Shields Up: How to Minimize Ransomware Exposure

The ransomware attack on UnitedHealth subsidiary Change Healthcare has remained top of mind since its disclosure in February 2024. This incident highlights the attractiveness of data-rich healthcare firms to hackers and the increasing sophistication of cybercriminals. However, the Change Healthcare attack is merely the tip of the iceberg, with numerous ransomware attacks going underreported in the media.

Ransomware has emerged as a highly profitable enterprise, evidenced by Change Healthcare’s payment of a $22 million ransom in bitcoin. In 2023 alone, payments made by ransomware attack victims doubled compared to the previous year, surpassing $1 billion, as reported by blockchain analysis firm Chainalysis.

A ransomware attack can swiftly cripple an organization, rendering it unable to access critical data and conduct business. Moreover, threat actors have evolved from merely infecting systems with ransomware to employing multi-faceted extortion tactics, which may include publicly naming and shaming victims, exfiltrating data, and threatening to disclose or sell it (e.g., Omni Hotels & Resorts, Nexperia, EquiLend).

While organizations may attempt to mitigate their exposure to such extortion schemes through cybersecurity insurance policies, this approach may no longer be as effective. Insurers like Lloyd's are increasingly imposing restrictions on payouts, including the exclusion of losses related to state-backed cyber attackers. Consequently, fewer companies can rely on cybersecurity insurance to mitigate catastrophic risks. Instead, businesses must bolster their ransomware preparedness, with cyber resilience playing a pivotal role in enhancing their ability to prepare for and swiftly recover from ransomware attacks.

Mitigating Ransomware Exposure

Unfortunately, organizations often prioritize prevention tools without adequately preparing for the worst-case scenario: falling victim to a ransomware attack. To mitigate the risk of such attacks, organizations should consider the following steps:

  • Strategic Readiness: This encompasses cyber risk assessment, tabletop exercises, security awareness training, and secure data backups, alongside penetration testing.
  • Prevention: Implementing security measures such as patch management, application whitelisting, spam filters, least privilege, and deploying anti-malware and endpoint security software.
  • Incident Response: Investing in services and forensic tools to facilitate:
    • Investigation of the ransomware attack to determine its cause and secure evidence for litigation preparedness.
    • Remediation efforts to harden the environment, prevent further spread of the ransomware, and remove attacker access.
    • Eradication endeavors aimed at eliminating the attacker from the environment, including disabling accounts, resetting passwords, establishing multi-factor authentication, and ultimately eliminating the ransomware.
    • Recovery efforts focused on securely restoring business operations without risking reinfection of the infrastructure.

Ultimately, organizations need to look beyond preventive measures when it comes to dealing with today’s ransomware threats and invest in ransomware response, which improves their ability to prepare for and quickly recover from ransomware attacks.