Expert Insight: Vanessa Horton

Insights into a worrying ransomware trend and what organisations can do about it from our cyber incident responder.

Vanessa Horton holds a degree in computer forensics, as well as a number of cyber security and forensics qualifications. She has worked for the police as a digital forensics officer, where she was involved in complex crime cases, and was awarded a Diamond Award and an Excellence in Service Delivery Award.

Vanessa is now part of GRCI Law’s cyber incident response team, helping clients with their cyber security requirements.

We sat down to chat to her.

What have people been asking you about lately?

When talking to clients or taking questions at the end of webinars, ransomware is often the first thing I get asked about. It seems like organisations are really worried about it – and understandably so. After all, ransomware has lately been featured in the news a lot, particularly these big attacks like MOVEit.

Speaking of news, I do try to look at cyber news every day. I like to keep up to date, particularly in this industry, so I can support clients better. I also like to take the time to research things where I can.

In terms of ransomware, I’ve been seeing a couple of worrying trends.

First, LockBit seems to have changed the way cyber groups operate. Ransomware gangs are far more organised now – these days, many have their own logos and conduct job interviews, and there have even been calls for research papers on the dark web! As a result, these groups have become even more dangerous than they already were.

Second, in the past year, particularly in the past few months, these gangs seem to be putting all their efforts into data exfiltration, moving away from data encryption in the process. Or they do both, in what’s known as a ‘double-extortion’ attack. This really is a worrying development for organisations.

Why is this development so worrying?

Well, historically, one of the best responsive measures to ransomware was to take regular backups. There’s no need to pay a ransom to have your files decrypted if you can simply restore them yourself.

However, if your data has been exfiltrated, you can still be held hostage by the attackers.

In fact, threat actors are really putting the pressure on organisations now by spending more and more time in their victims’ systems, trying to find the truly sensitive data. This not just makes organisations more likely to pay, but also gives attackers leverage to demand higher ransoms to begin with.

Of course, the UK government advises against paying ransoms, but doesn’t legally enforce this, unlike some other countries.

What’s your personal advice on paying ransoms?

That’s very tricky to answer.

Ethically speaking, you clearly shouldn’t, as paying the ransom funds further criminal activity. Besides, they’re criminals. What’s to stop them selling the data, whether immediately or further down the line, even if you do pay?

However, paying could prevent sensitive data from being sold on the dark web, thereby reducing the impact of the breach. I do want to stress the could here though – again, there’s no guarantee the attacker will keep their side of the bargain.

So, I think the organisation needs to weigh up the risks to make the right decision for their specific situation. I don’t think the answer to your question is a clear-cut ‘don’t pay’, but not paying will likely be the best action to take in most cases.

Going back to the trend we were discussing earlier, besides applying more pressure on their victims, why else do you think ransomware groups are favouring exfiltration over encryption?

Exfiltration is doubly profitable for ransomware groups: not only are the victims more likely to pay up, but the groups can also sell the data on the dark web. In fact, the stolen data can be more valuable than the ransom payment itself.

But I think there’s more to it than that.

The ‘traditional’ method of data encryption is a really difficult program to code, because for the attacker to be able to blackmail their target, their encryption needs to be really sound. You’ve got to cover all the infrastructure.

Exfiltration, on the other hand, requires the attacker to simply obtain access to their victim’s systems, get the data on it, then demand the ransom.

In short, from the criminals’ perspective, exfiltration requires far less effort. And it certainly offers a far better return on ‘investment’.

So what can organisations do if their data has been exfiltrated?

It’s tricky. The criminals already have the data, so that’s not going to help you recover from this attack.

However, a fast response remains critical to both minimise the impact of this attack and prevent future incidents, particularly of a similar nature.

One of the most important things to do is conduct an initial forensic investigation. That means figuring out:

  • What happened?
  • What was the root cause?
  • What data has been breached, exactly?
  • When did the initial attack happen?
  • Did the attackers put a back door in your systems, so they could easily re-access them later? This is something I’ve actually seen with a client, though I can’t tell you the specifics due to client confidentiality, obviously.

By conducting this type of early investigation, you’re not just meeting your legal and regulatory obligations, but also gathering the information you need to take the right measures to prevent such situations from recurring.

What else should organisations think about?

Well, legal notification requirements aside, I really want to remind people that data breaches affect more than just the organisation’s finances and reputation. It’s also horrible for the people that data belongs to – your data subjects.

It’s really hurtful to have your data available on the dark web to the highest bidder, particularly if the data is of a personal nature. Those people entrusted you with their data, and failing to adequately protect it damages your relationship with them.

So be considerate. You can’t undo the breach, but you can mitigate the damage by being open and transparent about what happened, exactly whose and what data was compromised, and so on. You can also offer your subjects advice and support in actions they can take to at least mitigate the impact to them personally.

People do remember and appreciate such honesty and transparency, and this will help your organisation’s reputation. Equally, people will also remember attempts to hush things up – and the truth does tend to get out, even if it’s not until years later. And the headlines speak for themselves – organisations really can suffer enormous damage, and can even go out of business, by doing the wrong thing.

Do you have any final words of advice?

At the end of the day, prevention is always better than a cure. You need to take reasonable steps to stop opportunistic attacks, at the very least, which can be really cheap to do, too. Measures like passwords, MFA [multifactor authentication], regular patching, anti-malware software, firewalls, and many more are all easily accessible.

But if you suffer a breach anyway, it’s obviously too late to prevent the incident altogether – this time round, at least.

That’s why forensic investigation is so important: figure out what happened, what vulnerabilities you need to fix, where staff education is lacking, and so on. Make sure you learn some valuable lessons, so you won’t suffer the same incident again.

We hope you enjoyed this week’s edition of our ‘Expert Insight’ series. Please do leave a comment below to let us know what you think, and if you have any questions you’d like our experts to answer.

We’ll be back next week, chatting to another expert within the Group.

In the meantime, if you missed it, check out last week’s Expert Insights blog, where IT Governance Europe’s head of GRC (governance, risk and compliance) consultancy, Andrew Pattison, gave us his expert insights into the cyber landscape and risk management in preparation for the DORA (Digital Operational Resilience Act).