|Josh Chodor, Meredith Griffanti & Evan Roberts co-authored this article.
For businesses hit by ransomware attacks, paying the ransom is often the most practical solution to recovering data and minimizing an extremely stressful situation.
However, paying a ransom, which can sometimes range into the millions, is easier said than done. In situations where a ransom isn't or can't be paid for a variety of business reasons—such as potential sanctions—organizations need to prepare for the avenues that threat actors will leverage to inflict significant reputational harm.
A common theme of today's ransomware attacks is double extortion: Not only will a threat actor lock a company's files and demand a ransom payment, but it will also threaten to release sensitive information that has been exfiltrated from a victim organization's environment. These threat actors may not truly care about the content of such data; it's simply a money-making operation.
|This article is featured in O'Dwyer's Nov. '21 Technology PR Magazine
(view PDF version)
Direct communication with key stakeholders
An evolution of the double extortion attack is particularly sinister: direct outreach to a victim company's stakeholders. This new strategy forces organizations, already under tremendous pressure, to act quickly to get ahead of the messaging around an attack in an attempt to reduce reputational risk and maintain stakeholder trust.
Over the past few months, cybersecurity industry publications have written about situations where companies faced this type of extortion from CI0p and REvil ransomware groups. In these scenarios, customers who provided email addresses to the target companies received messages indicating that sensitive personal and business information was contained among the stolen data.
Target companies, facing not only business disruption from encryption, but also damage to key stakeholder relationships, may be more likely to make the ransom payment to minimize stakeholder backlash.
Cyber actors also have increasingly relied on direct outreach to the press to tout their successes and publicly pressure impacted organizations into paying the ransom, something REvil leaders have admitted. As an added threat, cyber actors will do their homework and look into a company's financial records for insurance policies in order to determine how much money they can truly extort.
Cyber actors may also publish victimized company information on dedicated webpages on the dark web referred to as "shame sites," which not only provide proof that a company was hacked, but also allows for niche trade journalists to potentially share news of the company's incident with the general public—before the organization itself has a chance to do so.
If the threat of ransomware groups using double extortion techniques and directly communicating with stakeholders wasn't concerning enough, a new tactic has emerged called "triple extortion." This tactic, recently deployed by the Avaddon ransomware group, involves a Distributed Denial-of-Service attack on a company's website should they delay in paying a ransom.
A DDoS attack isn't a new tactic, but it has been weaponized to increase pressure on victim organizations. DDoS attacks are defined as malicious attempts to disrupt or overwhelm a server or network infrastructure by flooding it with false traffic. They can be particularly painful for a company hit by ransomware, as a vital artery for communicating with stakeholders is disabled. Cyber actors who organize DDoS attacks will leverage website access in exchange for a ransom payment, adding another hurdle to the crisis communications process.
How companies can respond
As threat actors continue to adapt and evolve, companies too must plan and document their cyber communications response strategy in advance. A key tenet of this is preparation: companies test and drill against their cyber communications plan proactively to answer and solve questions that could make or break a business.
Such questions should include: How do you plan to contact customers, employees, and other stakeholders when systems are taken offline? Who would lead the crisis communications response to a ransomware attack, and what advisors are already retained or need to be hired to support that response?
It's often too late to answer these critical questions once the worst has happened. Without an integrated and transparent communications plan and approach, organizations should not expect customers and other stakeholders to remain patient as the incident evolves.
While cyber actors may use many different tactics to exert pressure on a target company to get them to pay a ransom, providing continuous and proactive communications around the issue with important audiences will help to mitigate the company's reputational risk of being truly paralyzed by an attack.
Facts are your best weapons in the early hours, days and weeks of an incident—be truthful and transparent about what you do and don't know about the situation and continue to adjust and update as remediation and restoration progress is made.
No matter the tactic employed by cyber actors, companies can still retain employee and customer loyalty, and preserve their reputations, by clearly and authentically communicating about the path forward, even if the destination isn't yet apparent.
Josh Chodor is a Senior Consultant at FTI Consulting. Meredith Griffanti is Managing Director of FTI Consulting's Crisis and Issues Management practice. Evan Roberts is a Managing Director at FTI Consulting.