attackers and trying to salvage files. However, this only encourages criminals to carry on targeting organisations, potentially more than once if the first ransom demand was successful. Prevention is therefore better than cure. Maintaining cyber hygiene, especially by training users and making them aware of the risk, is key to avoiding being an easy target for an attacker.

However, the modern ransomware gang is persistent and has a lot of tools at its disposal. Combine that with the large attack surface that a modern connected organisation has exposed, and there is always a chance that attackers will be successful in gaining access to enterprise systems. As well as keeping attackers out, ransomware protection strategies should look to detect and respond to suspicious or malicious activity on the network.
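To make the "detect and respond" point concrete, here is an added example (not code from the article, from Turnkey Consulting or from any product) of the kind of heuristic a file-server audit log can be run through to spot ransomware-like activity before a whole share is encrypted. The log format, the host and user names, the thresholds and the sample lines are all constructed for the demonstration; a real deployment would tune the window and threshold to its own baseline of normal activity.

```python
"""Heuristic detection of ransomware-like file activity in an audit log.

Added example for this article; not code from Consultancy.uk, Turnkey
Consulting or any product. Log format, names and thresholds are assumptions.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed file-server audit log (not real data):
#   "<ISO time> <host> <user> <action> <path> [<new path>]"
SAMPLE_LOG = """
2022-02-01T09:00:01 FILESRV01 jsmith WRITE /shares/finance/q4.xlsx
2022-02-01T09:00:12 FILESRV01 jsmith WRITE /shares/finance/notes.docx
2022-02-01T09:12:30 FILESRV01 svc_backup READ /shares/finance/q4.xlsx
2022-02-01T13:45:00 FILESRV01 mlee RENAME /shares/ops/orders.csv /shares/ops/orders.csv.locked
2022-02-01T13:45:00 FILESRV01 mlee RENAME /shares/ops/dispatch.xlsx /shares/ops/dispatch.xlsx.locked
2022-02-01T13:45:01 FILESRV01 mlee RENAME /shares/ops/plan.docx /shares/ops/plan.docx.locked
2022-02-01T13:45:01 FILESRV01 mlee RENAME /shares/ops/suppliers.pdf /shares/ops/suppliers.pdf.locked
2022-02-01T13:45:02 FILESRV01 mlee RENAME /shares/ops/recipes.pptx /shares/ops/recipes.pptx.locked
2022-02-01T13:45:02 FILESRV01 mlee RENAME /shares/ops/stock.xlsx /shares/ops/stock.xlsx.locked
2022-02-01T13:45:03 FILESRV01 mlee WRITE /shares/ops/HOW_TO_RESTORE_FILES.txt
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) (?P<action>READ|WRITE|RENAME) "
    r"(?P<path>\S+)(?: (?P<new_path>\S+))?$"
)

BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5   # modifications per actor per window; deliberately low for the small sample
# Filenames typical of dropped ransom notes (assumed pattern, not from the article)
NOTE_PATTERN = re.compile(r"(readme|restore|decrypt|how_to|recover)", re.IGNORECASE)


def parse_events(text):
    """Parse audit lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def extension(path):
    """Lower-cased final extension of a path, or '' if it has none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """Return alerts for (a) bursts of modifications by one actor, with a note
    when the renames converge on a single new extension, and (b) ransom-note-like
    file names being written."""
    alerts = []
    recent = {}            # (host, user) -> deque of recent WRITE/RENAME events
    burst_flagged = set()  # alert once per actor, not once per event
    for ev in sorted(events, key=lambda e: e["ts"]):
        actor = (ev["host"], ev["user"])
        filename = ev["path"].rsplit("/", 1)[-1]
        if ev["action"] == "WRITE" and NOTE_PATTERN.search(filename):
            alerts.append({"host": ev["host"], "user": ev["user"], "ts": ev["ts"],
                           "reason": f"ransom-note-like file written: {ev['path']}"})
        if ev["action"] not in ("WRITE", "RENAME"):
            continue
        q = recent.setdefault(actor, deque())
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > BURST_WINDOW:   # slide the window
            q.popleft()
        if len(q) >= BURST_THRESHOLD and actor not in burst_flagged:
            burst_flagged.add(actor)
            reason = f"{len(q)} file modifications within {BURST_WINDOW.seconds}s"
            renames = [e for e in q if e["action"] == "RENAME"]
            new_exts = {extension(e["new_path"]) for e in renames}
            old_exts = {extension(e["path"]) for e in renames}
            # Many different file types all renamed to one extension they did not have
            if renames and len(new_exts) == 1 and new_exts.isdisjoint(old_exts):
                reason += f"; {len(renames)} files renamed to new extension .{next(iter(new_exts))}"
            alerts.append({"host": ev["host"], "user": ev["user"], "ts": q[0]["ts"],
                           "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_LOG)):
        print(f"{a['ts']} {a['host']} {a['user']}: {a['reason']}")
```

Run against the constructed log, the normal morning activity by `jsmith` produces nothing, while `mlee` raises two alerts: a burst of renames converging on `.locked`, and a note-like file written immediately afterwards. The response hook the article calls for would sit where the alerts are produced, for example disabling the account's share access and paging the on-call responder, which is why the detector returns structured alerts rather than only printing them.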

KP Snacks provides a good example of how to react quickly by investigating the incident, enacting a cyber response plan and bringing in third-party forensic expertise. If a ransomware attack gets this far, strong recovery processes put an organisation in a good position. Backup strategies, tested business continuity and disaster recovery plans, and a PR plan should the worst happen, all help to limit the damage of a ransomware attack.