Targeted Ransomware Attacks on the Rise

At the end of February, security experts at RSA 2020, a leading cybersecurity conference, warned that an increase in targeted ransomware is likely. These concerns echo a statement released by the FBI in October that ransomware attacks are becoming “more targeted, sophisticated, and costly.”

Ransomware is a form of cyber-attack that hackers use to encrypt information on victims’ systems then demand a ransom before giving the victim back access to their files. In the past, these attacks were aimed primarily at individual consumers. However, in the past 2 years ransomware attacks have dramatically shifted focus toward businesses and institutions, including government agencies. According to a report by Malwarebytes, there was a 263% increase in ransomware targeting organizations in the second quarter of 2019.

Easy Money

So what exactly has led to the increase in ransomware attacks against businesses? Well, while there are a number of factors contributing to this trend, the main answer is money. According to the Malwarebytes report, attackers found that focusing on businesses provides a larger and more consistent return on investment. Not only do hackers expect businesses to have more money than individual consumers, the loss of data can prove more harmful and costly for organizations than for a single person. This gives businesses a larger incentive to pay up. What’s more, ProPublica has written a series of articles detailing how insurance companies and other firms offering ransomware solutions often opt to simply pay the ransom rather than work to unlock encrypted files by other means. Hackers are therefore becoming more and more confident their victims will cough up the money.

However, ransomware attackers are also learning they don’t even need the ransom to make money off their attacks. Ransomware-as-a-service (RaaS) is a growing business model on the dark web, where groups will build and sell ransomware kits to those without the technical know-how to carry out an attack on their own. RaaS has therefore made ransomware a more accessible method of attack, contributing to the rise in attacks we have seen in the past few years.  

Protect and Prepare

Given the dramatic rise in ransomware attacks against organizations, every business needs to invest time and energy in protecting against and preparing for the possibility of a ransomware attack.

Protecting yourself from a ransomware attack largely involves getting back to the basics of cybersecurity. Upgrading and patching outdated operating systems and software regularly, using anti-virus and malware protection, and restricting access privileges only to those who need them will all help to decrease the risk of an attack. Regular penetration tests and vulnerability scans will show the areas in your systems that need the most protection. Routinely backing up your systems and information and testing those backups is also essential. If a ransomware attack locks up your files, having a recent backup of your information could be one way to ensure access without paying a ransom.

However, even if you take every possible preventative measure, you can’t just assume you won’t be targeted. Given the dramatic increase in ransomware attacks, it is essential to also plan your response if something ever happens. Incident response teams should therefore understand the response plan and simulate ransomware attacks to ensure preparedness and find ways to strengthen your response should the worst happen.

Cyber Resiliency is the New Cyber Security

Here is the bottom line: when it comes to cyber threats, we should of course take steps to protect ourselves and our businesses from attacks. However, we also need to prepare ourselves for the very real possibility that, at some point, someone will get into our systems. That’s why many cyber experts are beginning to use the new term “cyber resiliency.”

The concept of cyber resiliency stems from an understanding that the cyber threat landscape is so diverse that it’s important to make sure you can withstand and not simply prevent attacks. The overall goal of a cyber resilient system is therefore to maintain essential operating functions even when it is under attack. 

The Basics of Cyber Resiliency 

In the fall, the National Institute of Standards and Technology (NIST) released a cyber resiliency engineering framework that provides detailed steps organizations can take to minimize the impact of attacks. However, the overall framework can be broken down into four basic goals:

1. Anticipate 

According to the NIST framework, the first goal of cyber resiliency includes preventative measures often included in cyber security policies. However, anticipating a cyber threat goes beyond prevention by also focusing on preparing for an attack. This includes having an incident response plan in place, as well as changing your system often in order to preempt attacks.

2. Withstand  

Withstanding a cyber attack should involve steps taken to limit the overall damage an attack has, even if you haven’t detected the attack yet. In general, this involves deflecting the attack to areas that can take the most damage without disrupting day-to-day activities. You should also be prepared to entirely remove and replace systems that are badly damaged.

3. Recover 

Before an attack even happens, you should know exactly how you plan to recover if one ever happens. This should primarily involve being prepared to revert your systems back to the state they were in before the attack. Recovery strategies will therefore depend heavily on having good backups of your system that you test regularly.

4. Adapt 

At bottom, adaptation means understanding that if the threat landscape continues to change, so must your security policies and systems. You should constantly be looking for new vulnerabilities within your system as well as new forms of cyber threats. If an attack does happen, you should also be willing to take a hard look at how it happened and make changes accordingly.

Leaders are best equipped to drive cyber resiliency efforts 

It is important to understand that these four cyber resiliency goals were designed to encourage communication between leadership-level business risk management strategies and the rest of the organization. We’ve written before about the importance of proper governance and business leadership when it comes to cyber security and the same goes for cyber resiliency.

Because many executives don’t come from a background in cyber security, it may seem to make the most sense to leave the responsibility to the IT department or someone trained in security. However, cyber resiliency is as much a function of culture as anything: how we govern, organize, and communicate about cyber threats are all necessary considerations for putting cyber resilient policies into action.

That’s why Accenture Security’s 2019 State of Cyber Resiliency Report emphasizes the three skills business leaders have that make them essential to any cyber resiliency policy:  


The report found that leaders who scaled technologies and security systems across all levels of the organization were far more effective at both preventing attacks and discovering attacks already in place.  




Offering comprehensive security training across all levels of the organization also proved to be an effective method for protecting and maintaining systems during cyber attacks. Business leaders are therefore key for investing in and maintaining robust training programs.




Perhaps the most important skill a business leader brings to cyber resiliency is the ability to collaborate. Putting in place a cyber resiliency policy requires cooperation and communication between all levels and aspects of the business. By bringing different groups together and keeping everyone on the same page, organizations can be confident their policies and practices are as effective as possible.  

The Take Away

At its root, cyber resiliency involves preparing all aspects of an organization so that any potential cyber threat has a minimal impact on business operations. This involves well-informed risk management strategies, effective communication and training for employees, updated intrusion detection systems, and a strong incident response plan that is tested and revised regularly. Cyber resiliency takes a village but depends first and foremost on a leadership team that takes the task seriously.

Calling for Backup

It’s common knowledge that we should all be backing up our data. It’s important not only in case of system errors, but also in the event of stolen data and other security breaches. But what isn’t talked about as often is testing these backups.  

This is something that Arizona Beverages found out the hard way. Earlier this year, the company found itself victim to a ransomware attack that wiped information on more than 200 servers and networked computers. But the real trouble began when IT staff realized that their backup systems were misconfigured, effectively making it impossible to recover their data without outside help. Because of the mistake, the company spent hundreds of thousands of dollars on new hardware, software, and recovery services.

While there is nothing good about suffering a ransomware attack, having backups of your data can severely limit the consequences of the attack — as long as those backups actually work. This is why it’s essential to regularly test your backup systems.

In order to ensure their systems are backed up frequently, organizations will often automate this process. And while this can be useful, it’s important to not just assume that everything is working as expected.  

And there is more to backing up your data than the actual backup process. You want to make sure not only that you properly backed up the targeted data, but that it can be successfully restored. This includes ensuring that no file corruption occurs in the process of backing up and restoring that data. There’s no worse feeling than restoring your data only to find it completely useless.

How frequently you test your backups should be decided by each organization depending on regulatory constraints, risk assessment, and business strategy. However, whatever is decided should be incorporated into your cybersecurity policy and carried out consistently.

Nothing keeps IT professionals up at night like the thought of irredeemably losing system data. Not only could months or years’ worth of work vanish in an instant, but it could end up costing tons in regulatory fines and recovery services. 

Simply put: test your backups, sleep easy.  


Reducing the Cost of a Breach

The thought of a data breach is enough to send a chill down any business owner’s spine. And rightly so. Last month The Ponemon Institute released its annual Cost of a Data Breach Report, showing that the cost for companies that experience a breach continues to rise. According to the report, data breaches cost U.S. companies an average of $8.19 million per breach — far above the global average of $3.92 million.  

And the news is even worse for small businesses. The report found that smaller organizations suffer higher costs relative to larger ones. While a data breach will cost a large organization $204 per employee, smaller organizations see that cost jump up to $3,533 per employee.

The report also shows that a single breach can have a long-term impact on a business. New in this year’s report is an analysis of so-called “longtail costs” that show how organizations feel the impact of the breach years after it occurred. It turns out that only 67% of the cost of a breach comes in the first year, with 22% in the second year, and 11% in the third.

Reducing the Cost of a Breach

So that’s the bad news. Luckily, the report also lays out a number of steps that have proven to significantly reduce the cost of a breach.  

Incident Response Plan and Simulation 

By far, the most effective way to reduce breach costs is to respond quickly. The report found that on average it took companies 206 days to identify a breach and another 73 days to contain it. However, those that were able to find and stop a breach in under 200 days saved a whopping $1.2 million.  

The best way to ensure you’re able to respond fast is to have a detailed incident response team in place and conduct periodic tests of your response plan. According to the report, the combination of an IR plan and regular incident simulations leads to greater cost savings than any single security process — saving an organization an average of $1.23 million.


The report also shows that properly encrypting your most sensitive data will help reduce the cost of a breach. Encrypting data essentially scrambles up your information so that it can’t be read without a key to decrypt it. According to the report, companies that encrypt their data on premise, at the endpoint, in transit, and in the cloud reduced the cost of a breach by an average of $360,000.

Security Automation 

More and more organizations are using security automation such as machine learning, analytics, and incident response orchestration to quickly identify and contain system vulnerabilities. According to the report, the cost of a data breach is 95% higher for organizations without security automation in place. There are a number of automated security processes available, but even just conducting regular vulnerability scans will go a long way toward reducing the cost of a breach.

Customer-Centric Governance

The report also found that effective governance and leadership, such as a chief privacy officer or chief information security officer who focuses on preserving customer trust, is a key driver in reducing breach costs and maintaining a company’s key asset: its reputation.

Keep Things Simple  

Another interesting aspect of the report is that it shows that, when it comes to security technology, more is not always better. Excessive use of third parties, extensive cloud migration, and system complexity all increase the cost of a data breach. It’s therefore important to minimize the complexity of your security technologies where possible.  


All in all, business owners can’t just cross their fingers and hope nothing bad happens. This past year, the chances of a company experiencing a breach within two years increased to nearly 30% — a statistic that has jumped up by a third in just five years. As the report shows, preparing now can greatly reduce the financial impact if the worst does happen. The thought of experiencing a data breach is enough to make anyone feel powerless, but, from impact reduction to a fully prepared incident response team, there are concrete steps anyone can take to take back control of the situation.

Invasion of the Data Snatchers

As you’ve probably heard by now, this week Capital One became the latest company to experience a massive breach of consumer information. According to the company, the breach includes the compromised data of over 100 million individuals. Those affected include both Capital One customers and those who submitted a credit card application within the past 14 years. Most notably, the information stolen includes about 140,000 Social Security numbers and 80,000 bank account numbers. However, information such as names, addresses, reported income, and credit scores was also compromised in the attack.

One of the most interesting aspects of the breach is that the hacker reportedly responsible for the breach once worked for Amazon Web Services, which hosts the Capital One database that was compromised. Paige Thompson, the woman allegedly responsible for the attack, gained access to the database by making use of credentials for the web application’s firewall. This makes the attack just the latest in a long list of breaches involving insider threats via a third party. It is also the latest in a long line of breaches where the access was gained through a web application.

Too Early for Key Takeaways Except for One Big Takeaway

A lot remains unknown about the role Ms. Paige was playing, how she moved through the AWS space (Capital One was not the only company she gained access to) and what her motives were. However, it does show that Capital One’s Incident Response team was prepared to move quickly once the incident was made known. In some cases, being very good at dealing with a crisis is perhaps your strongest (and maybe only) defense.

Practice Makes Perfect

Given the increased threat of cyber-attacks facing organizations today, it’s not only important to have protections in place to prevent attacks, but also to make sure you’re prepared if the worst actually happens. Having an incident response plan is an important first step, but frankly it’s not enough. You don’t want the first time you need your response plan to be the first time you use it. Running periodic incident response simulations is therefore a must.

Here are some steps you can take to perform your own incident response simulation: 

Review Your Plan 

  • Identify a response team. Make sure you’ve designated a team to respond to any incidents and that every member knows their role within the overall response procedure.
  • Conduct an inventory of your data. Make sure you know where your data is and what types are most sensitive. If you collect personally identifiable information or personal health information, for instance, you’ll definitely want to know where to find it in the event of a breach. 
  • Know what regulatory and contractual requirements will govern your response. This often entails prompt notice of a breach to certain entities outside your organization. Insurance carriers, forensics teams, state attorneys general, and clients might need to be notified should something happen. Moreover, regulations vary from state to state and country to country, so it’s important to understand where your clients are located in order to know how to respond accordingly.
  • Know who you need to contact that is outside of the organization.  Your insurance carrier?  Forensics?  Clients?  The FBI?  Make sure those contacts are documented so you do not have to hunt for them when the malware hits the fan.

Run Through a Scenario 

  • Malicious insider action, breach of sensitive data, host application compromise, denial of service attack, lost or stolen IT assets, and ransomware attack are all examples of possible scenarios you could face. Of course, not all organizations will be vulnerable to the same types of incidents, so take some time to identify the scenarios that could reasonably happen to you.
  • Bring your response team together and walk through what steps need to be taken for every possible scenario, and make sure everyone knows who will be responsible for what.
  • After a run-through, note any questions or issues that need to be resolved. For example, are you unable to know if your backups work because they haven’t been tested? Are you capable of identifying exactly what data was exposed? Do you need a retainer for a forensics company to ensure prompt help? Comb through every detail and make sure every question is answered.

Rinse and Repeat 

You’re probably not going to nail the response on your first try. That’s why it’s important to keep practicing these simulations until you feel confident that you and your team will be ready to respond quickly and effectively should the worst happen.


Doing simulations can actually help save costs in the event a breach occurs. According to The Ponemon Institute’s 2017 Cost of Data Breach Study, a fully functional response team saves on average 14% of total data breach costs, and fast responses to a breach can save up to 26% of response costs. Taking the time now to make sure you’re prepared can save time, money, and your reputation.