Ransomware: 10 Important Questions for Businesses Answered

Ransomware attacks — a type of cyberattack where an attacker uses malicious software to block access to a victim's systems and data until the victim pays a "ransom" in exchange for the release of such data — are on the rise. In 2021, about 37% of organizations globally reported that they were hit by a ransomware attack, according to IDC's 2021 Ransomware Study. That number, according to most experts, will continue growing in 2022.

A high-profile ransomware attack that made headlines last year was the Colonial Pipeline Company attack, which led to panic buying of fuel on the East Coast. In that case, the attackers gained entry through a compromised password on Colonial's information technology (IT) system. When the company discovered the breach, it shut down IT networks as well as operational technology (OT) networks (i.e., the networks that controlled Colonial's pipeline operations) for several days out of an abundance of caution. With the assistance of the FBI, Colonial Pipeline was able to recover a significant portion of the $4.4 million ransom it had paid.

Ransomware attacks have crippled operations at companies in nearly every industry and at businesses both large and small. And the software that powers ransomware attacks is becoming more ubiquitous, with VirusTotal reporting more than 130 different ransomware strains detected between January 2020 and October 2021.

With ransomware attacks on the rise, businesses need to be prepared if they are hit. Below our cybersecurity experts answer the most important questions businesses need to know about ransomware.

What is ransomware, and how does it differ from other cyberattacks?

Ransomware is a type of cyberattack that couples unauthorized access to a company's systems and networks with a demand for payment. Typically, data or systems are locked through encryption of a victim's files, with businesses unable to recover data and get systems running again until they pay a ransom.

Traditional cyberattacks are used to steal information, conduct espionage, and cause destruction and disruption. Cyberattacks historically have included the theft of passwords, personal information, trade secrets, and other intellectual property; destruction of servers; and overloading systems with traffic. But ransomware is different in that data or systems are held hostage with payment demanded.

What is a double extortion ransomware attack? And do I need to be worried?

The bad actors that develop and use ransomware continue to learn and evolve over time. One way they have done this is by upping the pressure on a victim organization to pay a ransom in a certain amount of time. Let's call that a single extortion attack. Malicious malware software is injected, data is encrypted, and a demand is made.

Double extortion involves data exfiltration from a victim's network. This means the data has been taken by the bad actors and could potentially be released to the public, destroyed, sold, or held. Triple and quadruple ransomware extortion attacks are also on the rise, and those involve either re-victimization or victimization of customers and business partners.

Ransomware threat actors have moved to double, triple, and quadruple extortion attacks for a few reasons. First, there's a chance a victim will pay with each level of extortion. Secondly, organizations' cyber resilience has improved. Data backups are much more commonplace than they were 10 years ago. Bad actors may not be able to do much if a victim has a backup, but the victim may pay if threatened with their data being released to the public.

Small business owners don't have to worry about ransomware attacks, right?

Wrong. Businesses of all sizes are targets of ransomware attacks. Malicious actors have targeted small and large businesses alike, and they can be highly specific in whom they target. All kinds of companies are on the receiving end of phishing campaigns, where emails or text messages go out with malicious links. Identifying dangerous emails is becoming more and more difficult as cybercriminals become more sophisticated. A bad actor might feel like they can secure a larger payday from a bigger target, but every company is at risk.

According to Trend Micro research, the top five critical sectors targeted for ransomware attacks in 2021 were financial services, government, manufacturing, healthcare, and food and beverage. Ransomware threat actors moved quickly and aggressively. How aggressively? Trend Micro said it detected more than 7 million combined emails, URLs, and file threats last year.

What is the link between ransomware and cryptocurrencies?

The actors perpetrating ransomware attacks will often seek to receive payment in cryptocurrency. This is because they believe cryptocurrencies are hard to track and offer more anonymity. Putting aside whether or not that's true, cryptocurrencies such as Bitcoin do allow for a transfer of value via a mechanism that doesn't involve the traditional banking system. Using digital currencies also allows the recipient to quickly move the payment out of the United States and make it harder for law enforcement to recover it.

Do most companies that are targeted for ransomware attacks end up paying? Are there alternatives to paying?

At present, there is not enough data on the number of attacks and the number of payments made to answer this question with a good deal of fidelity. But we do know that the absolute numbers are large and growing. Victims of ransomware attacks will need to make the difficult business decision as to whether it makes sense to pay the ransom against the operational, financial, and customer-related impacts of being shut down. The alternative to not paying is to rely solely on backup data or backup systems that are not affected by the breach, which is why it's important to prepare in advance for ransomware attacks. On top of this, ransomware-as-a-service (RaaS) has become more common. Cybercriminals like Darkside and REvil employ customer service teams to help victims make ransomware payments, navigate malware removal, and even negotiate the payment amount.

While victim organizations are forced to make difficult business decisions to pay a ransom, there are legal and regulatory obligations that organizations must be aware of. The U.S. Department of Treasury's Office of Foreign Assets Control (OFAC) has issued an updated advisory to highlight the sanctions risks associated with ransomware payments to specially designated nationals and proactive steps businesses can take to mitigate such risks. Ransomware victims may consider engaging an outside counsel before and during a ransomware event to better understand the legal and regulatory risks.

Will cyber insurance cover ransomware payments and the costs associated with recovering after a ransomware attack?

This depends greatly on your company's cyber insurance policy. Some policies may cover the costs associated with incident response, remediation, and potentially even ransomware payments. Others may not. One thing is clear, however: insurance premiums likely will increase as more claims of this type are filed, and the underwriting process for these cyber policies will likely become increasingly rigorous as well.

Do companies need to give the government access to their systems to thwart or recover from ransomware attacks?

Companies are not required to give the government access to their systems in exchange for help, but if they do give access, it should be the company's choice and not be mandatory. The Chamber strongly advocates that companies large and small work with government partners, such as the Department of Homeland Security's Cybersecurity Infrastructure Security Agency (CISA), the FBI, and the Secret Service. Companies should also get to know their local FBI, CISA, and other agency representatives in advance, so if a cyber incident – including a ransomware attack – occurs, there is a pre-existing relationship.

If my company is subjected to a ransomware attack, do I have a legal obligation to report it?

As of January 2022, there is no generalized federal mandate or reporting obligation for ransomware payments. However, individual regulated industries may have specific cyber incident reporting requirements, and businesses should know if they fall into this category. Federal legislation has been proposed to require businesses to report cyberattacks and ransomware payments, but this type of legislation has not yet become law.

Can my company get into trouble for paying a ransom?

In a word, yes. An organization can potentially run into issues by paying a ransom. As mentioned above, the U.S. Treasury Department's OFAC issued guidance in late 2020 that confirms companies could face sanctions for facilitating ransomware payments. This is because "OFAC has designated numerous malicious cyber actors under its cyber-related sanctions program" and seeks to discourage giving money or resources to these designated entities.

A good course of action for a company targeted by ransomware is to engage with internal and/or external counsel that is experienced in dealing with ransomware incidents. These experts can help ensure that a company does not inadvertently violate applicable laws or regulations in making a ransomware payment.

What are some best practices for businesses to prepare for a ransomware attack?

There are five first steps companies can take in order to help prevent and protect from ransomware attacks:

• Enable multifactor authentication throughout the organization's networks. Strong passwords are still a must, but multifactor authentication means that a password alone will not allow access to a network.
• Talk with employees about clicking on links in emails and text messages. Employees should generally know how to look out for suspicious activity, and they should have a clear process about what to do when they receive what they perceive to be a suspicious link.
• IT teams should work to encrypt data and create backups that are offline and not tied to primary systems. IT teams must also maintain an active employee directory and disenroll former employees from access to a company's systems. 
• Companies should build relationships with law enforcement agencies, the Department of Homeland Security, and other federal agencies. The U.S. Chamber can help companies with pertinent information to help facilitate relationships.
• Businesses should also be thinking about how they can move their systems and networks to "zero-trust architecture." This generally means granting access to the network on a per-session basis and granting gradual levels of access based on a user's position and need for such access.

For additional information, businesses can contact Christopher D. Roberti, senior vice president for cyber, intelligence, and supply chain security policy at CISD@uschamber.com.

About the authors

Sean Ludwig