Sydney hospital loses $2 million in alleged BEC fraud
A Sydney hospital lost $2M in a BEC scam. Learn how to protect your business with MFA, email authentication, and robust financial controls.
Holding someone to ransom is an age-old extortion tactic, and your mind can immediately go to movie plots in which a nefarious villain is holding someone captive, only to be released once the ransom is paid. Today, ransomware attacks are an increasingly prevalent cyber threat. In fact, a recent Australian Signals Directorate report called them the “most destructive cybercrime threat” this financial year.
While the purpose hasn’t changed over the centuries, the tactics certainly have. And, unfortunately, we’re all targets.
Here’s what finance leaders need to know.
Ransomware is malware – malicious software – that gets into your systems and encrypts (or otherwise locks) your files, assets and data so you can no longer use them. The criminals then demand a ransom, usually in exchange for the decryption key. This is a ransomware attack.
Increasingly, criminals also steal data before encrypting it and demand a further payment not to leak or sell confidential information and intellectual property, which is called a “double extortion” ransomware attack. Publication of stolen data is especially damaging in sectors such as healthcare or law, where the exposure harms both the organisation and the individuals whose records it holds.
Ransoms are usually demanded in cryptocurrency, paid on the criminals’ promise that the decryption key will be handed over and stolen data destroyed. Neither promise can be enforced or verified.
The motives behind ransomware attacks vary, though most are financial. Some groups aim to destabilise critical organisations or sectors, and some state-backed groups run ransomware for extra income alongside espionage.
As for how it happens, most ransomware attacks begin with human error, often through phishing or other social engineering. Opening a malicious or unexpected attachment, clicking a suspicious link on social media (malvertising – malicious advertising – is increasingly common) or visiting a compromised website can be enough to let the malware in.
It can also happen through weaknesses in systems: unpatched vulnerabilities in internet-facing software, or stolen credentials for remote access such as VPN or remote desktop. That is why it is important to keep software and systems up to date, protect remote access with multi-factor authentication and run current security software. A further source, unfortunately, is an insider deliberately loading ransomware onto your systems. Nobody wants to imagine a threat from within, but it is smart to be aware of the possibility.
The impact can be significant and costly, both literally and in terms of brand reputation. The ransomware will lock your important files, assets and data, meaning you are unable to access them.
For the vast majority of businesses, this stops day-to-day activity immediately; the reported average downtime after a ransomware attack is around 24 days. That would be challenging for any business, and for services such as health or transport the consequences can be devastating. Suppliers can also be affected, with linked systems and stolen details used against their operations, too.
Aside from halting business operations, your business then faces the financial risk of paying the ransom without any guarantee of getting files and data back, as well as the impact of your data – potentially including your customer records and files – being released onto the dark web. This, of course, can cause serious reputational damage, as we’ve seen with the Optus and Medibank data breaches, for example. In addition, there are legal implications, as well as staff morale and HR concerns to address.
Behind ransomware attacks are organised gangs, although ‘gangs’ probably conjures up the wrong mental image. Cybercrime is a slick, highly skilled, organised and professional business, and a number of groups around the world, many in Eastern Europe, make significant amounts of money extorting organisations online. Today, many of these groups offer ‘ransomware as a service’, running affiliate schemes in which the developers take a commission on ransoms collected by others who carry out attacks using their tooling.
LockBit, BlackCat and Clop were three of the most active ransomware operations in the first six months of 2023.
Ransomware attacks are incredibly common. A 2023 survey found that 56% of Australian businesses had fallen victim to a ransomware attack, and incidence has risen steadily over the years. Globally, nearly half a billion ransomware attacks were detected in 2022.
In 2023, the average ransom was US$1.54m – a figure that’s almost doubled since 2022. In 2021, an insurance company reportedly made a payout of US$40m – the largest recorded to date.
In February 2023, global fruit and vegetable producer Dole fell victim to a ransomware attack, resulting in a shutdown of its systems throughout North America.
Product shortages followed, and company data, including some employee information, was stolen. Dole acted swiftly to minimise the impact, but still reported US$10.5 million in direct costs and endured reputational damage. In Australia, the Medibank cyber incident had devastating consequences, with serious financial, reputational, legal and operational costs for the insurer.
Typical signs: you cannot open files or log in to devices; files have been renamed, moved or given an unfamiliar extension; a ransom note appears as a pop-up or as a text file dropped in every affected folder; or you receive an email from a group claiming to have infiltrated your systems and stolen your data. A sudden burst of files being rewritten with encrypted-looking content is often the earliest visible indicator.
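The signs listed above can be turned into a simple detection check. The following is an added example written for this article, not code from the original page or from any product it mentions: it scans a constructed set of file-write events for files rewritten with an unexpected extension, content that looks encrypted (near-maximal byte entropy), a ransom note dropped alongside them, and a burst of such writes in a short window. The extension allowlist, note-name markers, thresholds, folder names and sample content are all constructed assumptions.

```python
"""Ransomware indicator scan over constructed file-write events.

Added example, not code from the original article. The extension allowlist,
note-name markers, thresholds and sample files are constructed assumptions.
"""
import hashlib
import math
from bisect import bisect_right
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PurePosixPath

EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".txt", ".csv", ".jpg", ".png"}
RANSOM_NOTE_MARKERS = ("readme", "how_to", "decrypt", "restore", "recover")
ENTROPY_THRESHOLD = 7.5   # bits per byte; ordinary documents sit well below this


@dataclass
class FileEvent:
    path: str
    modified: datetime
    content: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniformly random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify(event: FileEvent) -> list:
    """Return the indicator names that fire for a single file event."""
    p = PurePosixPath(event.path)
    reasons = []
    if any(marker in p.name.lower() for marker in RANSOM_NOTE_MARKERS):
        reasons.append("ransom-note-name")
    if p.suffix and p.suffix.lower() not in EXPECTED_EXTENSIONS:
        reasons.append("unexpected-extension:" + p.suffix.lower())
    if shannon_entropy(event.content) > ENTROPY_THRESHOLD:
        reasons.append("high-entropy")
    return reasons


def scan(events, window=timedelta(minutes=5), burst_threshold=5) -> dict:
    """Flag individual files and detect a burst of encrypted-looking writes."""
    results = [(e, classify(e)) for e in events]
    flagged = [(e.path, r) for e, r in results if r]
    enc_times = sorted(e.modified for e, r in results if "high-entropy" in r)
    # Sliding window: count high-entropy writes in [t, t + window] for each start t.
    burst = any(bisect_right(enc_times, t + window) - i >= burst_threshold
                for i, t in enumerate(enc_times))
    note = any("ransom-note-name" in r for _, r in flagged)
    return {"flagged": flagged, "burst": burst, "ransom_note_seen": note,
            "alert": burst or note}


def _pseudo_ciphertext(seed: str, n: int = 4096) -> bytes:
    """Deterministic stand-in for encrypted output (SHA-256 chain; constructed)."""
    out, block = bytearray(), seed.encode()
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


T0 = datetime(2024, 3, 1, 9, 0, 0)
PLAIN = b"Quarterly report for the finance team. Totals reconciled.\n" * 60
ORIGINALS = ["budget.xlsx", "minutes.docx", "invoice-1043.pdf",
             "payroll.csv", "contracts.pdf", "forecast.xlsx"]
SAMPLE_EVENTS = (
    # Normal edits earlier in the morning (constructed).
    [FileEvent(f"finance/{name}", T0 + timedelta(minutes=10 * i), PLAIN)
     for i, name in enumerate(ORIGINALS)]
    # An hour later, every original rewritten as .locked within 75 seconds.
    + [FileEvent(f"finance/{name}.locked",
                 T0 + timedelta(hours=1, seconds=15 * i), _pseudo_ciphertext(name))
       for i, name in enumerate(ORIGINALS)]
    # Ransom note dropped in the same folder.
    + [FileEvent("finance/HOW_TO_RECOVER_FILES.txt", T0 + timedelta(hours=1, minutes=2),
                 b"Your files are encrypted. Pay to recover them.\n")]
)

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for path, reasons in result["flagged"]:
        print(f"{path}: {', '.join(reasons)}")
    print("burst:", result["burst"], "| note:", result["ransom_note_seen"],
          "| ALERT" if result["alert"] else "| ok")
```

The entropy test on its own is noisy (compressed archives and images are also high-entropy), which is why the burst rule and the ransom-note rule carry the alert; a single odd file is noted but does not page anyone. In production the same logic would run over file-server audit logs or EDR telemetry rather than a constructed list.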
First and foremost, the best way to protect your business from a ransomware attack is to not fall victim in the first place. Given that ransomware usually relies on human error – someone opening a suspicious attachment, clicking on a social media or emailed link, or visiting unsafe or suspicious websites – regular training on how your teams can help prevent cyber attacks is essential.
It’s also smart to back up all files regularly and to keep at least one copy offline or immutable. Ransomware encrypts any backup drive or network share it can reach, so an always-connected portable hard drive or on-premises backup server is not enough on its own. Test restores periodically: a backup that has never been restored is an assumption, not a control. While it’s best to prevent an attack, tested backups mean your business can get back up and running far more quickly than it otherwise would.
The official advice from the Australian Cyber Security Centre is never to pay a ransom, and Australia is one of around 40 countries that have signed a US-led pledge never to pay ransoms to cybercriminals.
In practice, many victims still pay, and quickly: of the Australian businesses surveyed that paid a ransom, 75% did so within 48 hours. Some research suggests that the major ransomware groups often do honour their promise to delete stolen data once paid, but a victim has no way to verify deletion, and paying does not undo the breach.
Some experts are reportedly in favour of negotiating because of the benefit to the victim (lower demands and more time to recover); however, paying raises a moral dilemma, since it validates and funds the criminal’s activity.
In addition to the obvious financial impact of falling victim to a ransomware attack, it’s vitally important that financial professionals are constantly on guard against potential cyber threats.
Invoices attached to, or linked within, emails should be scrutinised before opening, and payment details on invoices must be verified before payment is made: compare them with the vendor master record, and confirm any change by phoning a number already on file, never one printed on the invoice or given in the email. Payment redirection scams, or business email compromise (BEC) scams, in which payment details on a genuine invoice are altered or a lookalike sender imitates a supplier, are incredibly common and cost Australians $224m in 2022.
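The verification control described above, as an added example that is not code from the original article or from any vendor product: each incoming invoice is compared with the vendor master record, and any change in bank details or sender domain places it on hold with a callback to the phone number already on file. The vendor IDs, domains, BSB and account numbers, phone numbers and the dual-approval threshold are constructed assumptions.

```python
"""Payment-redirection (BEC) control: hold any invoice whose bank details or
sender differ from the vendor master record until verified out of band.

Added example, not code from the original article or from any vendor product.
Vendor IDs, domains, BSB/account numbers, phone numbers and the dual-approval
threshold are constructed assumptions.
"""
import re
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Optional

DUAL_APPROVAL_THRESHOLD = Decimal("50000")   # assumed policy limit


@dataclass(frozen=True)
class VendorRecord:
    vendor_id: str
    name: str
    email_domain: str     # domain the vendor is known to invoice from
    bsb: str
    account: str
    verified_phone: str   # callback number held in the master, never taken from an invoice


@dataclass(frozen=True)
class Invoice:
    vendor_id: str
    number: str
    amount: Decimal
    sender_email: str
    bsb: str
    account: str


@dataclass
class Decision:
    action: str                            # "PAY" or "HOLD"
    reasons: list = field(default_factory=list)
    callback_number: Optional[str] = None  # number finance must phone before release


def _digits(value: str) -> str:
    """Keep only digits so '062-000' and '062 000' compare equal."""
    return re.sub(r"\D", "", value)


def check_invoice(invoice: Invoice, master: dict) -> Decision:
    """Compare the invoice with the master record and decide PAY or HOLD."""
    record = master.get(invoice.vendor_id)
    if record is None:
        return Decision("HOLD", ["unknown-vendor"])
    reasons = []
    details_changed = (_digits(invoice.bsb), _digits(invoice.account)) != (
        _digits(record.bsb), _digits(record.account))
    if details_changed:
        reasons.append("bank-details-differ-from-master")
    if len(_digits(invoice.bsb)) != 6:
        reasons.append("malformed-bsb")
    domain = invoice.sender_email.rsplit("@", 1)[-1].lower()
    if domain != record.email_domain.lower():
        reasons.append("sender-domain-mismatch:" + domain)
    if invoice.amount >= DUAL_APPROVAL_THRESHOLD:
        reasons.append("dual-approval-required")
    if not reasons:
        return Decision("PAY")
    # Any change to bank details is confirmed by phoning the number already on
    # file; a number printed on the suspect invoice would reach the fraudster.
    return Decision("HOLD", reasons, record.verified_phone if details_changed else None)


# Constructed master record and two invoices.
MASTER = {
    "V-100": VendorRecord("V-100", "Acme Supplies Pty Ltd", "acme-supplies.example",
                          "062-000", "12345678", "+61 2 5550 0100"),
}
GENUINE = Invoice("V-100", "INV-2041", Decimal("18400.00"),
                  "accounts@acme-supplies.example", "062 000", "12345678")
# The same invoice re-sent from a lookalike domain with "updated" bank details.
REDIRECTED = Invoice("V-100", "INV-2041", Decimal("18400.00"),
                     "accounts@acme-supp1ies.example", "012-003", "98765432")

if __name__ == "__main__":
    for label, inv in (("genuine", GENUINE), ("redirected", REDIRECTED)):
        d = check_invoice(inv, MASTER)
        print(f"{label:>10}: {d.action} {d.reasons} callback={d.callback_number}")
```

The point of the design is that the invoice itself is never the source of truth for where money goes: bank details come from the master record, and the only way to update the master is a callback to the number that was already there. A sender-domain check of this kind catches lookalike domains but not a genuinely compromised supplier mailbox, which is exactly the case the callback rule exists for.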
Of course, any data shared or sold on the dark web increases the risks for finance professionals, too. From compromised login credentials and transaction histories to personal data that could be used for social engineering or other scams, there’s a wide range of potential security challenges.