May 2020 – Paul Wright, author of the article in CXO Insight Middle East
"Is Your Organisation Ready For The Next Ransomware Attack?"
https://bit.ly/3tzwC6o
Is Your Organisation Ready For The Next Ransomware Attack?
Ransomware is one of the most prominent cyber threats in the Middle East region, with cyberattacks
becoming increasingly more sophisticated as cyber criminals modify their attack methods for even bigger
rewards. In the first half of 2019, ransomware saw a 38% increase in the UAE compared to the same
timeframe of 2018, according to research from Kaspersky.
Ransomware assailants typically demand that victims pay a ransom in order to recover their data. Affected
companies must ask themselves whether they should continue to tangle with cybercriminals, which could
result in them having to pay a bigger ransom, or to just pay up and go back to business as usual.
They should also consider the cost-benefit, bearing in mind the severity of the security breach, the
magnitude of the ransom, and the projected cost of recovering data without the cybercriminals’
assistance. Often, as in the case of public utilities or healthcare providers, interruption of services can
have effects far larger than simple financial harm.
Despite this, there is a danger that paying the ransom, even when financially practical, may result in certain
external risks. For example, with successful payments, cybercriminals can continue to mount larger or
more determined attacks. Moreover, there is always a risk that the cybercriminals can simply take the
ransom and neglect to remove the encryption. There have been examples where, upon being paid the
funds, cybercriminals simply commanded a second ransom. And finally, once the word gets out that there
is big money to be made in ransomware attacks, it is likely to inspire a new wave of cybercriminals to
engage in this form of blackmail.
The average payment more than doubled from just over $40,000 to nearly $85,000 in 2019. For 2020, the
targeted infiltration of business networks will continue to rise and in due course give way to two-stage
blackmail demands. In the first instance, cybercriminals will deliver a devastating ransomware attack,
forcing victims to pay to get their data back. In the second instance, cybercriminals will target the
recovering ransomware victims again with a second extortion attack, but this time they will threaten to
divulge the sensitive data stolen during the initial ransomware attack.
Organizations can become victims of opportunistic cybercrime where the ransomware attack is propagated
through user-initiated actions, such as clicking on a malicious link in a spam e-mail or visiting a malicious or
compromised website. On the other hand, directed cybercrimes can take place when the victim is a target
of choice, or following an opportunistic attack, when the cybercriminals realize that the victim has more value.
They will then explore the network to identify the most critical data and seek to escalate privileges, while also
identifying and targeting data backups, so that the victim cannot easily regain control of the network or
restore their files.
Attackers may give up and move on to another target very quickly if they are not achieving their objectives,
unless the organization is a target of choice. In most instances, they may be more successful by conducting
a high volume of attacks against poorly protected organizations that may only provide small wins rather
than one big success that hits the news. This means that those at greatest risk are generally organizations
who feel they may never be targeted and thus ignore the threat.
In case of a ransomware attack, the targeted organisation should try to understand how the ransomware
got there, what it is doing, the extent of the intrusion, and how to stop future infections, as well as the
dangers of not paying the ransom.
Should the ransom not be paid, the end result could well be personally identifiable and sensitive
information being offered for sale or posted free for all to access.
This recently happened to Brooks International, a worldwide professional services company that has clients
across business sectors. They refused to pay the criminals who were operating Sodinokibi (aka REvil)
ransomware and subsequently, for the purchase price of just over two dollars, 12GB of their information
was made available via a hacker forum.
Data has been sold in hacker forums so it can be utilized in other cybercrime attacks. Nefilim Ransomware
launched a site called “Corporate Leaks”, to dump data from victims who do not pay a ransom. CLOP
Ransomware has also released a leak site called “CL0P^_- LEAKS” that they are using to publish stolen data
for non-paying victims.
Cybercriminals are taking this to the next level, and unless otherwise proven, victims need to assume that
the attackers have accessed everything within the organization and there is a risk of it being sold or
disseminated to others for free. In response to this, the sustained publication of data obtained as a result
of a ransomware attack on leak sites has to be treated as a data breach.
To prepare for such attacks, organizations should put their policies, procedures and processes up for
review and testing. Organizations should be adding these to their strategic planning, along with keeping
technology up to date, adopting cyber insurance to protect their businesses from such events, and training
employees to spot the risks.
C-level management can be well suited to help quantify the financial and reputational impact of
cybercrime and ensure that countermeasures are appropriate. To do so, they need to implement
comprehensive strategies, not only to help the organization stay in good stead with stakeholders, the
board, regulators, and interested third parties, but also provide them with an outline of what to do in the
event of an incident.
In general, organizations do not have a team of internal first responders – or first aiders – that can ensure
the initial response to an incident does not cause the loss of intelligence and/or evidence. Then if required
and proportionate to the circumstances, specialist investigators can be brought in to provide the decisive
capability to contain, remediate and eradicate the problem, with the goal of minimizing losses,
reputational damage, and downtime. Proactively, this specialist team will consult with the right points of
contact within the organisation to provide guidance and insight and create plans to prevent and respond to
an incident in the future.
The extent and the scale of cybercrime occurring today may indicate that criminals are profiting and
constantly evolving their modus operandi. This is particularly pertinent at this time when Interpol is
warning people about fraudsters who are exploiting the anxiety and uncertainty around the COVID-19
outbreak to commit cybercrimes. An Interpol alert on 4 April warned of cybercriminals using ransomware
to hold hospitals and medical services digitally hostage; preventing them from accessing vital files and
systems until a ransom is paid.
Instead of playing ‘catch-up’, organisations need to understand how they can close the gap. To do that,
C-level management need to assess the security of their businesses to see if their capabilities are ‘fit for
purpose’. The risk of taking no action, in this case, is greater than the risk of acting.
Paul Wright
Senior Advisor Forensic Technology
Accuracy