Should victim organisations pay the ransom?
The impact of COVID-19 has ricocheted into many aspects of business, with enterprise security being one of the top concerns. The pandemic has created an environment that is ripe for cyber threats, which malicious actors have been quick to take advantage of. In turn, there has been a significant increase in cyberattacks, many of which exploit remote working and public fear.
So, as we move into 2021, we're reflecting on some of the most prominent threats that occurred last year. In this Q&A, I spoke to Peter Beardmore, Director, Digital Risk Strategy at RSA, to reflect on the current state of ransomware and explore whether victim organisations should pay up.
Thanks so much for joining us, Peter! Firstly, could you give us a little background on yourself?
Thanks for having me, Rema. I have worked exclusively in the cybersecurity industry for 14 years now and the time seems to have flown by! After I finished my time as a Signal Corps Officer in the U.S. Army, I was fascinated by all things tech. My first few roles out of the military were with networking companies, at a time when security was a growing customer concern. I started to focus on security in 2006, when I joined RSA for a couple of years, and then subsequently spent seven years at Kaspersky Lab extolling the virtues of endpoint and mobile security to consumer and business audiences alike. I re-joined RSA in 2015 and the rest is history, as they say! As more businesses accelerate their digital transformations, our job is to help make sure that they can effectively manage the risks that come with the digital age.
What are the current trends in the ransomware threat landscape?
We estimate that around 75-85% of the cases we've worked on so far in 2020 were ransomware related, which is a significant increase on previous years. Ransomware continues to be a major challenge for even highly mature organisations due to the legal and technical complexities involved, and the competing priorities of business continuity and data protection. The double whammy of data loss and service outage has essentially resulted in more organisations paying a ransom, which in turn may have contributed to the increase in cases. We anticipate that ransomware will become even more pervasive as we move into 2021.
We have seen both targeted and opportunistic ransomware attacks in recent times, with varying degrees of sophistication. The most significant enablers of ransomware continue to be a lack of visibility and a lack of a robust patching capability. Initial threat vectors also remain consistent and include phishing, drive-by attacks (commonly fake browser updates), and sometimes third-party relationships that are exploited. We have observed that ransomware events are often preceded by what many would consider to be commodity malware infections (Emotet, Qakbot, Dridex, etc.).
As such, we recommend that organisations review their current ransomware mitigation strategies and take commodity malware infections seriously, including prioritising patches for vulnerabilities that could impact higher-risk assets. It might sound obvious, but investing in the areas of prevention and detection can eliminate or substantially reduce both the financial and operational impacts of a ransomware attack later on. Depending on your organisation's situation, it might also be a good idea to work with experts to assess your individual ransomware risk and get recommendations of cost-effective mitigation strategies.
How do victim organisations decide whether to pay up or not?
This will depend a great deal on whether their data has been encrypted, stolen or both.
For the first option, enterprises may be able to restore from backups. However, in recent cases, we have observed attackers deleting backup servers and virtual snapshots to make recovery more difficult. As such, it is even more important for organisations to ensure they have an isolated, immutable recovery solution in place.
The theft of sensitive enterprise data prior to encryption presents an additional challenge. In the case of regulated customer data, an organisation may choose to pay a ransom to protect their customers from identity theft, for example. Or it may want to prevent trade secrets from being made public and blunting its competitive edge. An incident response (IR) team can help organisations to understand exactly what was taken, to make an accurate damage assessment. However, certain forensic artifacts and files may not exist, which complicates decision making in this area.
Whatever happens, we recommend that the decision to pay and/or disclose a breach is made at the direction of legal counsel. The US government recently warned that organisations could face steep fines if they end up paying ransomware groups that have previously been placed on sanctions lists, for example.
What happens after an organisation decides to pay up?
Use of a third-party intermediary, also retained by external legal counsel, is recommended to contact the cyber-criminals. This person acts as a buffer between attacker and victim and is usually more familiar with the process of negotiation and the lingua franca of ransomware actors. In some cases, it may be advantageous to enter into communications simply to see if the price can be negotiated, which is almost always the case. Even if the victim organisation has decided not to pay, entering into 'negotiations' can help to buy more time for incident response and remediation.
It is vital that the attacker no longer has network access, or a refusal to pay could lead to a second attack and infection. An IR function can often determine how the attackers got in, which systems they accessed, and whether or not they have placed backdoors in the environment. These details are critical to building a successful remediation plan and can take several days depending on the nature, timing, and extent of the compromise.
Even if the organisation has decided to pay, you can never be 100% sure that a ransomware group will definitely deliver a working decryption key: after all, they just committed a criminal act. To increase their chances of success, organisations need to be proactive in mitigating risk. First, they should require proof of stolen data and proof the decryptor works, again according to the guidance of their legal counsel and negotiating team. Then, as part of the incident response process, they should take steps to preserve all data of evidentiary and investigative value.
Even though an attacker may provide a working decryption key, there is always the potential for technical issues and there are no guarantees when dealing with a criminal organisation. Some vendors that handle negotiations and payments also specialise in recovery — another option we often recommend for our clients given the man hours involved here.
How ethical is the decision to pay a ransom, considering that it perpetuates this long-running cyber threat?
I think it's really up to each victim organisation to decide for themselves which course of action best aligns to their corporate values. Of course, there will always be those who believe it is not ethical or palatable to pay criminals that have harmed them, while others will put the recovery of their organisation and a desire to prevent the release of sensitive information above all else.
As a mechanism to transfer risk, many have invested in cyber-insurance to cover data breaches in general and sometimes ransomware specifically, although this approach arguably also ends up in more ransom payments and, therefore, subsequent attacks. Philosophically, we all pay the price of ransomware in the end, through increased prices for products and services, higher cyber insurance premiums, and downstream identity theft.