In 2021, ransomware attacks rose to a level of ubiquity not previously seen. As ransomware entered mainstream consciousness, organizations’ responses have come under greater scrutiny. As ransomware attacks have evolved, so have the communications tactics necessary for responding.
The State of Ransomware in 2021
While ransomware itself is not new, threat actor tactics have evolved. The emergence of ransomware as a Service (RaaS) and triple extortion have aided in its proliferation.
Ransomware as a Service (RaaS)
RaaS is a cybercrime business model in which developers, in exchange for a cut of profits, sell their strain of ransomware to affiliates. This model has lowered the barrier to entry for threat actors and made it more difficult to track them and prove culpability, perpetuating a criminal enterprise.
From Double to Triple Extortion
In 2019, Maze pioneered the now-commonplace practice of double-extortion – encrypting a victim organization’s systems and exfiltrating data to post on shame sites. Triple extortion involves directing a ransom demand not only toward the victim organization but to its stakeholders – including employees, customers and the media. In some instances, a threat actor may also pursue a victim organization’s vendors and business partners, threatening their business relationships. Triple extortion may also involve the deployment of DDoS attacks on an organization’s corporate website, rendering it inoperable at a crucial moment when stakeholders are looking for clarity. Although not yet common, some threat actors have begun threatening to publish exfiltrated data should the victim organization engage law enforcement.
Impact of a Ransomware Attack
When faced with a ransomware attack, business continuity remains critical. However, the impact of an attack can be wide-reaching and affect a range of stakeholders.
Operational Impact
A ransomware attack’s impact is typically first felt at an operational level. There may be widespread outages impacting an organization’s ability to maintain business as usual – affecting corporate email, websites and other critical tools. It’s important to keep stakeholders apprised of the latest developments in the remediation process and to arm employees in customer-facing roles with the resources they need to articulate ransomware-related outages to customers. Any outages may be noticeable externally and could generate media attention at this stage.
Financial Impact
Ransomware is costly. Research conducted by Sophos found that at the average cost associated with recovering from a ransomware attack was $1.85m in 2021. The substantial costs stem from an immediate loss of revenue due to outages and downtime and the costs associated with recovering from the attack, lost business opportunities and ransom payments.
If the attack is not disclosed in a timely or transparent manner, organizations leave themselves open to costly legal action or sanctions. The SEC has signaled that cyber-attacks present existential business risks and may have a material impact warranting disclosure (source).
Reputational Impact
The reputational impact of a ransomware attack may be the most long-lasting. Recent HSBC research found that 73% of organizations underperformed the market after a ransomware attack. Effective communications, however, can help mitigate reputational damage. Stakeholders may not judge an organization for becoming a victim of a ransomware attack, but they will judge them based on their response.
How Can Communications Strategies Evolve to Meet the Challenge?
Develop a Preparedness Plan
Organizations should develop cybersecurity crisis preparedness plans with an eye towards ransomware and based on their current risk and regulatory environment. It should complement existing crisis response plans and emergency protocols. Plans should be reviewed regularly to maintain viability and continually assess regulatory environments. In the US and elsewhere, regulatory bodies are placing an increased emphasis on cybersecurity regulation and have signaled, in some cases more implicitly than others, the desire to hold threat actors accountable.
Map Out and Understand Your Stakeholders
As ransomware becomes more pervasive, incidents are regularly reported in the media. As such, stakeholders, including the public and regulators, possess a greater awareness and understanding of ransomware. Communications strategies should bear in mind this baseline knowledge.
Internal stakeholders are of particular importance given that everyone in an affected organization – from frontline employees to the C-suite – is a communicator and a critical vehicle for message distribution.
Be swift and Transparent
Stakeholders expect to be kept informed, particularly if a ransomware attack has impacted an organization’s day-to-day operations. A lack of transparency can generate speculation, stymieing an organization’s work to respond. Similarly, delays in communication can be costly, both in terms of reputational damage and, in some cases, financial repercussions should a loss of clientele ensue. Instead, understand your stakeholders’ needs – and reach them in a way they are accustomed – to maintain your valued relationships and tackle misinformation.
2021 underscored the omnipresent threat of ransomware. The ubiquity of these attacks has necessitated an evolved communications strategy informed by preparation and an understanding of stakeholders and characterized by swift, transparent and forthright communication.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.
FTI Consulting, Inc., including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm.