After a string of high-profile ransomware attacks covered extensively by the media, most of us are now familiar with these incidents. Ransomware is malicious software ("malware") that encrypts a victim's files or locks users out of their systems until a ransom is paid. Over the last few years it has evolved into multi-extortion: attackers now also steal data before encrypting it, threaten to publish it for reputational harm, and in some cases launch Distributed Denial-of-Service attacks, all to pressure victims who could otherwise restore from backups into paying anyway. But is paying the victim's only option? What happens if they don't?
Why Businesses Want to Pay
Realistically, no business wants to pay a ransom demand, and the standard guidance is not to pay. Every dollar handed to criminals funds the next campaign and keeps ransomware profitable as an industry. Paying is a last resort and, in practice, a weighed financial decision. Companies without a comprehensive backup system, for which data loss would be catastrophic; companies that judge reputational damage as a threat to future operations; and companies that anchor a large supply chain with many dependents may all feel they have to consider payment. Every day a business is not running is a day of lost revenue and growing reputational harm, and the longer the outage lasts, the harder it becomes to restart operations and recover that revenue.
Large companies like JBS and Colonial Pipeline, both of which paid ransoms, had more than their own fiscal welfare to consider. A prolonged shutdown of one of the country's biggest meat suppliers, or of a pipeline carrying a large share of the East Coast's fuel, has real consequences for the economy as a whole. We saw a glimpse of that with Colonial Pipeline, as some flights were rerouted and gas stations experienced shortages amid panic buying. However, as the Colonial Pipeline case also showed, paying a ransom does not mean operations will return to normal, nor does it remove the threat that stolen data will be released.
Why They Shouldn’t Pay
While organizations may have valid reasons for wanting to pay quickly, no insurer, law enforcement agency or government body recommends this course, and for good reason. For starters, there is no guarantee that the encrypted data will be recovered. Recent survey data reported that 92% of organizations that paid did not get all of their data back, and 29% recovered no more than half of it. When you pay, you are often only paying for the hope that the stolen data will not be leaked, and the criminals have no obligation to honor that. In the Colonial Pipeline attack, the attackers received the payment but provided a decryption tool so slow that the company ultimately restored from its own backups.
There is also the legal issue, which is tricky. American companies are already barred from paying bribes or making other corrupt payments, including to criminals overseas. The Computer Fraud and Abuse Act criminalizes the extortion itself, that is, demanding money under threat of damaging a protected computer; it does not explicitly address the victim's payment. Sanctions law does. In October 2020, the Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory warning businesses, and anyone who facilitates ransomware payments on their behalf, that they may face civil penalties for paying or assisting actors on OFAC's Specially Designated Nationals and Blocked Persons (SDN) List, and that such penalties can apply even if the payer did not know the recipient was sanctioned. In the same month, the Treasury's Financial Crimes Enforcement Network (FinCEN) issued a similar advisory to financial institutions, noting that processing these transactions could constitute money transmission and carry its own reporting and compliance obligations.
Verifying whether a ransomware attack comes from an actor on the SDN list can take a long time. Typically, a company engages a third-party forensic investigator through its cyber insurance carrier, and OFAC may separately examine the payment. If, possibly months after a ransom has been paid, it emerges that the payment unknowingly went to a listed actor, the company can still face penalties. If the forensic investigation turns up a sanctions connection beforehand, the insurer will not assist with the payment. The company then takes on all of the risk and expense, with no guarantee of getting back what it needs from the attacker.
The Best Defense
Paying a ransom encourages bad actors and gives only a small chance of getting all of the data back. The best response to this threat is a defense strategy built before an attack happens. It should include:
Multifactor authentication. First and foremost, put in place basic controls so that one employee's reused or stolen password cannot expose the whole organization; prioritize remote access (VPN, RDP) and email, which are the usual entry points.
Employee training. Untrained employees are the easiest route for an attacker to get malware onto the network, particularly through phishing. Invest in your people and teach them what to look for and how to report it.
Backups. Keep an offsite backup copy that is isolated from the production network (offline or "air gapped", or stored immutably) so that the same credentials that compromise your network cannot delete or encrypt the backups, and test restores regularly. If your network is hit with ransomware, you can then get operations running again without acceding to demands.
Endpoint Detection and Response (EDR). EDR tooling continuously monitors endpoint activity and collects telemetry, looking for suspicious patterns such as credential dumping or mass file encryption, and can respond by isolating the host or killing the process. Intrusions that go unnoticed for months, as the SolarWinds compromise did, show the cost of having no visibility on the endpoint.
Incident response plan. Assume now that you will eventually have to recover from a ransomware attack. Write down who does what, rehearse the plan, and test your systems regularly to measure how quickly you can restore data and resume operations after an incident.
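The backup and incident-response items above both come down to one question: can you prove, before an attack, that a backup is intact and that a restore actually works? The following is an added example, not code from the original post or from Risk Strategies, showing how a restore drill can be scripted. It hashes every file into a manifest at backup time, compares a restored (or live) tree against that manifest, and flags files whose contents look encrypted. The sample files, the simulated ransomware tampering, and the 7.5 bits-per-byte entropy threshold are all constructed assumptions for the demonstration.

```python
"""Backup-restore drill: hash manifest plus tamper detection (added example)."""
import hashlib
import math
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256.
    Store this alongside the offline backup so the attacker cannot alter it."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(root: Path, manifest: dict) -> dict:
    """Compare a restored tree against the manifest taken at backup time."""
    current = build_manifest(root)
    return {
        "ok": sorted(k for k in manifest if current.get(k) == manifest[k]),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "extra": sorted(k for k in current if k not in manifest),
    }


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_files(root: Path, threshold: float = 7.5, min_size: int = 512) -> list:
    """Flag files whose bytes look encrypted. The threshold is an assumption:
    compressed archives and images are also high-entropy, so treat this as a
    triage signal to review, not a verdict."""
    flagged = []
    for p in sorted(root.rglob("*")):
        if p.is_file() and p.stat().st_size >= min_size:
            if shannon_entropy(p.read_bytes()) >= threshold:
                flagged.append(p.relative_to(root).as_posix())
    return flagged


def run_drill() -> dict:
    """Constructed scenario: snapshot a manifest, simulate ransomware, then verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2024-01-01,100\n" * 40)
        (root / "readme.txt").write_text("Quarterly close procedure.\n")
        manifest = build_manifest(root)  # taken at backup time, kept with the offline copy

        # Simulated ransomware (constructed): overwrite the ledger with random bytes,
        # as encryption would, and drop a ransom note.
        (root / "finance" / "ledger.csv").write_bytes(os.urandom(4096))
        (root / "RECOVER_FILES.txt").write_text("your files are encrypted\n")

        report = verify_restore(root, manifest)
        report["high_entropy"] = high_entropy_files(root)
        return report


if __name__ == "__main__":
    for key, value in run_drill().items():
        print(f"{key}: {value}")
```

In a real drill, `build_manifest` runs against the source tree when the backup is taken and the manifest travels with the offline copy; `verify_restore` then runs against the restored tree on clean hardware, and the time from "start restore" to an all-"ok" report is the recovery-time figure your incident response plan should track.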
There is no ideal scenario once a ransomware attack is underway. Companies risk losing money, data, reputation or all three, and paying the ransom may do little to restore any of them. Preparing your security controls and recovery capability in advance puts your business in a far stronger position never to face the decision of whether to pay.