2019 was not a kind year to organizations in healthcare, education, and government when it came to ransomware attacks. Over 1,000 schools across the US fell victim to ransomware, and hospitals were forced to divert patients to other facilities and cancel non-critical surgeries, with some facilities returning to pen and paper for weeks. Several hundred clients of managed IT providers were unable to access critical business systems after the providers they had entrusted with their IT were compromised and used to distribute ransomware. Some companies, like The Heritage Company with 300 employees, even had to close their doors and lay off staff after a ransomware attack impacted their business operations so much that they were unable to recover.
Things are getting worse for victims
At the end of 2019, several ransomware groups upgraded their attacks and started to steal data in an effort to force victims to pay. Because of the number of attacks and increased awareness of the dangers of ransomware, many organizations started to invest in backup systems; because they were able to restore systems from backup, they could avoid paying a ransom even if they fell victim to an attack. With this new twist, companies now face the release of information, a data breach, and the legal ramifications of a breach, including client notification. Before ransomware operators began exfiltrating data, many businesses could quietly restore systems and not necessarily inform clients that they had suffered an attack. Now, if the company does not pay or does not pay quickly enough, the news may break publicly through the very people who committed the crime.
In the case of Medical Diagnostic Laboratories (MDLab), the group behind the attack published 9.5 GB of data stolen from the company's computer systems. Atlanta, Georgia company Southwire had 14 GB of information published, some of it after the company filed a lawsuit against the anonymous attackers. Germany’s Gedia Automotive Group, which had to shut down IT operations following its attack, will now face a GDPR issue, as the group behind it has stolen several GB of data and is threatening to release it.
In addition to stealing data, several ransomware operators have set up websites to publicly name and shame victims who do not pay the ransom.
What to Do?
One of the recurring themes of many recent ransomware attacks has been unpatched vulnerabilities. As cyber-criminals are quick to pick up news of vulnerabilities and create exploits, enterprises as well as small businesses must move more quickly to disable vulnerable systems when patches are not available and apply patches when they are. The likelihood of suffering an attack increases nearly exponentially the longer a vulnerability remains open.
Companies should also consider performing third-party risk assessments. Whether the partner is an IT service provider or a cloud software service, companies need to do their due diligence and assess the cybersecurity protections and strategy of their partners. Their own strategy should also include a plan for situations where something goes wrong with those third parties and services may be unavailable.