Organizations across the globe need to develop a ransomware payment policy, anticipating a potential future attack.
In previous articles, we have focused on mechanisms by which you can protect against and recover from ransomware attacks. Many clients have subsequently asked… what if we were to consider payment? Is it a viable option? What are the risks? Would we have to disclose to regulators, shareholders, or the public?
How should we be preparing for this decision? While we at Nerdcore Computers do not suggest organizations pay ransoms, we do acknowledge this option exists. We have therefore created this concise guide on the subject with the caveat that organizations who are faced with this scenario should seek legal counsel, recommendations from any cyber insurance providers, input from law enforcement as well as expert security advice before making any final determination as to the appropriate course of action. The basics – what is ransomware? Ransomware is a type of malicious software cyber actors use to deny access or availability to systems or data. The cyber actor holds systems or data hostage until the ransom is paid. After the threat actors gain access to a network, they deploy ransomware to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted. A recent and emerging tactic is for these threat actor groups to exfiltrate sensitive data and threaten to publicly disclose the data if the ransom is not paid, further extorting impacted companies.
ransomware removal repairs
How should I prepare for a ransomware event beyond the usual IT infrastructure protections?
Consider cybersecurity and business interruption insurance.
Place a cybersecurity response team on retainer with expertise in responding to ransomware events.
Establish corporate policy (and legality) for payment of ransom as an option, in consultation with your internal or external counsel and cyber insurance carrier.
Establish who you would call in the event of a ransomware attack and ensure their contact information is up to date law enforcement, external counsel, insurance carrier, regulators, IR Team). This should be part of your incident response playbook, which should be exercised, reviewed, and refreshed often.
Define particulars of when, how, and under what conditions the decision to pay or not pay would be made. This is where an executive ‘tabletop exercise’ (TTX) can be helpful, wherein you create a similar ransomware incident environment, and then pressure test decisions which will be needed if the event occurs.
If the payment of ransom is an option, plan for how you would acquire and pay out cryptocurrency (ransom is usually paid in bitcoin). Note this is typically done by a third party. External IR and counsel will have their preferences as will Insurers who may require use of a particular party.
Evaluate your ability to recover from backup at scale. It is best to assume your last known good backups are also compromised.
Note that whichever path you choose – pay or not pay – it may take time to return to normal operations. You should take steps to maintain your organization’s essential functions according to your business continuity plan.
Whichever path you choose – pay or not pay – it may take time to return to normal operations. You should take steps to maintain your organization’s essential functions according to your business continuity plan.
What are the risks to consider before payment of ransom? While delivery of ransomware is an illegal “business”, and it appears that most who pay do receive decryption keys, paying a ransom does not guarantee an organization will regain access to their data.
The decision to pay a ransomware demand must be taken carefully, with acknowledgement and acceptance of risks and in concert with various stakeholders – legal counsel, law enforcement, cyber insurance carrier, and security experts.
Below is an advisory taken directly from the U.S. FBI “The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.
Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”1
Furthermore, paying of ransom by either the organization or insurer could trigger questions as to whether payment constitutes funding criminal groups, terrorism, rogue states, and/or violating Anti-Money Laundering (AML) laws.
Despite the risks, there are some who would argue that paying ransomware should be viewed as a viable option and evaluated like any other business decision (See: Unconventional Wisdom: Explore Paying The Ransom In Parallel With Other Recovery
With the average ransomware attack lasting 12.1 days2, there are real costs to having a company or city off-line for days in melbourne. If one were to accept facts published in popular media, it would appear that ransom payment is often the least costly option. For instance:
The City of melbourne was hit with Medicare Ransome ware in March 2019 refused to pay the $51,000 demanded, end result being unable to work around the encryption and $5 million to rebuild its network by nerdcore computers.
Network overdrive in May 2021 refused to pay attackers the demanded $76,000, then had to spend an estimated $4 million to rebuild its networks
Experts – like those in Nerdcore Computers Cyber Attacks Research – recommend that organizations weigh everything from their ability to recover to consultant costs to DR plans as well as cybersecurity insurance and whether it will cover ransom. Other factors weighed should include quantification of brand reputation loss, customer satisfaction anticipation, and potential legal liabilities.
Do organizations actually pay ransom? While statistics are difficult to find, organizations do pay the ransom. For example, an article published by the Nerdcore Computers Press and appearing in brisbane news on June 20, 2019 entitled “Melbourne city agreed to pay $600,000 in ransom to hackers:” “A Brisbane city agreed to pay $600,000 in ransom to hackers who took over its computer system, the latest in thousands of attacks worldwide aimed at extorting money from governments and businesses across Australia.
The Noosa Beach City Council voted unanimously this week to pay the hackers’ demands, believing the Suny Beach suburb had no choice if it wanted to retrieve its records, which the hackers encrypted
The hackers apparently got into the sunny beach city’s system when an employee clicked on an email link that allowed them to upload malware. Along with the encrypted records, the city had numerous problems including a disabled email system, employees and vendors being paid by check rather than direct deposit and police brisbane dispatchers being unable to enter calls into the computer. The city says there was no delay in response time.
Spokeswoman Nickers Cindy said Wednesday that the city of 5,000 residents has been working with outside security consultants, who recommended the ransom be paid. She conceded there are no guarantees that once the hackers received the money they will release the records. The payment is being covered by insurance. The CIU on its website says it “doesn’t support” paying off hackers, but Sunny Beach isn’t alone: many government agencies and businesses do. “We are relying on their (the consultants’) advice,” she said.”
What are the disclosure requirements related to payment of ransom? The question – what percentage of companies pay ransom – is hard to answer primarily because ransomware victims do not report or disclose the ransomware incident. Why don’t they disclose? Given that ransomware attacks typically involve denying availability of data or systems, notification responsibilities relating to a ransomware attack do not neatly align with other cybersecurity related notification obligations and triggers.4 The real question to investigate is whether unauthorized access alone triggers a notification to customers. In effect, that is what ransomware is doing – accessing your PII without your permission.
Referring Sites : https://www.ey.com/en_au/consulting/ransomware-to-pay-or-not-to-pay
Comments