New ransomware tactics: what they mean for crisis management teams

How to respond to changing ransomware tactics as a crisis management team.


How crisis teams can respond to new ransomware tactics

Cyber criminals are constantly changing their tactics and finding new ways to compromise their victims. This makes it a nightmare for crisis management teams to adequately plan and prepare for how they may respond to cyber attacks.

Ransomware attackers are shifting away from traditional phishing towards fake Google ads and help desk social engineering, according to Principal Security specialist Paul Pols.

In this article, Secura’s Senior Crisis Consultant Luke Fletcher explores four ways these new tactics impact crisis management teams. He also details how your organization can deal with this impact.


1. New ransomware tactics should guide your crisis simulations

Ransomware was traditionally spread through phishing emails with malicious links and attachments, but attackers are stepping up their game and using sophisticated social engineering tactics, like pretending to be an IT help desk to gain user login credentials.

The FBI and CISA recently published a threat advisory on a cyber-criminal group called Scattered Spider. The group has gone as far as convincing mobile network carriers to transfer control of a targeted user’s phone number to a SIM card the attackers control. This gave them control over the user’s phone and access to Multi-Factor Authentication (MFA) prompts.

Use up-to-date threat intel

This presents a dilemma for crisis teams, Fletcher suggests. 'How far might the attacker have gone or be willing to go? What additional information might they have obtained? Could a key member of your leadership team, or even one of your crisis team members be compromised?' In short: how can crisis teams prepare for these new tactics?

'Organizations should try to include social engineering tactics like these in their crisis simulations,' he advises. 'Not only will this help raise awareness of these tactics, but it also means crisis teams can discuss potential impacts and response options.'

A good example of this is the Threat Intelligence-Based Ethical Red Teaming framework (TIBER-EU) adopted across Europe: 'The core concept of this framework is that it uses the latest intelligence on threat actor tactics, to simulate an attack on an organization and to learn lessons and improve resilience.'

But you might even take it a step further: 'You could use the outcomes of cyber security tests, like red teaming, to inform scenarios for crisis teams. This will ensure simulations are as close to reality as they can be.'

To pay or not to pay

In October 2023, LockBit 3.0 announced new rules for ransom negotiations among the members of the group in a bid to secure larger ransom amounts and increase the likelihood of payouts. These rules state a minimum amount that an organization can be ransomed for, based on its revenue, and cap the discount that can be applied to the initial ransom following negotiations at 50%.

Organizations can use this information as a basis to proactively estimate what kind of ransom may be placed on them if they were subject to an attack, Fletcher advises. 'Of course this information can also be used in simulations, to allow participants to determine the cost implications of recovery versus a payment of ransom.'


2. Remember that attackers use publicity to pressurize you

Cyber criminals know that publicity means pressure and many have moved to announcing the attacks on their victims through public leak sites. The number of organizations published on leak sites in the first nine months of 2023 was as high as the entire number for 2022.

A specific example of this is the Clop ransomware group, says Fletcher: 'Since May this year, this ransomware group has been publishing data on leak sites that belong to hundreds of organizations who refused to pay ransom demands. This was following their successful compromise of the safe file transfer system MOVEit.'

'Clop experimented with sharing this information through torrents, but adapted their approach to publication following reports of slow download speeds, limitations on access and law enforcement website takedowns. They have now made access to the data of organizations that did not pay the ransom much more public and readily accessible.'


Getting ahead of the game

This tactic of publicizing attacks means crisis teams are playing catch-up from the minute the crisis has begun. If your organization is the victim of an attack, you might even find yourself in the position where your customers or partners are advising you of a cyber-attack before you know you’ve been impacted yourself.

This means getting ahead of the game is one of the key objectives of any crisis management team, Fletcher says. 'The team wants to try to predict what’s coming next and take steps to prepare. This might include the drafting of holding statements and communications messages ready to deploy to their internal and external stakeholders.'

'Making sure you have the right early warning systems in place, supported by tried and tested plans and playbooks, will go a long way to relieving some pressure for your crisis teams when an attack occurs.'


3. The decision on whether to pay a ransom should be a crisis team consideration

There are two clashing interests when it comes to ransom payment: the interest of the organization and the larger interest of society. Paying the ransom may limit organizational impact but it does not benefit society.

Ideally, multiple stakeholders should be involved in the ransomware question, Fletcher states. 'To make an informed decision, stakeholders within the business need to come together as a team to review the facts, discuss the consequences of decisions and ultimately take the decision that’s right for them.'

  • Cybersecurity functions need to be ready to brief the wider crisis team on the attack, providing intelligence on how much worse it could get.
  • Your IT teams need to present a clear view on what their current recovery capability is for critical infrastructure.
  • Your senior department managers need to be able to portray how effective their resilience and continuity plans are.
  • Your supply chain function needs to be able to articulate how the supply chain could be impacted or indeed utilized to maintain services.
  • Your communications department needs to understand the consequences of either decision and be able to advise on the most appropriate communications strategy.

'The list goes on', Fletcher emphasizes. 'The input of each of these departments should ultimately help the crisis team determine the best course of action.'

Structure and organization

Bringing this all together in a time of crisis requires structure and coordination, says Fletcher. 'That means it's important to ask yourself: does my organization have a crisis management framework and response structure in place to coordinate and communicate in a crisis? From the cyber response team through to the CEO? And have my staff been able to practice how they would collate information and brief the crisis management team?'

The international crisis management standard, ISO 22361, can help guide organizations in establishing an effective crisis management framework, plans and procedures. Crisis exercises can also be used to put response structures into practice.


4. Prepare for key decisions, like: do we even negotiate?

Many organizations hire third-party ransomware negotiators to liaise with threat actors in the hope that ransom payment demands can be reduced. Cyber criminal groups are becoming wary of this, coordinating with each other to ensure fixed prices or even refusing further discussions once they identify that negotiators are involved.

The very decision to even negotiate in the first instance can have consequences, Fletcher says: 'We saw this with LockBit’s ransomware attack against the Royal Mail in January of 2023. LockBit published the whole negotiation conversation online.'

Organizations that have proactively considered what key decisions may be required in scenarios such as ransomware attacks will be much better placed to respond, he says: 'Also important: document which key decisions you need to make along with who is authorized to make the decision and what information is required to make that decision.'


If you decide to negotiate, you should work on the assumption that the communications you have with the threat actor will be leaked. So it is important to be aware of what you say, as this could have reputational consequences.

The key takeaways for crisis teams

Changing ransomware tactics can be a challenge to deal with as a crisis management team. Fletcher advises taking the following measures to make sure you stay ahead:

  • Run regular cyber crisis simulations using the latest threat actor tactics and outcomes from wider organizational cyber security tests. Together, these will help your crisis teams stay informed and well prepared.
  • When (not if) your company is impacted by a cyber incident, organization and structure will be key. Ensuring you have a well-embedded crisis management framework in place will save time, ensure communications are effective, promote an accurate level of situational awareness and give crisis teams the confidence to make informed decisions.
  • Proactively consider what key decisions might need to be made in such scenarios and the information your crisis teams will need to gather to make that decision. Document these decisions in a plan or playbook and walk it through with key stakeholders.


Why choose Secura | Bureau Veritas

At Secura/Bureau Veritas, we are dedicated to being your trusted partner in cybersecurity. We go beyond quick fixes and isolated services. Our integrated approach makes sure that every aspect of your company or organization is cyber resilient, from your technology to your processes and your people.

Secura is the cybersecurity division of Bureau Veritas, specialized in testing, inspection and certification. Bureau Veritas was founded in 1828, has over 80.000 employees and is active in 140 countries.