Welcome

No Sign of Reprieve From Ransomware Frenzy for Companies in 2022

Dec. 27, 2021, 10:00 AM

Supply chain attacks and software exploitations are set to continue next year, and remote or hybrid work may complicate cyber-preparedness, attorneys and cybersecurity professionals say.

Ransomware attacks show no signs of slowing down in 2022, posing legal, reputational, and regulatory risks for businesses. These types of hits grew alongside an uptick in attacks related to remote work during the coronavirus pandemic.

“These are sophisticated attacks, and it’s scary the amount of damage these groups can do,” said Iliana Peters, shareholder at Polsinelli PC in Washington, D.C. “What we’re seeing now is that there’s no indication that that’s going to drop off next year.”

Rising Risk

Supply chain attacks, including hits to Kaseya Ltd. and Microsoft Corp.'s Exchange software, made big headlines in 2021, and those types of hits could bring more companies unwanted press attention in 2022, attorneys and cybersecurity professionals say.

Software supply chain vulnerabilities are particularly insidious because they can be leveraged to “magnify” the impact of a cyberattack, said Alex Iftimie, a partner at Morrison & Foerster LLP in San Francisco.

“We’re seeing as a trend in 2021 and into 2022 the targeting of software and IT tools that are being used across industries and across companies to allow the hackers and malicious actors to get into not one or two systems, but thousands of systems in fairly short order,” Iftimie said.

Exploits used in the first quarter of 2021 are still being used today, nearly a year later, underscoring the need for robust patching, said Keith Wojcieszek, managing director of cyber risk at Kroll in Washington.

Despite such high-profile attacks, however, it’s important to not forget about phishing, which remains one of the highest-volume types of vulnerabilities, he said.

“Phishing training, especially with the workforce at home, is crucial,” Wojcieszek said.

Hits against critical infrastructure in the vein of attacks on meat supplier JBS SA and Colonial Pipeline Co. are also probably going to continue, Wojcieszek added. Both cyberattacks were traced back to hacking groups based in Russia.

President Joe Biden warned Russian President Vladimir Putin in July that 16 critical infrastructure sectors ranging from transportation to agriculture were off-limits. After the warning, hacks stemming from overseas still occurred, including one on Iowa corn and soybean producer New Cooperative in September traced to Russia-linked ransomware group BlackMatter.

The Cybersecurity and Infrastructure Security Agency in November mandated that federal civilian agencies remediate known vulnerabilities within specific time frames.

The Biden administration is likely to continue its push to beef up cybersecurity among the federal government, contractors, and other key ransomware targets, said Veronica Glick, a partner at Mayer Brown in Washington.

“I think there will be heightened cyber standards and more reporting requirements,” Glick said. “More broadly, I think critical infrastructure entities, their suppliers, and tech companies with broad supply chain reach can expect increased scrutiny.”

Sector-specific regulations are likely to continue to increase , and businesses will likely have to work more aggressively to meet standards imposed by the federal government and other entities, Iftimie said.

“Companies need to focus on the fact that requirements they have that relate to cybersecurity are only going to become more complicated than they have been today,” he said.

Getting Prepared

Attacks may happen overnight, but that doesn’t mean a company’s plan of action needs to spring up that way, said Kristin Hadgis, a partner at Morgan Lewis & Bockius LLP in Philadelphia. A good incident response plan enables businesses to act nimbly and allows key players from information technology, legal, human resources, and customer support, among other teams, to remediate an intrusion effectively, she said.

“Make sure people on those teams are regularly meeting,” Hadgis said. “That might seem simple, but in the event of an incident, you have your team and you know what the roles are.”

It also helps to line outside counsel up before a cyber event so that they can jump into action in a crisis, she said.

Companies should limit access controls, institute patching programs that are “aggressively implemented and enforced,” and employ multi-factor authentication, said Michael Gold, a Los Angeles-based partner and co-chair of the cybersecurity and privacy group at Jeffer Mangels Butler & Mitchell LLP.

Moving data and systems to the cloud is a good step to take as well, but companies should use rising cybercrime as an opportunity to reevaluate what their network security looks like and what’s covered—and what’s not—by current operations, he added.

“Until you start thinking about your network in an expansive way, you’ll never be able to protect it effectively,” Gold said.

To contact the reporter on this story: Jake Holland in Washington at jholland@bloombergindustry.com

To contact the editors responsible for this story: Kibkabe Araya at karaya@bloombergindustry.com; Keith Perine at kperine@bloomberglaw.com

To read more articles log in.

Learn more about a Bloomberg Law subscription.