The number of ransomware cases investigated by Kroll quadrupled over the last seven months of 2019. In fact, ransomware surpassed business email compromises as the threat type most commonly reported to Kroll during the month of September and maintained this dubious monthly distinction throughout the end of the year.
“In Kroll’s investigative experience, and according to open- and closed-source intelligence, ransomware actors were traditionally more interested in collecting ransoms than in collecting sensitive data. That all changed in November 2019,” said Ben Demonte, North America Leader of Kroll’s Cyber Risk practice, who has spoken on the issue at recent industry events.
The group behind Maze ransomware publicly exposed a victim company’s data in November 2019 after the company failed to pay the ransom. In mid-December, the same group created a public website naming what it claims to be additional victim companies and threatening to expose their data if ransom demands were not met (Figure 1). Since then, the group has made headlines multiple times with successful attacks and have honed their extortion scheme.
Threat actors behind other common ransomware variants are following the same path. In mid-December, an actor known as REvil (aka Sodinokibi) ransomware claimed their attacks will be "accompanied by a copy of commercial information.” According to the post, if payment demands are not met, the data will be exposed. At this point in their post, they added the term “GDPR,” possibly playing on organizations’ fears that such exposure could incur GDPR fines.
Bumpier Ride Ahead
Experts have previously offered best practices for ransomware mitigation and recovery. “Multifactor authentication, least privilege policies, vetting and securing all remote access applications (including connections with managed service providers and other third parties), creating and protecting backups, and reinforcing a cyber security culture throughout the enterprise should be at the top of every organization’s security list,” added Ben.
Organizations must be able to simultaneously grapple with regulatory requirements related to data breach notifications. According to Ben, “I don’t think there’s a worse time than in the midst of a ransomware attack to have to assess whether—or how many—aspects of the organization’s network have been compromised. Aside from simply not having access to systems, recovery efforts can often obscure or obliterate vital forensic evidence. One ransomware event can ultimately lead to considerable regulatory obligations.”
Best Practices for Data Exposure
Now that ransomware attacks bring the simultaneous prospect of a data breach, organizations must understand that today’s stricter, and often, multijurisdictional data privacy laws will also start the clock ticking for potential notification. In addition to recovery activities, initial response efforts will likely need to include forensics and eDiscovery to ascertain the type and scope of data affected.
According to Michael Quinn, the value of incident response planning cannot be overemphasized in these situations. “Once you realize your data or network has been compromised, there is no time to spare. If you have taken time to create, and regularly test, an incident response plan, your team will be better able to react quickly and confidently. Staff will know the experts and other resources to call in, as well as when and how to escalate response to the next level if needed,”
“Leaders may also want to consider incident response retainers, which can remove some uncertainty out of the equation. These proactive steps and planning pay additional dividends as part of a defensible cyber security strategy when communicating with regulators and other stakeholders if notification becomes necessary,” he added.
According to Brian Lapidus, global leader of Kroll’s Identity Theft and Breach Notification practice, most inhouse teams will need the help of experts in diverse disciplines for their notification efforts to be effective and compliant. “First, it’s imperative to determine the exact scope of a breach incident,” said Brian. “We have seen where original estimates of affected individuals have been substantially higher, and in some cases lower, after the forensics reports come in. Experts in data scrubbing and deduplicating can further refine the scope of notification.”
Brian continued, “The characteristics of the data—is the data generally identifying, protected health information or credit-related?—will also affect notification, as will the jurisdictions where affected individuals reside. With many data privacy laws compressing the timeframe for notification, being able to rely on experts who can expedite overall decision-making and the operational essentials of notification can bring enormous peace of mind.”
Kroll, a division of Duff & Phelps, is the leading global provider of risk solutions. For more than 45 years, Kroll has helped clients make confident risk management decisions about people, assets, operations and security through a wide range of investigations, cyber security, due diligence and compliance, physical and operational security, and data and information management services.
Kroll was founded in 1972 by Jules B. Kroll as a consultant to corporate purchasing departments. The company focused on helping clients improve operations by uncovering kickbacks, fraud, and other forms of corruption.
In the 1980s, Kroll became known as “Wall Street’s private eye” as a result of its high-profile investigative due diligence work in the financial sector. The company later gained worldwide renown for its success in searching for assets hidden by Jean-Claude Duvalier, Ferdinand and Imelda Marcos, and Saddam Hussein.
In December 1997, Kroll merged with armored car manufacturer O’Gara-Hess & Eisenhardt and became The Kroll-O’Gara Company, a public company listed on NASDAQ.
In the late 1990s and early-mid 2000s, the company embarked on a series of acquisitions that expanded its areas of expertise and suite of services. During this time, the company also sold the O’Gara businesses. Following this sale in August 2001, the company’s legal name was changed to Kroll Inc., and its ticker symbol became “KROL”. In July 2004, Kroll was acquired by professional services firm Marsh & McLennan Companies, Inc.
In 2018, Duff & Phelps acquired Kroll from Corporate Risk Holding. Kroll is now a division of Duff & Phelps and remains the leading global provider of risk solutions.