The fraudsters who wield ransomware as a weapon have Caribbean firms in their sights. Ransomware attacks against established Caribbean-based organizations are happening and the impact is being felt acutely. A previous Hitachi Security blog mentions a report by PricewaterhouseCoopers (PwC) warning that Caribbean firms were “not paying enough attention to cybersecurity risks”. Businesses based in the Caribbean must take action to prevent the impact of ransomware attacks already experienced by other areas of the world: Impacts that affect finances, reputation, motivation, and regulatory posture, and that can be a make or break for businesses already under pressure from Covid-19 pandemic challenges.
Ransomware is one of the most feared of all malware-based attacks and rightly so. The malicious software will encode files and documents, not only on the infected device but across the entire network and cloud repositories. Even backups, if not properly isolated, have been known to be infected and documents lost because of ransomware. Ransomware is such a ubiquitous problem that a report predicts that by 2021, a business will be impacted by ransomware every 11 seconds.
When ransomware hits a company, the impact is all-encompassing. The five key areas that this impact is felt across are:
When a ransomware attack happens, systems go down. As soon as the ransom note is seen on an infected desktop, the first action is to attempt to isolate the infection. This means disconnecting devices and servers across the network. The result is downtime and employees unable to access documents and files, leaving them unable to work. In the 2017 WannaCry global ransomware attack, many healthcare institutions were affected. This results in hospitals being closed to new patients, canceled operations, and doctors unable to prescribe medicines. Other organizations affected by ransomware end up shutting their doors for good. This was the case in 2019 for The Heritage Company of Arkansas, USA. The company was a victim of ransomware that affected its accounting systems and mail center to the extent the firm could not process or receive funds and was unable to send out statements. The result was the company was forced to lay-off 300 employees.
The average impact time due to ransomware is 16.2 days according to a report from Coveware. That is over two-weeks of dealing with the aftermath of a ransomware attack, including system downtime, clean-up of devices, recovery of files, etc.
The Caribbean Council released a statement this year that points to a Center for Strategic Studies and McAfee study on Latin America and the Caribbean (LAC). This study reveals how the region is now a “new frontier for cyber-attacks and crime at an estimated cost of around US$90 billion per year.” The obvious impact of a ransomware attack is that it involves extortion. However, the ransom is only part of the financial burden of ransomware. The average amount a ransomware attack costs is around $730,000 including business downtime, lost orders, and operational costs. If the ransom is paid, this increases to an average total cost of $1.4 million.
Ransomware results in lost and exposed data. This impacts a number of data protection regulations such as GDPR, CCPA, and HIPAA, because unauthorized persons have gained control of the protected data. However, a less obvious regulatory impact of ransomware is discussed in a recent notice from the US Department of the Treasury. The advisory specifically states that “Facilitating Ransomware Payments on Behalf of a Victim May Violate the Office of Foreign Assets Control Regulations (OFAC)”. The OFAC of the US Department of the Treasury administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United States. Paying a cybercriminal because of ransomware may breach OFAC regulations. The note goes on to say:
“financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” and that “companies that engage with victims of ransomware attacks” should implement a “risk-based compliance program to mitigate exposure to sanctions-related violations” to “account for the risk that a ransomware payment may involve an SDN or blocked person, or a comprehensively embargoed jurisdiction.”
Privacy of data is a fundamental right across many global jurisdictions and enshrined in a myriad of data protection laws. A ransomware attack on any business puts data privacy at risk. The cybercriminals behind the attack may not just encrypt data, they may also expose it. Ransomware is not just about encrypting data. The REvil group behind the ransomware attack on conglomerates in the Caribbean and around the world is notorious for auctioning off stolen data. Ransomware fraudsters are criminals and know the vulnerabilities of their targets. If they can make further advances from an attack, above and beyond a ransom payment, they will. Once the data is sold, the privacy of the individuals is lost, and security put at risk.
Customer confidence after a ransomware attack is threatened. Researchers found that more than two-thirds of customers would go to a competitor if an organization does not restore systems within three days after a cyberattack.
The above scenarios may seem overwhelming, but more and more firms can fight back using good cybersecurity measures. Putting structures in place to mitigate a ransomware attack also overlaps with protecting against other malware infections too. This includes making sure your business has ransomware-resistant backups, robust authentication, email and URL scanning and filtering, and prompt patching of software and systems.
Cybercrime does not recognize country borders or jurisdictions. Cybercriminals simply follow the money. The World Bank describes the Caribbean as having “significant economic potential and growth opportunities” despite the impact of Covid-19 on tourism. The region has already seen the impact on a major organization, Ansa McAl, now is the time to batten down the cybersecurity hatches and make sure that ransomware is a crime that does not pay.
Hitachi Systems Security