Over two years on from NotPetya, ransomware remains a major threat to organisations, some of which are losing millions after falling victim to attacks.

What was NotPetya? Basically, it was a series of powerful cyberattacks using the Petya malware that began on 27 June 2017. It quickly swamped the websites of Ukrainian organisations, including banks, ministries, newspapers and electricity firms. Similar infections were reported in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia.

But despite the damage done by NotPetya and WannaCry before it (May 2017), there are still fears that the world isn't prepared for the impact of another global ransomware outbreak.

A report by the Cyber Risk Management (CyRiM) project — a collaborative partnership including Lloyd's of London, the Cambridge Centre for Risk Studies, the Nanyang Technological University in Singapore, and others — uses a theoretical catastrophic ransomware attack to model the broader impact.

The simulation runs as follows, and it sounds very scary.

  • The malware is potent: once one employee runs the ransomware, that is enough to spread the file-locking malware around the network, with a demand of $700 in cryptocurrency on each machine.
  • Around 30 million devices at organisations around the globe are locked in just 24 hours.
  • Organisations of all sizes in all sectors are unable to perform day-to-day operations.
  • Some organisations opt to pay ransoms — including healthcare companies, due to the need to keep life-saving equipment online.
  • Other firms opt to replace devices instead of paying criminals — this also costs money, at an estimated $350 per device.
  • Predicted losses of $193bn around the world as a result of cyber incident response, damage control and mitigation, business interruption, lost revenue, and reduced productivity.

Unlikely? Maybe, but can you say so for sure? Are you even ready? Can you say that your recovery process is strong?

In the Moller-Maersk attack, the damage was so severe that, according to people involved, it just didn't seem possible that something so destructive could have happened so quickly.

"I remember that morning – laptops were sporadically restarting and it didn't appear to be a cyberattack at the time but very quickly the true impact became apparent," said Lewis Woodcock, head of cybersecurity compliance at Moller-Maersk, the world's largest container shipping firm.

"The severity for me was really taken in when walking through the offices and seeing banks and banks of screens, all black. There was a moment of disbelief, initially, at the sheer ferocity and the speed and scale of the attack and the impact it had."

The company was one of the most badly hit of those caught in NotPetya, with almost 50,000 infected endpoints and thousands of applications and servers across 600 sites in 130 countries.

Maersk had to balance the need to continue operating – despite the lack of IT – against recovering and rebuilding its networks. In many cases this was a manual process that took days, and what was described at the time as a "serious business interruption" is estimated to have cost Maersk up to $300m in losses.

It gets worse...

The last decade has seen significant growth in subscription-based services such as SaaS, whereby vendors give customers the ability to rent or subscribe to access to services. This model has transferred into the criminal world too.

Given the high demand for ransomware in this day and age, creative cyber-criminal entrepreneurs followed this subscription-based industry trend too and created Ransomware as a Service (RaaS) to ease the burden (poor things) on attackers of having to develop their own malware.

Would you be able to cope?

Do you have a plan?

While protecting networks and critical systems is the ultimate goal, and all well and good, a recovery plan must also be in place. Without one you are really only 50% ready.

A significant part of a recovery plan is the ability to really understand the core business processes and to know everything about the systems and applications which run the operation.

Protect, Secure and Recover – crucially, in that order.

How to start?

A good place to start is here, with the IRMI (International Risk Management Institute, Inc.):

A cyber-incident response plan should be developed as part of a larger business continuity plan, which may include other plans and procedures for ensuring minimal impact to business functions (e.g., disaster recovery plans and crisis communication plans). Recovery activities encompass a tactical recovery phase and a strategic recovery phase.

Posted in Cyber Insurance blog on Aug 13, 2019