Ransomware Unveiled: The Business Impact and Prevention Strategies
In the ever-evolving digital landscape, advances in cybersecurity run in parallel with advances in cyberattacks. Among these varied threats, ransomware and its potentially devastating impact remain a prominent concern, as it has become clear that no organization is safe.
It’s important to remember that even companies deemed highly secure aren’t unbreachable. Take Caesars Entertainment and MGM Resorts, for instance: these two high-profile gaming and entertainment companies recently fell victim to ransomware attacks, resulting in significant media coverage and substantial damage to their reputations.
The successful attacks on these two prominent corporations serve as a stark reminder of the constant threat we all face in today’s interconnected world. This article will walk through how these attacks unfolded before offering insights into what we can learn from them, as well as essential preventive measures to safeguard your business.
What is Ransomware and How Does it Work?
First, an explanation of the attack itself: ransomware is malware designed to encrypt a victim's files, databases, and even entire computer systems so as to render them inaccessible. The attackers hold the victim's systems or critical data hostage until a ransom is paid; sometimes they work so swiftly that the organization has no time to react.
Ransomware attacks typically involve these key steps:
- Breach: Attackers gain an initial foothold in your network, most often through phishing or spear phishing aimed at your organization or at its highly privileged users. Social engineering remains the most common initial access vector, whether or not ransomware is the end goal.
- Encryption: Once the attacker has the privileges needed to run and deploy their malware, data across the company's network can be encrypted within hours, leaving employees without access while the decryption key stays with the attacker. Cybercriminals also frequently exfiltrate sensitive data before encrypting it, which amplifies the damage: even a victim that can restore from backups can still be extorted with the threat of a leak.
- Ransom Demands: The attackers then leave instructions, as a dropped file or an on-screen notification, describing how to "recover" the encrypted data. During negotiations they typically leverage the threat of leaking the stolen data and request payment, often in the multimillions, in a cryptocurrency such as Bitcoin to reduce the likelihood of being traced.
- Post-Payment: Even if a victim pays, there is no guarantee the attacker will hand over a working decryption key; because attackers are unpredictable, paying can leave the victim with both a massive financial loss and unrecoverable data. The attacker may also have established persistence in the organization's network, giving them the opportunity to launch further attacks.
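The encryption step above has a recognizable signature in file-activity telemetry: one process replacing many files with high-entropy copies under a new extension inside a short window, often followed by a dropped ransom note. The Python below is an added example of that detection logic; it is not code from the original article or from Schellman. The log format, field names, entropy threshold, swap threshold and every sample line are constructed assumptions for this example rather than any real product's schema or any real incident's data.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample of file-activity telemetry for this example (not a real product's
# schema and not from any real incident). Assumed fields: ISO-8601 time, host, pid,
# process name, op, path, and the Shannon entropy of the written bytes in bits/byte,
# which an EDR or file-server agent would compute. Ciphertext sits near 8.0.
SAMPLE_LOG = """\
2023-09-11T02:14:00Z host=FS01 pid=9001 proc=backup.exe op=WRITE path=D:\\Backups\\nightly.zip entropy=7.99
2023-09-11T02:14:01Z host=FS01 pid=4412 proc=updater.exe op=WRITE path=C:\\Shares\\Finance\\Q3.xlsx.lckd entropy=7.97
2023-09-11T02:14:01Z host=FS01 pid=4412 proc=updater.exe op=DELETE path=C:\\Shares\\Finance\\Q3.xlsx entropy=0.00
2023-09-11T02:14:02Z host=FS01 pid=4412 proc=updater.exe op=WRITE path=C:\\Shares\\Finance\\payroll.docx.lckd entropy=7.95
2023-09-11T02:14:02Z host=FS01 pid=4412 proc=updater.exe op=DELETE path=C:\\Shares\\Finance\\payroll.docx entropy=0.00
2023-09-11T02:14:03Z host=FS01 pid=4412 proc=updater.exe op=WRITE path=C:\\Shares\\HR\\contracts.pdf.lckd entropy=7.98
2023-09-11T02:14:03Z host=FS01 pid=4412 proc=updater.exe op=DELETE path=C:\\Shares\\HR\\contracts.pdf entropy=0.00
2023-09-11T02:14:04Z host=FS01 pid=4412 proc=updater.exe op=WRITE path=C:\\Shares\\HR\\README_TO_RESTORE.txt entropy=4.61
2023-09-11T02:14:30Z host=FS01 pid=7310 proc=WINWORD.EXE op=WRITE path=C:\\Users\\alice\\Documents\\memo.docx entropy=7.61
2023-09-11T02:14:31Z host=FS01 pid=7310 proc=WINWORD.EXE op=DELETE path=C:\\Users\\alice\\Documents\\~WRL0001.tmp entropy=0.00
"""

HIGH_ENTROPY = 7.5  # bits/byte; assumed threshold, above most documents, below ciphertext
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\w+) path=(?P<path>.+?) entropy=(?P<entropy>[\d.]+)$"
)
# Ransom notes are usually plain text/HTML with a "how to recover" style name.
NOTE_RE = re.compile(
    r"^(readme|read_me|how_to|decrypt|restore|recover)[^\\/]*\.(txt|html|hta)$", re.I
)


def parse_line(line):
    """Parse one telemetry line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["pid"] = int(ev["pid"])
    ev["entropy"] = float(ev["entropy"])
    return ev


def _filename(path):
    return re.split(r"[\\/]", path)[-1]


def detect(log_text, window_seconds=60, min_swaps=3):
    """Flag processes that replace many files with high-entropy copies in a short window.

    A "swap" is a high-entropy WRITE of <original>.<new_ext> by a process that also
    DELETEd <original>: the signature of encrypt-then-remove. min_swaps is set low for
    the sample; tune it to your own baseline of legitimate bulk writers.
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])  # stable sort keeps log order within a second
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)

    alerts = []
    window = timedelta(seconds=window_seconds)
    for pid, evs in by_pid.items():
        deleted = {e["path"].lower() for e in evs if e["op"] == "DELETE"}
        swaps, note = [], None
        for e in evs:
            if e["op"] != "WRITE":
                continue
            if NOTE_RE.match(_filename(e["path"])):
                note = e["path"]
            original = e["path"].rsplit(".", 1)[0].lower()
            if e["entropy"] >= HIGH_ENTROPY and original in deleted:
                swaps.append(e["ts"])
        # Sliding window: most swaps inside any span of window_seconds.
        best, start = 0, 0
        for end in range(len(swaps)):
            while swaps[end] - swaps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if swaps and (best >= min_swaps or note):
            alerts.append({
                "host": evs[0]["host"], "pid": pid, "proc": evs[0]["proc"],
                "swaps_in_window": best, "ransom_note": note,
                "severity": "critical" if note else "high",
                "first_seen": swaps[0].isoformat(), "last_seen": swaps[-1].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_LOG), indent=2))
```

Entropy alone is a poor signal, since archives, compressed office formats and legitimately encrypted files all score near 8.0; the sample's backup.exe and WINWORD.EXE writes are there to show that. Requiring the delete-the-original pattern, counting it per process inside a time window, and weighting a dropped note is what separates the encryption step from ordinary bulk writers, and the thresholds still need tuning against your own baseline before the rule pages anyone.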
Understanding the Recent, Ongoing Ransomware Attacks
Unfortunately, ransomware has become a concern for businesses worldwide, and MGM and Caesars are only the most recent high-profile victims.
In a filing with the Securities and Exchange Commission, Caesars Entertainment acknowledged it had suffered a “cybersecurity issue” on September 7, 2023. According to other reports, Caesars paid roughly $15 million to the hackers, who had obtained a copy of Caesars’ loyalty program database, including the driver's license numbers and/or Social Security numbers of a significant portion of its rewards members, among other data.
Meanwhile, according to a statement published by ALPHV (the group claiming the attack, so its account should be read as the attackers' own), MGM shut down computers and Okta Sync servers inside its network after the attackers called the MGM IT helpdesk, impersonated an employee, and obtained credentials in a successful vishing (voice phishing) attack. By the time MGM discovered the attackers’ presence, they had already gained Global Administrator privileges in MGM’s Azure tenant and Okta environment, and by September 11 upwards of 100 ESXi hypervisors had been encrypted. It remains unknown whether the exfiltrated data contains PII, as MGM is refusing to communicate with the adversaries.
The Impact of a Ransomware Attack on Your Business
These companies, and others, have taken different approaches to negotiating with attackers, but none has avoided negative fallout that goes well beyond the unexpected ransom sum itself. Falling victim to ransomware will also mean:
- Extensive Financial Losses: Yes, ransomware attacks often demand large sums of money in exchange for decryption keys—while that would be a significant financial loss, costs may skyrocket further still due to recovery efforts and legal fees (even if you don’t pay the ransom!).
- Operational Disruption: Ransomware can paralyze business operations which can lead to downtime, lost productivity, and missed opportunities, ultimately affecting your bottom line.
- Data Loss: In some cases, ransomware attackers threaten to leak sensitive information—or even outright destroy it—and losing valuable data can affect your reputation, regulatory compliance, and customer trust.
- Reputation Damage: Leaked data or not, a publicized ransomware attack can tarnish your brand, as customers may lose confidence in your ability to protect their data, potentially leading to long-term damage.
- Resource Drain: Dealing with a ransomware attack requires significant resources, from IT experts to legal counsel, which would mean diverting them from growth initiatives, potentially hindering your business's overall development. What’s more, you may also need to invest in stronger cybersecurity measures after an attack to prevent future incidents.
How to Protect Your Organization from Ransomware
All this makes avoiding ransomware attacks a necessity, but actually preventing them demands not just vigilance but a multi-faceted, proactive approach.
The practical measures below are cornerstones of resilience against ransomware and other cybersecurity threats:
| Recommended Cybersecurity Practice | Details |
|---|---|
| Regular Data Backups | Routinely back up all critical data and ensure that backups are stored securely, offline or in the cloud with robust access controls, and verify that they can actually be restored. |
| Strong Passwords and MFA | Implement and enforce strong, unique passwords and multi-factor authentication (MFA) wherever possible. |
| Security Audits and Penetration Testing | Regularly assess your cybersecurity posture through security audits and penetration testing to identify vulnerabilities. |
| Employee Training | Continuously educate your employees about the latest threats and how to recognize and report potential security risks. |
| Incident Response Planning | Develop and regularly update an incident response plan, ensuring everyone in your organization knows their role in case of an attack. |
| Regular Updates and Patch Management | Stay current with software updates and security patches to close known vulnerabilities. |
| Vendor Risk Management | Evaluate the security practices of third-party vendors that have access to your systems or data. |
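Backups only count as a control if you can prove, before the incident, that what is stored is what you will restore, and ransomware operators who reach the backup share will encrypt or delete those copies too. The Python below is an added example for the backup row of the table above; it is not code from the original article or from Schellman. It hashes a backup set into a manifest, signs the manifest with an HMAC key that is assumed to live somewhere the backup host cannot reach (a vault or an offline token), and on restore reports which files are unchanged, modified, missing or unexpected. The demo key, the file tree and the simulated tampering are all constructed for this example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

# Assumption: in production this key lives off the backup store (secrets vault, HSM or
# offline token), so an attacker who can rewrite the share cannot re-sign a manifest.
# It is a constructed demo value here only so the example runs stand-alone.
MANIFEST_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large backup objects never load fully in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root, key=MANIFEST_KEY):
    """Hash every file under root and sign the listing so it cannot be silently rewritten."""
    root = Path(root)
    entries = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "hmac": hmac.new(key, body, "sha256").hexdigest()}


def verify_restore(root, manifest, key=MANIFEST_KEY):
    """Compare a restored (or still-stored) tree against its signed manifest."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected = hmac.new(key, body, "sha256").hexdigest()
    report = {"manifest_trusted": False, "ok": [], "modified": [], "missing": [], "unexpected": []}
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return report  # forged or re-hashed manifest: fail closed, trust nothing below
    report["manifest_trusted"] = True
    root = Path(root)
    present = {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}
    for rel, digest in manifest["entries"].items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) == digest:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    report["unexpected"] = sorted(set(present) - set(manifest["entries"]))
    return report


def demo():
    """Build a small constructed backup set, verify it, then simulate ransomware on the share."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "q3.xlsx").write_bytes(b"quarterly numbers " * 100)
        (root / "hr.db").write_bytes(b"employee table " * 100)
        (root / "notes.txt").write_bytes(b"keep")
        manifest = build_manifest(root)
        results["clean"] = verify_restore(root, manifest)

        # Simulated ransomware activity: one file overwritten in place with random bytes,
        # one renamed to a new extension, and a note dropped. No real encryption is used.
        (root / "hr.db").write_bytes(os.urandom(256))
        (root / "finance" / "q3.xlsx").rename(root / "finance" / "q3.xlsx.lckd")
        (root / "README_RESTORE.txt").write_bytes(b"pay us")
        results["after_attack"] = verify_restore(root, manifest)

        # An attacker with write access re-hashes the tampered tree but lacks the key,
        # so the old tag no longer matches and verification fails closed.
        forged = {"entries": build_manifest(root)["entries"], "hmac": manifest["hmac"]}
        results["forged_manifest"] = verify_restore(root, forged)
    return results


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC is the part people skip: an unsigned manifest sitting next to the backups can be regenerated by the same actor who encrypted the data, and the check then reports a clean restore. Hash verification also only proves the bytes match; a backup program worth the name still rehearses a full restore into an isolated environment and measures it against the recovery time the business actually needs.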
Is Schellman’s Ransomware Assessment Right for You?
Because ransomware has become, and continues to grow, more pervasive as an attack, it may also be prudent to have a specific ransomware assessment conducted, a service Schellman offers.
Our Ransomware Assessment isn’t a “one-size-fits-all” ransomware simulation. During our scoping call with you, we build an attack plan that fits the threats applicable to your organization, which includes onboarding our team as an IT employee to perform an assumed-breach scenario, during which we would:
- Assess your current security posture by gathering intel and conducting an analysis of your organization’s:
- Existing security protocols;
- Perimeter security configurations;
- Endpoint protection; and
- Privileges a regular IT employee would possess.
- Simulate various ransomware-like attacks as an internal employee to evaluate your organization’s ability to detect, respond, and recover from such incidents.
Such an assessment could serve as a proactive measure to ensure your organization is well-prepared to both neutralize potential ransomware and other threats as well as minimize any potential damage.
Unsure of Where to Start? Taking the First Step with Schellman
Regardless of whether you choose to take this step with us, the recent attacks on MGM and Caesars are just the latest proof that ransomware continues to be a potentially devastating threat. Every organization must take the steps they can to enhance their cybersecurity posture, and one way you can get started is to consult our CSET Ransomware Guide.
But if you are interested in leveraging our experience and cybersecurity expertise, contact us today to start the conversation regarding how best to achieve your specific security goals.
About Tim Moriarty
Tim Moriarty is a Penetration Tester with Schellman and is based out of San Diego, CA, where he performs several offensive security assessments including internal/external network testing, social engineering, and web application tests. Prior to joining Schellman in October of 2022, Tim worked on a software development team as a Systems Analyst II where he specialized in quality assurance and software testing.