Reports have said that the Hive ransomware-as-a-service (RaaS) group has claimed responsibility for the cyber-attack against Tata Power disclosed by the company on October 14 and believed to have occurred on October 3.
“The company has taken steps to retrieve and restore the systems. All critical operational systems are functioning,” the Mumbai-based company said at the time.
Security researcher Rakesh Krishnan has claimed that the leak reportedly affected several of Tata’s 12 million customers and includes personally identifiable information (PII) such as Aadhaar national identity card numbers, tax account numbers, salary information, addresses and phone numbers, among others.
It appears that many have taken Hive leaking the stolen data to mean that any ransomware negotiations failed, but Edward Liebig, global director of cyber-ecosystem at Hexagon, has suggested a different option.
“Let’s face it, even if negotiations are successful, there is still only a 50% chance of recovery of the encrypted assets,” Liebig told Infosecurity in an emailed statement.
“The decision to pay or not to pay is a business call. If the organization is in a very vulnerable position (recovery of assets is not possible), if there is a chance for extremely damaging information to be compromised, or if the potential business impact far outweighs the ransom payment, then the business may decide to pay.”
The executive has said another aspect to consider in this scenario is the rules of the cyber insurance carrier.
“Some Cyber Insurers prohibit the payment of a ransom,” Liebig said. “This means that a ransomware Incident Response (IR) playbook must have a very defined and comprehensive declaration and approval process that goes to the top of the executive team.”
Further to this, Liebig has said he believes that increasing the chances of defending against ransomware begins with watching the front and back doors.
“Watch for, block, and educate against incoming spam and phishing attempts. Know your assets and endpoints. Know and mitigate the vulnerabilities within your environment that enable the exploitation of those assets,” Liebig explained.
“The best way to defend against ransomware is never to let it take root in your systems. The next best way is to have a bulletproof, trusted recovery strategy to minimize downtime and eliminate the ‘ransom’ debate.”
According to statistics published by Intel 471 and Digital Shadows, Hive was the third-most prevalent ransomware family observed in Q3 2022.
The group also upgraded its tools to Rust in July to deliver more sophisticated encryption.
Keith Walsh, director of OT strategy and operations at Armis, said: “Advanced persistent threat groups (APT) such as the Hive ransomware gang continue to display their desire to interrupt the daily activities of our lives by targeting critical infrastructure citizens rely upon, be it the delivery of electric power, ambulatory and in-patient services, or other basic services we take for granted every day. Properly segmenting critical infrastructure, monitoring activities in and out of OT operations, and having a play-book to properly triage events like this are of paramount importance to localising the attacks to stop them before their spread and to keep our citizens safe and our operations resilient.”