Ransomware as a business model

How it works and how to respond

Johannes Dohren
Partner, Cybersecurity and Privacy, PwC Switzerland

Even if individual steps differ in detail, the course of a ransomware follows a similar logic. It can be illustrated by being divided into four phases – preparation, attack, spread and infection. In our blog series, we show these phases based on an example scenario from the perspective of a ransomware operator, and show which security measures are truly effective. Finally, we touch on the legal aspects of ransomware payments.

Ransomware attacks continued to be the biggest threat to corporate cybersecurity in 2021 – across all regions and industries. The number of reported ransomware attacks, in which criminals attempt to extort companies, increased from 1,300 in 2020 to 2,435 in 2021.

Source: PwC, 2022, Cyber Threats 2021: A Year in Retrospect
The New Equation

Cybersecurity and Privacy

At PwC, we help clients evaluate their ability to deal with the main cyber risks and threats of the digital world in an easy and understandable way.

Learn more


Phase 4: the infection

In this phase, the hacker collects all the data which may be relevant. This includes documents, database extracts as well as access and contact details. Customer details are also of interest here. They can be used or resold for future attack campaigns, and thus enable the next phase in the criminal ransomware value chain. Data exfiltration usually takes several days. File systems and databases are searched automatically and the results downloaded directly, although access often needs to be re-established manually. Our attacker cannot accomplish all this him/herself, and so depends on other cybercriminals who specialise in this phase.

Once the data has been exfiltrated, the hacker activates the actual malware and encrypts the data. The encryption directly puts the attacked organisation under pressure, and at the same time is proof that the attack has been carried out successfully. With this, the work in Phase 4 is done. The hacker may pass relevant information onto another cybercriminal who takes over the communication with the “new client”, and after a good start to the week the hacker may move onto the next organisation on his/her list of targets.

Cyber incident response and recovery

We have a broad range of flexible solutions, including entire packages, to help you plan and prepare for cybersecurity incidents.

Find out more


What can you do?

If the cybercriminals have gotten this far, you can no longer prevent the attack. However, you can still contain it, as well as limit the damage and in particular the amount of work which needs to be done afterwards. This is not just sensible from an economic point of view; it is also urgently necessary to react quickly to restore trust in the company’s IT systems.

Monitoring, Incident Detection & Response (IDR)

  • Monitor the critical assets in your network at the highest possible level. If, for example, you detect a large number of read-only accesses to datasets in a very short period of time, multiple database dumps are created in succession from the same account and outgoing traffic has seen a dramatic upsurge, you should trigger the alarm. A lot of promises in this respect are made by manufacturers of security solutions under the heading of “anomaly recognition”, though these skills also need to be regularly tested in practice.
  • As soon as you notice an attack, the IDR processes that have been established should be implemented. Ensure that the isolation and containment measures are implemented quickly to involve the relevant stakeholders, and if necessary to report to the responsible regional data protection authority. This has no direct relevance to preventing attacks, but should still be done within the statutory period to prevent any claims for compensation from being made.
  • These processes and the clear understanding of the roles of the participants must form part of your Information Security Management System (ISMS) or Cyber Security Management System (CSMS), and must be practised on a regular basis. It makes sense for companies in particular to combine this with red teaming, meaning independent security teams which simulate attacks.

Backup & Restore

  • The more competent you are at backing up and restoring data, the shorter your downtimes are and the losses through ransomware as a result. Depending on which risk management system you use, you have already defined the restore points beforehand, stored the backups outside your network and also practised restoring data in case of emergency.

#social#

Building trust to succeed

At PwC, we are a community of solvers – powered by technology – committed to helping you protect everyone, and everything, you care about.

Explore our offering

Contact us

Johannes Dohren

Johannes Dohren

Partner, Cybersecurity and Privacy, PwC Switzerland

Tel: +41 58 792 22 20