Ransomware is one of the most significant cybersecurity issues facing us today, as cyber criminals hack into businesses, schools, hospitals, critical infrastructure and more in order to encrypt files and demand a ransom payment for the decryption key.
Despite warnings not to, many victims pay these ransoms, under the impression that it’s the quickest way to restore their network, particularly if the cybercriminals are also threatening to leak stolen data. But all this means is that the attack cycle continues, with ransomware groups using their ill-gotten gains to finance more ambitious attacks.
Beyond this, there’s another problem. Many ransomware incidents are simply kept under wraps, so it’s hard to get a good picture of what’s really happening in the world. Even when companies do admit to a cyberattack they are very often vague about what has happened, and seem most reluctant to describe any incident as a ransomware attack.
A ‘serious cyber attack’, a ‘cyber incident that has caused some disruption’ and ‘data being encrypted by a third-party’ – those are just some of the statements put out by victims of ransomware attacks to describe what happened, without ever mentioning ransomware.
Some victims eventually become more open about what happened, but only months or years after the incident – and some never publicly acknowledge it was ransomware at all.
It’s frustrating not being able to get a comprehensive and clear picture of what’s going on – even if, by reading between the lines of the vague statements about a ‘sophisticated cyber incident’ that has ‘disrupted services’, it’s clear that it’s a ransomware attack.
And the lack of transparency about ransomware attacks and other cyber incidents is damaging to everyone.
Some victims are very quick to disclose that it’s ransomware, and I’ve interviewed victims of ransomware attacks who, after the incident has passed, are willing to speak on the record about what happened. It’s interesting to hear CIOs and CISOs open up about what happened.
The common thread among these cybersecurity leaders choosing to speak up about their organizations being hit by ransomware is that they want to help prevent others from becoming the next victim by detailing the lessons they learned around bolstering cyber defenses to prevent future incidents.
Lessons like applying security patches on time, providing users across the network with multi-factor authentication (MFA), plus regularly updating backups, are moves that can help stop ransomware attacks in their tracks. And the best time to take action is before the attack takes place.
Ransomware isn’t just a tech problem: ultimately, these cyberattacks impact everyone, and we are often left in the dark about why the services we rely on aren’t working.
In some cases, it looks like this is already changing. Recently, Los Angeles Unified (LAUSD), the second biggest school district in the US, was hit by a ransomware attack and immediately disclosed the incident to the authorities, as well as keeping the wider general public up to date about the situation.
Their approach was praised by the director of the Cybersecurity & Infrastructure Security Agency (CISA) Jen Easterly, who said LAUSD “clearly knows the value of transparency when responding to a cyber incident – their speed, clarity & focus on partnership is commendable” and described them as a “Great example of how to keep stakeholders informed, including potential impacts & what to expect next.”
Dealing with a ransomware attack is a challenge, but the way organizations frame the experience is just as important as the technical response. By detailing what has happened and how the incident is resolved, they can actually generate positive feedback and show that the ransomware gangs do not always have to be feared.
And it just might prevent others from suffering the same fate. In the fight against ransomware, it’s going to be better for everyone if there’s more transparency around attacks.