Ransomware attacks against businesses are on the rise. How organisations respond to these attacks varies dramatically, with each organisation evaluating its response based on its unique circumstances. Forint recommends five questions a business needs to answer before an attack of this type hits its organisation.
Much as criminals kidnap people and hold them under duress until a ransom is paid, in this evolving cyber world criminals instead hold businesses electronically hostage until a ransom is paid.
Commonly, criminals accomplish this by encrypting the data on business systems to crippling effect (often all from behind a computer screen). When a message appears on your monitor demanding a ransom payment in exchange for the decryption key needed to recover the data, each minute spent grappling with the question of whether to pay the ransom can be money down the drain. This “delay” may arise from the criminal demanding an increased ransom as a penalty for a delayed response, from the sheer force of the business disruption, or both.
There is no single “right way” to respond. Each organisation must evaluate how to respond based on its own individual circumstances. Businesses should ask these top five questions now, before an attack, to help develop a corporate philosophy on how to quickly decide whether to pay a ransom in the face of an actual attack.
1. What Are the Costs of Paying?
The costs of paying a ransom range from the obvious (the price of the ransom demand) to the more subtle (the morality of paying). Often ransom demands ask for “only” hundreds or thousands of pounds, but they have hit as high as several million pounds.
Does paying ransoms encourage cyber criminals to proliferate the practice?
One concern is that the ransom payment may go on to fund other criminal activities. Another is the hope that if the financial motivation is stripped from the cyber criminals by not paying ransoms, the attacks will decrease. In this same vein, businesses may very well end up putting a target on their backs for repeat attacks if criminals view them as resources that will pay each time they face a ransomware attack.
2. What Are the Costs of Not Paying?
Headlines affirm that ransomware attacks can wreak financial devastation when businesses do not pay the ransom. Just this year, Baltimore’s ransomware attack ravaged the city to the tune of more than $18 million after it refused to pay the ransom. Typically, these giant losses are the result of business interruptions caused by lack of access to the data.
3. Can the Data Be Recovered Without Paying the Ransom?
If the computer screen is demanding payment, it is worthwhile to take a moment before immediately paying. As a preliminary matter, it may not be an actual ransomware attack that has successfully encrypted your data. Bringing in your IT or computer forensics experts can verify if the attack is real or not. Your IT or computer forensics experts can also help ascertain if the data can be restored from backups without paying the ransom. Even if it is a legitimate ransomware attack, there may be ways to decrypt the data. For example, European law enforcement agencies have engaged partners to maintain the website No More Ransom! As explained by the site: “[I]t is sometimes possible to help infected users to regain access to their encrypted files or locked systems, without having to pay. We have created a repository of keys and applications that can decrypt data locked by different types of ransomware.”
Engaging computer forensics experts or law enforcement may also lead to the liberation of your data. In their years of experience with different types of attacks, these experts may also be able to identify the type of ransomware attack sustained and share the decryption key businesses would otherwise pay for.
4. Is It Worth the ‘Will You Get Your Data Back’ Gamble?
Businesses need to appreciate that they may cough up the ransom money and, disappointingly, not get the data back at all. Remember, we are talking about a criminal’s promise here. If they have worked with the bad actor before, law enforcement and forensic experts may be able to help vet whether you are dealing with an “honourable” criminal who will actually release the data. NotPetya is a devastating example of this.
NotPetya initially presented as ransomware and demanded payment but paying was futile. It was a wolf in sheep’s clothing (or perhaps a ferocious wolf in a less ferocious wolf’s clothing). The malware was, in fact, destructive wiper malware intended to destroy data in the guise of ransomware that gave false hope to victims lulled into thinking paying the ransom would solve all their problems.
5. Should the Business Pay This Ransom?
A middle ground exists between paying the ransom and not paying. Specifically, should you pay the ransom amount demanded? For example, criminals demanded a ransom from Hollywood Presbyterian Medical Centre. Rather than paying out millions of dollars, the victim negotiated the demand down. This shows that part of the thought process when assessing a corporate philosophy on paying ransoms includes how much you are willing to spend.
These are only a handful of the many considerations that businesses should contemplate when hit with a ransomware attack. The issues that arise, both technical and legal, are numerous and require significant advance planning and thoughtful analysis.
Engaging counsel to light a path through this cloud of confusion can enable companies to respond quickly and nimbly in the face of a cyber crisis. You may want to revisit the decided philosophy when faced with a real attack.
However, revisiting a decision in light of real, and not hypothetical, facts can be far easier than debating the issue from scratch while an attack is ongoing. In summary, evaluating a ransomware philosophy should be a key component of a comprehensive incident response plan.
If you don't have a plan in place, then how can you respond effectively to an attack?
Deciding ahead of time arms businesses with a playbook of how to effectively respond to minimise the potential financial and reputational damages that would ensue from this type of attack.
If you need to discuss your action plan for dealing with this type of attack, or to create a plan with associated runbooks to address your current vulnerabilities, then please do contact us for a confidential discussion on maintaining your defence-in-depth profile.