The Ransomware Paradigm Change — Lessons from Insurers and Breach Coaches

Posted on in Podcasts

Throughout 2020, ransomware was consistently amongst the most challenging cyber exposures for organizations to manage. The insurance market can provide critical insights on how to understand the evolving ransomware landscape, given the volume of insurance claims being seen and emerging data on loss and exposure trends. This session will bring together experts from across the cyber insurance and breach coach space and give end to end insights on the financial and organizational impact of ransomware, risk implications, and challenges that will be seen in the market.


This podcast is sponsored by Axonius. Axonius is the cybersecurity asset management platform that gives organizations a comprehensive asset inventory, uncovers security solution coverage gaps, and automatically validates and enforces security policies.


Podcast Transcript

Introduction:
You're listening to the RSA Conference podcast. Where the world talks security.

Kacy:
Hello, listeners. Thank you so much for joining us today for this episode of our RSAC 365 podcast series. We have a great conversation lined up for you today with a special guest moderator, Ben Di Marco. But before I turn it over to Ben, I wanted to take a moment to recognize our sponsor. Today's episode is brought to you by Axonius. Axonius helps organizations immediately know what assets they have and shows which devices, cloud instances and users, adhere to or deviate from security policies. Try it for free at axonius.com/rsac. And now I'd like to turn it over to Ben, to advance the conversation by introducing himself and our panelists.

Ben Di Marco:
Thank you very much, Kacy. And thank you to RSAC for the opportunity to have this podcast today. The topic that I'll be exploring with my co-panelists is the ransomware paradigm change, lessons from insurers and breach coaches. To set the scene, what we really wanted to do is give people a high-level understanding of what's generally happening in the ransomware incident response space, what those crisis events are looking like, and also to try and come at it from the lens of the insurance and the breach coaches, who are living these events every single day.

Ben Di Marco:
I'm incredibly fortunate today to be joined by an exceptional group of panelists. Today, I'll be talking with Christina Terplan. Christina is a Founding Partner and President of Atheria Law. Her practice focuses on technology, IP and privacy law. She works on a broad range of claims brought against technology and media companies. She's also an expert in the cyber breach incident response space. And a lot of her work involves helping insurers and carriers understand these events, working as coverage counsel, and also providing support to organizations as they go through ransomware and other critical events.

Ben Di Marco:
We also have today Marcello Antonucci from Beazley, who is a Cyber and Executive Risk group leader providing insurance coverage across the technology, intellectual property, media, advertising, privacy and cyber liability space. Marcello sits as Global Cyber and Tech Claims leader for Beazley, working out of their New York office. His expertise cuts across data privacy and cyber security matters, and also working with organizations as they go through the ins and outs of addressing these cyber events.

Ben Di Marco:
My name is Ben Di Marco. I'm a private practice lawyer by trade, but work with Willis Towers Watson, a risk advisory and insurance company. My expertise extends across incident response, data privacy, cyber loss quantification and the way in which insurance policies support organizations during cyber and other events. So that's a brief introduction of us on the panel. What I'm going to do now is turn to our first question.

Ben Di Marco:
And to start the discussion, I want to look at the types of losses and financial harms we're seeing organizations face where they have ransom events at the present moment. We hear a lot about systems being crippled. We hear a lot about huge extortion demands. And the first question that we're going to throw to you is, how much of this is fact? How much of this is fiction? What's hype? And Christina, I'll get you to start with this one.

Christina Terplan:
Well, I'll start off. And unfortunately, I think it's bad news, in that ransomware is extremely high frequency right now. And I was even reading it in the New York Times yesterday, where they had a report. And the figures are that last year there was a successful ransomware attack once every eight minutes. So that's 65,000 successful attacks. So it is a really high frequency type of event right now. I do think, though, that the media hype where they're focusing on these being really, really significant events, with extortion payments in the millions, that's not as common. The more frequent events are ones with smaller demands being associated with these types of attacks. But unfortunately, it is happening all the time. And it is oftentimes locking up companies and shutting them down completely.

Ben Di Marco:
Marcello, did you have any thoughts on that hype, fact or fiction?

Marcello Antonucci:
So Ben, I think unfortunately, that one is fact. And as Christina mentioned, this is an everyday occurrence in terms of ransomware. The surface area of information security, the exposures, gives the bad actors and the threat actors a lot of opportunity. And we're seeing ransomware events from very large to small on an everyday and weekly occurrence. I agree with Christina, the big ones are less frequent, but we're also seeing cycles. So not only is it very steady, but we've seen over the last three years periods of time where the velocity of volume and severity increases. And the number of threat actors that are involved and their extortion attempts are getting more sophisticated and more severe.

Christina Terplan:
Thank you. And I might add that maybe this might be one of those cycles right now. I mean, on June 2, the Biden Administration issued a memo on ransomware. And it's literally entitled, What We Urge You To Do To Protect Against The Threat of Ransomware. I think we're probably in the midst of one of the cycles right now.

Ben Di Marco:
Reflecting on what organizations need to do and how to challenge or respond to ransom events, I think one of the issues that is poorly understood is the types of work streams, or the types of [inaudible 00:05:37] processes that an organization would go through when they have a ransom attack. Marcello, could you start by just giving the audience some insights into what these processes look like?

Marcello Antonucci:
Yeah, absolutely. And this is where I have nothing but the utmost empathy for organizations going through these issues. Because it's not like the past events just continue. It's also a reminder that ransomware is a subset of something much larger, which is cyber extortion. And that's really a lot of what we've seen over the last three to five years. And certainly over the last year, in terms of not just a disruptive event that aims to cripple a business as you mentioned, Ben. To create an event where the daily loss of profit or revenue, is easy to calculate and certainly is more expensive than paying the ransomware demand.

Marcello Antonucci:
As companies got more robust over the last two years, in terms of backup tapes and their ability to recover, the bad guys have evolved their cyber extortion to include exfiltration of data, shaming and other really nasty behaviors to get people to pay. And so, what we've seen then is opening up a whole stream of work for the organization to do. Get back up and running, the breach response part. We're very much back to breach when you have an exfiltration in terms of whether you have a privacy event.

Marcello Antonucci:
And then also whether or not you want to pay or need to pay the ransom demand, and some sophisticated data recovery efforts. So you have four or five work streams that involve different parts of the business, sophisticated outside experts, all trying to coordinate and make the best decision in a few hours or a few days. It's a very difficult situation for folks that keeps evolving as the threats evolve, as I mentioned.

Ben Di Marco:
And also, Christina, what do you typically see on the work stream element? And what's happening in that immediate period after an organization's hit by a ransom attack?

Christina Terplan:
Yeah, I mean, on the work stream, I think you really see like three parallel tracks happening right away. So you have the negotiation and decisions of whether or not we pay a ransom or not. So you have that going on. At the same time, you have a separate work stream then of, can we rebuild? Is there some type of way to rebuild without paying? So some type of data rebuild. This is disaster recovery operations of how to operate while things are locked down.

Christina Terplan:
And then, on top of that, there's that legal analysis where you're working with lawyers and forensic experts to try to see what impact to the information has evolved. And are there any legal ramifications and breach notification obligations, either to the public, to customers or to regulators, as a result of the attack as well. So like Marcello was saying, different areas of a business are all operating at 150% capacity at the same time immediately after one of these attacks.

Marcello Antonucci:
And one other thing I would add to what Christina mentioned, you have this stacking of work streams that are really complicated. They're trying to coordinate and make the best decision. The whole world knows you're down. And you guys don't have maybe even operating systems, and so it's very difficult to communicate. And one thing that has definitely changed over the last year to 18 months is, sometimes you think you've got a good handle on it temporarily. You're back up and running, you don't need to pay, and then it changes and it shifts.

Marcello Antonucci:
The exfil cyber extortion that could come in a week later, or even a shaming site that comes in two weeks later, has elongated this already complicated process. It means that this sort of cyber extortion decision-making process can be not just hours and days like it was, but weeks. And then you have business interruption and data recovery that can take months, or even longer, to really understand.

Ben Di Marco:
Just to pick up on one of the points you made, Marcello, which was the concept of some of the shaming and some of the other types of extortion actions that are occurring in the space. Did you want to just quickly, for the audience, explain what you mean by that shaming or that kind of double, triple extortion attack method that we see now?

Marcello Antonucci:
Yeah, absolutely. I mean, this is where it's really unpleasant. These threat actors have invested a lot, they have high expectations for their return on investment and they're not taking no for an answer. Whether it be, no, we're not paying on principle, or no, we're not paying because we can get back up and running, or no, we don't care about that data. They start to reach out in some instances to the clients, or the folks that are mentioned in some of the data they've exfiltrated, saying, "Hey, the company that you thought was protecting your data isn't. And you should talk to them about paying this demand rather than me dumping it on the dark web."

Marcello Antonucci:
Additionally, they'll stand up on social media or other dark web sites, shaming sites, and say, "Hey, we have the data of so and so organization, they won't pay us. They're not really protecting your data and information the way they should, and they certainly are being cheap about solving the problem now that it's come out." This is where some of these threat actors try to play this. In fact, they're testing the data privacy and information security world. So it can be very challenging at those stages.

Ben Di Marco:
Christina, one question that I suppose a number of people in the audience will have is, how do you actually negotiate or deal with a ransomware actor when the nature of the threat is that they might go to your client, or that they might do something, in a publication sense, that could trigger legal or other types of privacy liabilities? Do you have any thoughts on the way in which those issues play out at the moment?

Christina Terplan:
I mean, how does one negotiate? I mean, I think it definitely puts the victim and I see a lot more inclination to pay when there's that type of threat. At least initially, I am starting to see a hit out of becoming more common, there's a little bit more pushback where this is becoming more of a norm. And so it may not just be this, okay, we'll pay and they'll all go and disappear. From the downstream liability side though, what's interesting is that it's probably too early to really see how it's going to play out.

Christina Terplan:
But the courts have not shown that the lawsuits will be less catastrophic in terms of costs, and or that lawsuits won't even be filed if a company pays versus doesn't pay. I mean, I'm still seeing where a company pays a ransom, the information gets destroyed and not posted on the dark web. Those companies unfortunately are still getting sued. And I'm not seeing the courts dismissing the lawsuit because the victim paid the ransom.

Christina Terplan:
I mean, the idea that the information still went out there, the bad guys still had it. And why will the plaintiffs really believe that when the bad guys pinkie swore that they destroyed it? I mean, it doesn't hold up from a legal liability perspective. So that's one thing is that, from the liability side, I'm not seeing that the decision to pay versus not pay has a meaningful impact on the outcome of that. Though Marcello, if you have anything different?

Marcello Antonucci:
No, no, I think it's a really good point about what you're paying for in the [inaudible 00:13:08], right? It's just the promise not to dump the detailed information onto the dark web. It's not them promising to make this go away. You very well may have a privacy issue that you need to notify folks about. Can I weave a liability? You're still going to have a conversation about what is the root cause, and whether you are in any way negligent in your information security procedures, practices or purchases.

Marcello Antonucci:
So you're really paying for a very small slice and ultimately, trusting a bad actor not to dump it anyway. And so, I think it's a really tough call for folks to try to figure out a way to value that promise. I mean, what's the problem with having all this information out there? Some of it is about the value of sensitive information, some of it is about proprietary information or client information. And folks have to make really difficult calls about making sure to try to protect things that are that sensitive and pay millions of dollars sometimes for it. Again, very difficult decision.

Marcello Antonucci:
This is where I would plug experts, right? There are expert privacy counsel who are starting to litigate these things and help people make these valuations. They can benchmark a bit about what the threat actor does, doesn't do. We're having negotiated. Additionally, the ransomware negotiators have a ton of data about tactics, behaviors, negotiating strategies, how much folks will negotiate, when they've hit their bottom line from a bad guy perspective. They're invaluable in testing a strategy about whether to pay, how much to pay and when you sort of make the call to pay.

Ben Di Marco:
[inaudible 00:14:57] Marcello around the privacy as well as the legal and the regulatory. This is probably something that isn't really understood in the wider market. So firstly, when we're thinking about the legal and regulatory issues that arise from ransomware events, have there been any recent changes in this space? And again, you've made this point, Christina, that paying the ransom might not necessarily reduce legal exposure. Do you think that message has got out to the wider community? Or do you think this is still something that's not really well understood?

Marcello Antonucci:
What I would say, I mean, trying to break things down fundamentally, a ransomware event and, as we discussed in the work streams, the issues are ones that have been addressed in breach response and data breach regulatory and class action. It's not surprising what we see after a ransomware event: regulatory inquiries about what happened, what data was at issue and how things were addressed. But additionally, the class actions would be filed, particularly in areas in which class action attorneys are active, like hospitals, wondering what happened? What data was at issue, if any? What services weren't able to be rendered?

Marcello Antonucci:
So they tend to very much morph, well, the facts are different. But they tend to morph a lot like a data breach class action would. And so, we have seen a maturation over the last couple of years. And they start to play out very much the same way. But that doesn't make them any less difficult. It also means that even how long do you take something that was extremely challenging for days and weeks to make a decision about. And then you have business disruptions. And now you're dealing with litigation, class action, settlements, the press continues for potentially years. That's an unfortunate reminder of how the tail of these can also be quite difficult to deal with.

Ben Di Marco:
Is that reflecting your experience and what you've been seeing Christina?

Christina Terplan:
Yeah, definitely. And I think on top of that, another big regulatory issue immediately following an attack is all the OFAC concerns. So the OFAC guidance that was issued on ransomware in October is highlighting the fact that you have to ensure that this money is not going ... If a ransom payment is going to be made, it's not going to anyone that's on the SDN list or to an embargoed jurisdiction. And so, that's just another added complication and potential regulatory issue now that the entity has to deal with and consider in the immediate aftermath of one of these attacks.

Ben Di Marco:
Just picking up on that point you made, Christina, with the sanctions in place and some of those other tensions. Can you explain to the audience how to think of that and how you analyze those issues when you're in the throes of a ransomware crisis?

Christina Terplan:
Very carefully. I mean, it's something where the ransomware negotiators, they have that expertise. And that is where all this tracking of information comes in. I mean, I think, there's obviously ransomware happening a lot, which is bad for the economy and the community at large. But on the positive side, that's more and more data points now that can be tracked. And then, the ransomware negotiators are tracking all this information.

Christina Terplan:
Any intelligence information about the strains of ransomware and which groups they are attributed to, making sure that there's involvement with law enforcement and that you have a negotiator who can do the OFAC and all of the checks with respect to the threat actor, is really critical. And that seems to be the best approach at this point.

Marcello Antonucci:
One thing I would add here, I don't want to be overly doom and gloom really. There are some signs of hope in terms of, over the last like three years, 13 months, three weeks, niche solutions are being and have been created to address a lot of the issues we're talking about, in terms of whether to pay or not to pay and having ransomware facilitators. That industry has literally cropped up over the last two or three years and it's quite robust now.

Marcello Antonucci:
Data recovery is becoming much more a part of this equation. We're seeing more and more robust and tailored and narrowly targeted vendors. And Christina mentioned the OFAC sanctions compliance work. There are vendors who do work in terms of understanding where the payments are going to be made from a chain analytics perspective. There are lawyers that are focusing on literally developing workflows as we speak, to deal with what they're seeing and the issues and the facts. So that's one thing I would say is, while this is very challenging and difficult and unfortunate, there are solutions, and your various partners in the law, financial services and insurance can help direct you to who's the expert at what you face.

Ben Di Marco:
So another good point to highlight that Marcello has made: we obsess sometimes around the concept of whether you should or whether you shouldn't pay the ransom. And that's obviously a very significant issue for any organization, with a whole bunch of stakeholders they've got to consider, but that by itself, as we've talked about, is only a small part of all the crisis challenges that go on. And really, I think a good message for people listening is, if you're going to do cyber tabletops, if you're going to think about these exercises, or even if you're going through a real event. Obviously, the due diligence we do at these events and in that crisis is important.

Ben Di Marco:
But often, it's all these other challenges that sit around recovery, that sit around response, and that sit around managing legal and other risks that can be even more exhausting and challenging. So I think a good message to take from this section is that maintaining that wide view and dealing with all of these other issues is absolutely critical to what's going to be an effective response. Going to a slightly different point now, another key challenge for organizations is how they're thinking about their cyber insurance policy when they're going to be responding to a major ransom event.

Ben Di Marco:
What work typically needs to be done in order to get the reimbursements and payments of ransom and extortion amounts from a company's insurance cover? Christina, I'd like to throw to you firstly.

Christina Terplan:
I think the most important issue is to make sure that the insurer is notified very early. So I mean, I'm not saying it's that way because you get the consent from the insurer as to any payments being made, any vendors that are engaged, that's going to make the recovery process much easier. And it's not even just to emphasize making sure you get the money back, but also the cyber insurers deal with it all the time. So they have a lot of expertise, a lot of discounts. As an entity, if you're suffering an attack, take advantage of that. And so I think the biggest and most important thing is to notify the insurer and work with them, in order to ensure that there are no complications in the recovery process.

Marcello Antonucci:
Yes, Christina, I absolutely agree as well. Early and often, even with small events, notification is important. It helps to make sure that you're communicating. You're getting the value of their expertise. And obviously clearing any conditions about consent that may be required, flagging any issues. And that's where I really, again, highlight the value of objective external partners, who help you to navigate these issues. But also, can kind of flag areas of concern, or help you to navigate a business decision, or the decision to pay, which is an important one. And from our perspective, it's the policyholder's decision. Whether it be a principled one, or a practical one, or one that they're making based on business calculations.

Marcello Antonucci:
But you should also understand how your insurance works. It's not all about the cyber extortion cover to pay that ransom demand. It may also be about the business interruption coverage, or the data recovery costs that could be also covered, or how the third party liability part of the policy plays. You really want to have a full understanding of how your policy can respond and dovetails and covers the various decisions you may need to be making in a holistic way. I think that's a really key part, so that you don't overly focus on one part of the process. You can make a business decision that you feel comfortable with over time.

Ben Di Marco:
I certainly agree with what you said, Marcello. And another issue, just to point out to some of the listeners, is understanding the way in which that ransomware cover within the insurance policy is designed to work. We have a number of clients where they assume it will be the insurer that will make the payment on their behalf to a malicious actor. With the nature of the different financial reporting obligations insurers have, that's firstly a position that they don't want to be in.

Ben Di Marco:
But also, when you look at the mechanics around it, how many of these policies work as a reimbursement function? So I think your message that the organization itself needs to own the decision, and it is the organization's decision, needs to be front and center. Insurance is certainly a very important support. But again, organizations that have the expectation that the insurer will just make the payment for them in five or six hours, that's not really realistic, at least. That's kind of my view, unless either of you think differently.

Marcello Antonucci:
No. And I would just highlight another sort of part of this that, at least from our perspective, our policies are reimbursement only, and I know most of them are. So that means you do have to find the money and make sure that you have someone that can get the Bitcoin. There's also a banking element here. The banks only work certain hours. They also have their own checks these days, based on some of the things that Christina mentioned.

Marcello Antonucci:
So it's another part of this logistical challenge that you need to be mindful of, making sure you have the money, getting it into the right place in time and clearing whatever the banks want, so that you can meet the demands of the threat actor. It's certainly another reason why you want to have a really seasoned ransomware negotiator. They know all of these ins and outs and can help you get ready for whatever you want to do.

Ben Di Marco:
I love the fact that even though it's an emerging industry, we've already got seasoned ransomware negotiators.

Christina Terplan:
Yeah. It's true. They haven't been doing it for 20 years, but they've been doing it for a few years.

Marcello Antonucci:
For sure.

Ben Di Marco:
What changes now? And this concept of the threat actors, whether you can trust them? Obviously, sometimes we need them just to get the decryption key so we can go about and do our work. But even when that happens, or even when it's a publication threat, there's always this sword of Damocles hanging over you, over whether there might be a reinfection or there might be a future attack. How do you both think about the issue of, firstly, can we trust them? And secondly, if you make the payment, does that just put you under a red light as being a soft target for a future attack? I might throw this to you firstly, Marcello.

Marcello Antonucci:
Yeah. No. I mean, there does appear to be some honor among thieves. And again, the ransomware negotiator and facilitator is an important person in this, to help you navigate whether you can trust them, whether there have been any issues about producing the key, or not living up to promises in terms of exfiltration. But from our experience, when a threat actor has been identified as a repeat player that can be trusted, they're often trusted. I'd say one caveat is, if they shut down, get shut down, or are operating as a ransomware as a service and lose their license in the process, they may not be there to do the things they promised.

Marcello Antonucci:
We have seen that in real time, where they get shut down and everyone's just left, where they are with an encrypted system and no way to recover. But for the most part, they do live up to their promises. And there's a way to negotiate and ways to verify that. And particularly with new threat actors making sure that they're verifiable. And that's why you really need an expert to help you navigate this problem.

Ben Di Marco:
Just a comment before about losing their license. For people in the audience, could you just explain that?

Marcello Antonucci:
There are a variety of business models in the ransomware game. Some where the groups appear to be fairly well structured and they have the technology and they have the services from a demand and payment perspective. And it all seems to be contained in one place. Others have a business model that is much more of a licensing and a ransomware as a service. They take their technology and they deploy it when there's a licensing and that transaction cost. And other folks, through the dark web, are the ones deploying their technology and services.

Marcello Antonucci:
And in those cases, it's much more diffused. And if they have their licenses pulled in real time, you may lose the ability to recover. So again, something that ransomware negotiators and facilitators can really help you understand about what type of organization you're dealing with, who the threat actor might ultimately be. And again, help you navigate that risk of whether that could be a problem in the end. One thing I would mention also about the sort of re-engagement is, sometimes we do see two things. One, if the problem isn't fixed, other threat actors come in.

Marcello Antonucci:
If you leave the door open and one thief comes in, he tells the other thieves and they come in. So we have seen that. So you do have to correct your information security issues. We do, on rare occasions, and it can be tied to certain threat actors, see them come back for another round for various reasons. Maybe they are actually more successful and they reinfect. And so, that's something to be mindful of. And again, talk to the expert in real time about what the risks of that continuing are.

Ben Di Marco:
Thanks Marcello. Christina, from your side, do you agree with Marcello's comment on the cottage industry of trust that is ransomware?

Christina Terplan:
Yeah, I completely do. I mean, shockingly, I would say the vast majority are trustworthy, and they usually follow through with their promises. If the companies do not believe that they're really going to get the decryption key, or if they're going to pay and the information is still going to be exfiltrated, then why is a company ever going to make a big payment? It's not worth it. And so, you are seeing the threat actors, for the most part, follow through with the promise.

Christina Terplan:
Though I am, like Marcello, also seeing there are some threat actors where they're known for re-extorting. And so, maybe they give the decryption key, but then they say, oh, you don't want us to exfiltrate also? You will pay an extra amount. I'm starting to see that for sure. And on the rare occasion where they just don't follow through with the promise, we can only hypothesize about what happened. Did they lose their license? Did they get arrested? What happened? But the communication channel is shut off.

Marcello Antonucci:
And there's one caveat here, I think. In terms of whether they'll live up to their promises, the assumption that Christina and I are operating under is that this is a transaction, right? And that the ransomware was intended to ask for money. There is the possibility that someone doesn't want money, they just want disruption, and that has happened. The NotPetya event is an example of a time where it wasn't even about money. There was ransomware, but there was no cyber extortion.

Marcello Antonucci:
And so, all these companies were left with, as has been widely and highly publicized, just disruption. And so, it's another reminder that ... And then you mentioned tabletops, and you should plan. Do you want a principled approach? You're not going to pay. Or are you going to take a more practical approach and you would pay, but sometimes you may not be able to pay because of the type of attack. Or there could be a sanctions issue. So you have to still plan for everything.

Ben Di Marco:
Marcello, one of the points that you just mentioned, and NotPetya is a great case study, is that there are situations where you're simply not going to be able to get decryption keys, or where making the ransom payment isn't going to terminate any action. Do you think organizations are aware of the challenges where this happens? And if you were to be in the shoes of an organization having one of these ransomware attacks, and the extortion threat just doesn't turn, that just doesn't end, what are the key things that you'd be focused on, or the key bits of advice that you'd be giving?

Marcello Antonucci:
Yeah. No. I mean, I think business continuity and disaster recovery are the new part of breach response. And so, I do think there has been a lot of education and improvement there, as this ransomware epidemic has picked up over the last three years. And again, that's what I mentioned about why the threat actors have had to move to nastier bits of cyber extortion. I think there's a continuing, evolving area in terms of what you are doing from a disaster recovery and business continuity perspective and migrations to cloud. Making sure that you have off-site and remote backup.

Marcello Antonucci:
I think the key here that we have seen is, even though you say you have it all, have you really tested against a ransomware event? Have you gone to an expert to help you really make sure that all of your plans and the details are going to work out? We have seen folks with the best laid plans be disrupted by how nasty and persistent the threat was, in terms of the ransomware event. And so again, some future-proofing is what I would advocate, very specific to a ransomware event. Not just the traditional, oh, we don't have access to our systems, and a traditional business continuity and disaster recovery impact.

Marcello Antonucci:
And then one last thing I would just say: have plans from a communication and record-keeping perspective. You may not have access to your traditional systems and computers. So work with folks on understanding, how are we going to stand up a shadow world, a shadow system? How are we going to leverage our external vendors? I think those are really key bits of work that folks can do.

Ben Di Marco:
Anything that you add there, Christina?

Christina Terplan:
No. I completely agree. I mean, I feel like a lot of the tabletops or the [inaudible 00:33:35] recovery disaster plans are assuming that a payment will be made and that the decryption key is received within a week. And that you're working off of that. And I would think the prudent plan would also include the real, likely possibility that no payment is made and that you're starting from scratch. And I mean from scratch. Like no one has work email. Their work phones aren't working because they're voice over IP. I mean, it's really interesting to see companies when they're responding to one of these events and everyone has to come up with a Gmail address, or you're creating a whole new ecosystem, even to start working on your disaster recovery plan. So really be conscious that the payment may not be made and you're going to be starting from scratch.

Marcello Antonucci:
Yeah. And I would just highlight, we've had clients who've lost data forever. And sometimes they can manage through that, those legacy and not really needed anyway kind of deals. But you want to make sure that you don't lose what you really need forever. And then you're in a position to recover as quickly, efficiently and as cleanly as possible.

Ben Di Marco:
I'd certainly back those points. And another thing, certainly, that we see from our experience is, there is a confidence people have in their disaster recovery and backup processes that is probably born slightly with good intention but also naively. We had an issue with one of our clients a few weeks ago, where again, they had very good backup processes, things going to tape constantly. But because they didn't have the quality of logs, they couldn't work out when the actual underlying infection was.

Ben Di Marco:
And so, if you don't know when the infection was, you don't know what backup to go to. And in their case, even though they had these amazing disaster recovery processes, they'd done all the tabletops, I mean, practical things like that, they were acting completely outside of what they would have assumed would have been the process. And they had to rebuild from scratch. A good lesson that unfortunately, these things aren't as simple or as clear-cut as we often present them.

Marcello Antonucci:
But you can seek help, right? You can seek help in your planning process, right? The lawyers are involved and the forensics. And maybe you've now involved the ransomware negotiator and facilitator. But the one we would advocate for is a data recovery expert to help you. Make sure that you are future-proofing for the event that you may call on them to help you recover from. And so again, bringing in a different vendor and an objective outside person to really test you is something that we advocate for.

Marcello Antonucci:
Data recovery has been a pretty mature market, very localized. It's becoming even more responsive to this threat. There are folks that focus on ransomware events. And they can help you certainly after the fact, but we advocate for a proactive approach and understanding what type of tools, systems and practices are available to you. And they can help you recover as fast as possible.

Ben Di Marco:
Taking a slightly wider view now. There's obviously a huge amount of focus, both in the US and internationally, on some of the major US cyber incidents; when we're recording this, on your pipeline, it's only about a month old and it's still doing the rounds. Looking at it globally though, Marcello, do you think there's any difference in terms of how ransomware events are playing out in the US, as opposed to what we're seeing in the rest of the world?

Marcello Antonucci:
Yeah. And we have a global book. So we do get to see the full view. Certainly, this problem is very prevalent in the US and has migrated into Canada. And we've already talked about the volume and severity. We are starting to see activity pick up through Europe, Asia and Australia, and so no one is spared. I would say that from an event perspective, there's not a lot of difference. These are the same actors migrating from country to country. There are folks that are specific to certain jurisdictions as far as we can tell.

Marcello Antonucci:
And so, the ransomware strains are very similar. Their tactics are similar. Companies operate in very similar ways and use similar vendors. So it's a lot of the same logistics, which is helpful in some ways to certain markets, where you may be able to learn from what's happened in the US over the last three to five years. One thing I would say is, there are cultural elements that are different in terms of approach and access to vendors, but also in principle.

Marcello Antonucci:
We do see in certain parts of the world, folks saying we are not going to pay. And then some of their regulators have been more forceful in saying that we don't think you should pay. And we do see more data recovery and business interruption loss in those jurisdictions. They are just less likely to pay and more likely to try to figure it out over time. So that would be the one distinction that we see globally.

Ben Di Marco:
I think from our perspective, Marcello, I agree with you that it's the same issues. It's the same actors. And while a couple of years ago people would have said that, if you were in Asia or parts of Europe, ransomware was just a US problem, that's just not reflected in what we see. And certainly, the scale of extortion demands now in our region is getting much closer to the very big figures bandied about in the US.

Ben Di Marco:
But the other thing I'd add too is that, if you want to think about ransomware as a cottage industry, the cottage industry has obviously grown a bit. So there's more actors, there's more players, so there's obviously a need to go to different markets. And one of the things I always find particularly interesting speaking with some of our global colleagues is, they are dealing with the very same ransomware actors in Europe or in different parts of Asia that we're seeing in Australia. So unfortunately, this is most definitely a global problem.

Ben Di Marco:
The next question I've got is focusing specifically around the notion of confidentiality, leaking of ransomware and ransomware events getting into the media. Christina, I'll throw this to you first. Why do we think so many of these ransomware events and attacks are in the media now? And is there anything we think organizations can do to manage the risk of leaking or this information getting out?

Christina Terplan:
I think the media element right now, unfortunately, is a self-fulfilling prophecy, in that now that the media has started covering ransomware more, if they hear about another event, it's more likely to make headline news. And you're also starting to get situations where there's more of an incentive to leak the information, because it's something that's newsworthy. It's a sexy topic at this point. The bigger issue is, why are there those leaks? And where are they coming from? I have no clue where they're coming from. That's like the million-dollar question.

Christina Terplan:
But the reality is that when there are these attacks, everyone within the company oftentimes knows that something is going on. And no one can work. So it's really hard to keep every employee silent about it. And then the vendors probably know that something is going on as well, because they can't get paid and there aren't transactions happening. I mean, payroll isn't happening. So it's really, really difficult to keep all of the employees and touch points silent about a ransomware incident.

Marcello Antonucci:
Yeah. And there are reporters dedicated to cybersecurity who report on what they are hearing, both on the ecosystem and the dark web, that could alley you. So it's very challenging. And again, another plug for an expert in terms of crisis communications. Like, if someone else is stepping up to help folks whose team, the internal team, may not have computers, how do you navigate a multi-dimensional, multi-layered crisis plan, in terms of what's going on, when you're going to be up, what's the issue, data issues?

Marcello Antonucci:
A lot of it is local, some are local communities, they can be regulatory. And as we've seen, you might be speaking to government. And you might be brought before Congress. You really need to be thinking carefully about your communication, when you're in real time and then when you're before various governing bodies.

Ben Di Marco:
One of the things that I'll add, Marcello, is, when we look at a lot of our clients, not just in Australia but globally, it is interesting how undercooked some of those plans are. They might have a good SOT, they might have a good holding statement for what they'll say on day one or day two. But as you've said, if you think about a ransomware that's potentially impacting you for months more, if you think about the fact that it will impact stakeholders, your ability to pay suppliers, most of those other columns, in some cases the most commercially sensitive columns, haven't really been thought of.

Ben Di Marco:
And I do think that one of the reasons why we see so many of these is that the plans organizations are using just aren't well enough developed. And they just aren't robust enough to survive, particularly, the more complex and the more fundamental ransomware attacks.

Marcello Antonucci:
It's a great point, Ben. Who's planning for, are you going to continue to exist as a business? I think it's just a fundamental challenge that folks need to be thinking about.

Ben Di Marco:
I find it particularly interesting, though, that a lot of organizations think a standard business continuity plan is going to work for a cyber event. A cyber event, certainly from our experience, is one of the few that actually impacts every single element of the business. It goes to the very, very core, so far meaning it's so dynamic. And one of the things that we say to the organizations is to actually plug through your general BCP processes for a catastrophic cyber event. They're not going to work particularly well. Hopefully, that's an area where we'll see a little bit more robust investment in the near future.

Ben Di Marco:
So the next question. I was wanting to think about this idea of attackers and ransomware attacks going down to supply chains, which we hear about more in the media. So do we think there are any key risks for organizations where they're clients of some type of service provider that's hit by a ransomware attack? Are we seeing any connection between subsequent ransom attacks being brought against a downstream client, or client and social engineering for its following ransom events? That's quite a long question, Marcello. So I'll throw it to you to unpackage.

Marcello Antonucci:
Yeah. No. We're definitely seeing the supply chain and vendors being targeted and attacked. I think the threshold reason was, not only would they have a reason, just as a business, to want to pay because of the disruption, but then they were disrupting their whole client ecosystem, and the ripple effect of all of that was something that they thought they could leverage, and they were fairly effective in leveraging it.

Marcello Antonucci:
I'd say on your second question, about whether the bad guys are following the data and what they learn for new opportunities, we don't know. But there are signs sometimes that an attack then starts to move into the same vertical or space or set of relationships that seem too coincidental. The only thing I would say there's certainty on is, most ransomware reports on those connections are seeing definite connections of attribution. They also move from vertical to vertical and from size of company to size of company so fast that it's very difficult for us to derive a trend to say, this is what they look to be doing.

Marcello Antonucci:
And one last thing: the whole time we've used "they" or "these entities" and haven't named them, we really don't know them that well. They represent themselves with brands and strains and research, but we really don't know who they are. And it's very difficult to get a lot of information and detail there.

Ben Di Marco:
Your thoughts, Christina?

Christina Terplan:
Yeah. I mean, definitely, like Marcello said, it's almost like it's too soon to tell with respect to the service providers and suppliers, when they're getting attacked, whether or not it's standing out. I mean, it's definitely receiving the shaming that Marcello talked about, where they might contact the supplier's clients and say, we have your data, or we might post it, or there might be a subsequent extortion as a threat against those clients to keep the data from being exfiltrated. But I'm not sure that there's enough information yet to know whether or not the information is being used to propagate subsequent ransomware attacks on those customers. So it's definitely a theory. And I think that's the fear, and it's not sure that it's happened yet.

Marcello Antonucci:
Just one last point. I only see my slice. And Christina only sees her slice. And Ben, you only see your slice. So putting it all together is difficult, even with other vendor partners. And that's why I do think some of the various government initiatives and task forces, work to compile data, is an inventory that is important as a starting place and for a future sort of understanding about what actually is happening.

Ben Di Marco:
I agree completely, Marcello. I think the two that fell out to this point is, the concept of malicious actors going down supply chains is not necessarily a new one. We can go as far back as things like Cloud Hopper, where we know that if there is certainly an IT provider, there's a lot of ease in terms of riding down that supply chain and impacting affected customers. I do agree there's a bit of concern that what we're seeing at the moment is more hype.

Ben Di Marco:
The other thing that I find particularly interesting as well is, we're probably taking the issue slightly narrowly, where really the wider issue is, for these malicious groups, as Marcello mentioned earlier, they want to be paid. What they're looking at is more and more creative ways of getting paid. And one of the ones that stood out in my mind was an incident we had with a client at the start of the year, where in this case, they were able to get very sensitive, personal information for people that sat within the directory and C-suite level. And using that, they undertook a whole bunch of frauds against family members. They tried to set up a bank account. They tried to set up different types of things on trading platforms.

Ben Di Marco:
And one of the things that struck me as we looked at the variants that occurred in that particular event was, anywhere they can get paid, they will likely explore it. And when you start to think about it in those types of terms, supply chain is certainly possible. But I think the identity fraud, and what you can actually leverage off some of those identity fraud impacts, is an area that we're not thinking about enough. And it is an area that we'll probably see more activity in over the next six to 12 months. Any comments or knowledge or any concluding comments, Christina, Marcello?

Christina Terplan:
The bad guys are smart and they're creative. And they want to get paid. And these attacks will continue to morph, because they've been incentivized by the companies that continue to make payments.

Marcello Antonucci:
Yeah. My closing comments are that it's a really serious situation. And now it's getting a lot of attention from various parts of the cyber security and cyber risk and government communities, which hopefully will help create some solutions. And I just always remind folks that there is help. These companies are victims, they should be supported by the various experts. And there are help solutions for folks that go through this.

Kacy:
That's a great point, Marcello. And it's why we're here today, right? To help bring your expertise to our listeners. So Christina, Marcello, Ben, thank you so much for joining us today. Listeners, I'm sure that you much preferred and enjoyed Ben's amazing Australian accent over mine. So thank you, Ben, for being our guest moderator of the conversation today.

Kacy:
Thank you, listeners, for joining in. Please keep the conversation going on your social channels using #rsac. And be sure to visit rsaconference.com for new content posted year-round. Also subscribe to the RSAC podcast on SoundCloud or your preferred podcast app. And stay tuned for our next podcast. Interested in being a guest on our podcast? Visit rsaconference.com/becomeacontributor to learn more. Thank you all so much.


Participants
Marcello Antonucci

Global Cyber & Tech Claims Team Leader, Beazley

Benjamin Di Marco

Cyber Specialist, Willis Towers Watson

Christina Terplan

Founding Partner and President, Atheria Law
