Commentary from Semperis on Choice/Radisson cyber attack
October 2024 by Dan Lattimer, Vice President, UK & Ireland, Semperis
The following commentary is from Dan Lattimer, Vice President, UK & Ireland, Semperis, in response to initial reports of a ransomware attack against Choice/Radisson Hotels.
Initial reports of a ransomware attack against Choice Hotels are a reminder that a constant and persistent threat exists for all organisations. At this point, details are scant, but the Everest ransomware gang posted on dark web channels that they gained access to sensitive data and are giving Choice ten days to pay or they will release the data.
While Choice/Radisson continues its investigation, it wouldn’t surprise me to learn they are trying to recover their data without making a payment. Payments are typically made with assurances that the threat actors will provide the victim with decryption keys. Unfortunately, honesty isn’t highest on the priority list for cyber criminals. Semperis found in a recent global ransomware report that 35 percent of companies negotiated a ransom payment in good faith but received corrupted decryption keys or none.
No organisation can pay their way out of ransomware. Unless a company is in a life-and-death situation, don’t pay, as it only emboldens threat actors and fuels the global ransomware economy.
Today, ransomware attacks are inevitable, and organisations should adopt an assumed breach mindset. In most ransomware attacks, an organisation’s identity system is targeted. Active Directory (AD) is the most used identity system and it holds the ‘keys to the kingdom’ for companies. When AD goes down, business comes to a screeching halt, increasing downtime and data loss.
Companies need a robust backup and recovery plan in place before ransomware attacks occur. Cyber resiliency requires a certain level of redundancy to avoid single points of failure. A layered defence should include an Identity Threat Detection and Response (ITDR) solution that protects AD.
In addition, constant monitoring of the identity attack surface is critical and can help companies identify vulnerabilities before attackers do. Use free community tools like Purple Knight to find vulnerabilities in your organisation. And review the recent Five Eyes Alliance Report on detecting and remediating 17 common techniques used by threat actors to compromise AD.
An incident response plan is not something that organisations can just check off. It should include tabletop exercises that simulate attacks and involve business leaders as well as the security team. Incident response testing improves your organisation’s ability to recover critical systems and data in the event of a breach.