These attacks often are first known of when there is a disruption to an organisation’s system, such as a denial of service attack, that locks down the system and prevents access, or an indication that certain material has been taken and uploaded onto the dark web.
Often what is uploaded is a small sample of the material that has been stolen, to demonstrate that the theft has occurred, much like the delivery of the severed ear used in hostage situations in a time gone by.
In many cases a ransom or fee is demanded by the hackers to unlock the system, failing which a much wider leak of the stolen material onto the dark web is threatened along with the continuation of the lock out of an organisation’s computer system.
We have witnessed that this is not just something which is targeted to very large corporations. Although in Australia very large corporations have been the subject of very public attacks, much smaller businesses are also being attacked, albeit for smaller demands.
The disruption caused by such an attack can be significant for organisations, with it taking between hours and many weeks to restore services. It often comes with considerable expense to undertake that process.
Further, although it is suggested that payment of a ransom is something done by perhaps a third of targets (and this is something where the statistics are apt to be difficult to verify; targets are reluctant to admit this) payment of the ransom is not always a panacea. Payment does not necessarily protect an organisation from being the subject of a second demand. There is not always honour among thieves.
A ransomware attack, in addition to being disruptive and expensive (whether by payment of the ransom or by the restoration of the system without payment of the ransom) may bring Privacy Act obligations to bear on the target. This must never be overlooked, even if the ransom is paid. One needs to judge whether what has been stolen and posted may constitute an eligible (and therefore notifiable) data breach.
Alongside such an attack there is the question of reputational damage issues to manage for those attacked.
It is near impossible to be a modern corporation, interacting with the world, to be immune from the risk of attack. Rather, organisations should recognise the risk and take proper steps to minimise their risk. In short, make somewhere else an easier target!
There is much to be said for preparedness. Assume that the risk of attack is real and be ready for it and your response to it. Time is of the essence.
It is important that IT systems are in the best shape reasonably possible either to resist or identify at an early stage any ransomware attacks. Additionally, organisations should have fully formed plans of how they will react in the event that they are the subject of a ransomware attack.
Being ready early to respond may bring considerable benefits in the areas of reducing the severity of the attack and in mitigating the rectification and reputational costs and other impacts which may flow from being the subject of an attack.
We at Lavan are available to assist in the preparation of your response planning.
If you require assistance please contact Iain Freeman or Lorraine Madden.