The Ransomware Dilemma: How to Avoid Paying
Don’t Pay the Ransom?
When you take a step back and look at the ransomware problem, the obvious solution is for victims to refuse to pay the ransoms. This would demonetize the crime; the criminal enterprises that run these operations would no longer find the ransomware business profitable and would move on to other things. However, this is much easier said than done. The actual decision of whether or not to pay the ransom, while a criminal gang is holding your network (and your data) hostage, is not an easy or simple one to make. In fact, some victims of ransomware attacks are in situations where they literally have no other option but to pay the ransom in order to save their businesses.
So, it’s extremely important to have a strong sense of empathy for the victims of ransomware attacks. If we want to move the needle on demonetizing ransomware, we need to understand the complexities involved in these decisions, avoid victim blaming, avoid re-victimizing the victims with regulations that limit their actions to save their businesses, and provide support that will help victims avoid paying the ransoms except as an absolute last resort.
Victims of ransomware attacks are under enormous pressure from the moment they become aware of the incident. Usually this happens after the criminal actor has executed their encryption attack, locked up their systems, and displayed a ransom note on their screens. These ransom notes generally contain an explanation of what happened to the victim’s files, a method for the victim to pay to have their files restored, and a series of threats of further damage if the victim does not comply with the demands.
This immediately puts an immense amount of pressure on the victims. They have to worry about loss of revenue due to disruption of critical systems for business operations. Ransomware gangs often try to ensure that payment systems go down, including the ability for businesses to collect revenue by sending email invoices, and disrupt a victim’s ability to sign up new customers. But the disruption to normal business operations is only one concern.
Victims also have to worry about the damage to their reputation if the fact that they were hacked were to get out to the public. Depending on the industry vertical, this fact alone could either be a small embarrassment or a business extinction event. In either case, this adds a new level of pressure to the disruption of business operations. Will this damage to their reputation negatively affect their stock value? Each of these concerns is exploited by the cybercriminals to ratchet up the pressure on the victims.
Additionally, there are legal concerns that victims face which add even more pressure to the situation. Will they be blamed for Personally Identifiable Information (PII) being exposed? Are there regulations in their industry that might have been violated? Will their customers sue them for potential damages? Ransomware gangs use all of this to pressure the victim to pay and keep the incident quiet, encouraging them to sweep it under the rug to limit public exposure and the risks involved.
Time is also a factor that adds more stress to the situation. Not only is every minute of business disruption costing them money, but many ransomware groups increase the time crunch by increasing the ransom cost over time, so the longer the victim waits to pay, the higher the ransom will climb. Some even have a rolling counter displayed to the victims showing the cost going up second by second. In these times of stress, a victim is focused rightly on how to resolve the incident and protect their company. The last thing on their mind is how to prevent ransomware actors from making money.
Having Backups is Not Enough
All these pressures are compounded by the fact that having backups of your systems is no longer enough to avoid paying the ransom. In the past, if an organization had a solid backup plan, secured those backups effectively, and exercised that plan to ensure that it worked, that would be all the ransomware protection they would need. They could restore from backups, get back to business, and avoid paying the ransom. But it didn’t take long for these criminal enterprises to evolve to include double extortion to force victims to pay even if they have great backups.
In a double extortion scheme, which has become entirely routine in almost all current ransomware events, the cybercriminals first steal valuable data from a victim network and move it to a server that they control. Only then do they execute the ransomware encryptor to lock up the victim’s systems. Not only are they using the encrypted data as extortion, but now this second form of extortion is layered on top of the first.
They use this stolen data as leverage, threatening to leak it to the public or to the victim’s competitors. They choose data such as valuable intellectual property, trade secrets, customer data, or embarrassing information from stolen emails to pressure the victim into paying. Double extortion has become so effective that many organizations have chosen to pay the ransom to prevent devastating leaks from happening, even after quickly restoring their systems and resuming business operations without needing a decryption key from the attackers.
Work the Fundamentals
So, with all this stacked against the victims, how does an organization still manage to avoid paying the ransom? The first steps to this have already been widely discussed in the security community so they won’t be rehashed here in detail. These basics of cybersecurity are still critically important.
Prevent the preventable by reducing your attack surface, following best practices on passwords and multi-factor authentication, aggressively patching your systems in a prioritized and enforced regime, and providing security training for your employees. Ensure that you have good system backups, that those backups are secured effectively so an attacker can’t access them, and that your restoration process is fully tested to ensure it works correctly. Enable rapid detection of attacks that get through your defenses by effectively instrumenting your systems to ensure full visibility for your network defenders. Be prepared to respond to incidents by creating a written incident response plan, connecting with the partners needed for an incident before an emergency occurs, and exercising your plan to ensure that everyone is comfortable with their role. All these recommendations are commonly discussed in this space and will either help prevent incidents from occurring or minimize the damage that an unpreventable incident would cause. Many of these are easier said than done, so it’s important not just to do them, but to implement them in a way that is truly effective for your specific organization. Seek outside expertise as needed, depending on the maturity of your security and engineering teams.
Know Your Crown Jewels
However, even if a company were to implement all the industry best practices for prevention, detection, response, and resilience correctly, the double extortion scenario could still land them in a space where they would have to pay the ransom to prevent the release of their precious intellectual property. There can be many reasons for this, but most of them can be boiled down to failing to do a solid, internal review of your company’s crown jewels.
This review is incredibly important to do as part of an organization’s security planning. In addition to assessing which systems are most critical to protect from a business resiliency perspective (which is more commonly done), an organization also needs to assess which data is most critical to protect from a double extortion perspective. Once the crown jewel data sets are identified, not only will this provide additional prioritization for defensive efforts such as patching and instrumentation, but it also starts to inform the ransomware response strategy.
Cyber criminals count on the fact that victims are under immense pressure and are forced to make hasty decisions that will fall in favor of paying the ransom. However, a company can take this advantage away from them by preparing ahead of time. This can mitigate the pressure of the moment and help a victim rely on decisions that have already been made for use during a time of crisis. Companies that do this crown jewel assessment not only make it less likely that a cyber criminal can access that data to steal it, but they can also make quicker decisions about not paying the ransom if those crown jewels have not been exposed in the breach. Doing this review ahead of time allows all the various stakeholders in the company to have their input, ensures proper legal review, and builds guidelines without the pressure of an ongoing incident hanging over their heads. Having pre-queued guidelines on what data can afford to be leaked can enable company leadership to make clear decisions about not paying the ransom even while under pressure.
Lastly, it’s important to protect this assessment as a crown jewel itself. Ransomware gangs are experts at combing through a company’s data to find information that they can use to enhance their operations, such as the cyber insurance documentation that outlines how much the policy will cover, which they use to inform their ransom prices. A company’s crown jewel assessment could serve as a roadmap to your most valuable data and indicate how best to illicitly access it. So, it is absolutely essential to put the assessment itself on the list.
Adding a solid crown jewels assessment as part of your security planning will greatly improve a company’s chances of preventing attacks, quickly detecting inevitable incursions, responding effectively to minimize incidents, and avoiding paying the ransom. This means reduced cyber risk for the company, less damage when incidents occur, and less money flowing to the criminal gangs responsible for these attacks.
If you need help implementing this or any other recommendations mentioned above, [redacted] stands ready to help. Implementation is key to success, so it’s important to reach out to a security partner that you trust to have the depth of experience and expertise required to ensure that the solutions they provide are actually effective for your company’s specific needs.
Adam Flatley has over 20 years of cybersecurity and intelligence operations experience. He is the Vice President of Intelligence for [redacted], where he’s worked since mid-2020. In this role he drives the collection, analysis, and production of actionable intelligence for clients, partners, and the general public. Before joining [redacted], he served for two years as the Manager of Global Intelligence Operations for Cisco Talos’ Threat Intelligence & Interdiction team.
Prior to his time at Cisco, he served for fourteen years at the National Security Agency (NSA) in various operational capacities, most recently serving as the Director of Operations of a cybersecurity operations organization which was responsible for incident response, red teaming, vulnerability assessments, and threat hunting on critical networks. Earlier in his career at NSA, he distinguished himself by founding several new organizations within the Agency in order to meet cutting edge challenges posed by emerging threats or changes in technology to support counterterrorism, counterproliferation, and cybersecurity missions.