Ransomware: To Pay or Not to Pay Just Got More Complicated
By: Homayun Yakub
Ransomware can cripple an organization. It often impacts a company’s ability to deliver core services, and can quickly jeopardize the trust customers have placed in them-ultimately impacting their bottom line. Public and private organizations alike are susceptible as attackers continue to evolve their tactics with increasing proficiency and accuracy. The global pandemic’s impact is also felt in this area, as the attack surface has broadened exponentially with organizations moving large portions of their workforce to remote-work status. The news cycle now frequently includes a rise in ransomware incidents suggesting the trend will only continue.
Organizations already dealing with the ramifications of the related economic downturn must now also contend with ransomware as another very real threat. The U.S. Government has also increased their attention on the issue with the Treasury Department releasing guidance on not paying ransoms to any attacker on their sanctions list. As such, doing so may incur civil penalties and fines, which adds yet another dynamic for organizations: whether to even report the incident for fear of government action.
All these increasing challenges have accelerated the need for organizations to formalize their responses, reinforce training/education of their workforces, and re-evaluate their security posture to consider adopting new processes and related technologies to minimize risk exposure. It also serves as an exigent opportunity to foster greater public/private collaboration on how best to stem the tide of ransomware attacks.
Ransomware has become a name synonymous with crypto-malware. The attacker encrypts data and demands a payment in order to release the data to the victim – they hold your data to ransom. Here the cybercriminal hopes to benefit at the expense of the targeted organization. However, in these scenarios, there will always be a loser. Either the victim loses (their data and their money) with the attacker winning a payday, or the attacker loses when they don’t get paid (note the victim may also lose as well in this situation when their data is encrypted). And meeting hackers’ demands don’t always yield expected results: we’ve seem examples of victims paying the ransom and not getting their data back due to either the decryption routine being faulty or the attacker not honoring the agreement to decrypt the data.
Leakware, also called double-extortion ransomware, is an adaptation of ransomware threatening to leak an organization’s data into the public domain unless a payment is made to the attacker. This creates a scenario between attacker and victim as the victim must still pay an often hefty fee to the attacker in order to prevent the disclosure of their data and all of the brand damage and potential regulatory attention that may entail. The attacker gets paid, but the victim doesn’t have their data lost or leaked. It results in the best of a bad situation for the affected organization – depending on the monetary value of the ransom demand, the ability to afford it, and/or the perceived value of the data. Attackers have recently pivoted attention to leakware knowing that organizations mitigate having to pay the traditional ransomware demand by having good backups in place.
Changing the rules – the risk of sanctions
Organizations consider many factors when deciding to pay a ransom demand. This may include the availability of good backups in order to restore the now locked data, the potential damage to the business’s brand reputation of paying or not paying, the likelihood of the attacker repeating an attack, any regulatory fines that may need to be paid to regulatory bodies, the ability to pay the attacker including the monetary value of the ransomware demand or having a known or reliable mechanism to pay the attacker. Further, an organization may have a SOP in place to handle a ransomware incident, or they may not.
It is clear to see that such a decision tree works in the favor of the attacker.
On October 1, 2020 the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. In the explanatory advisory the Department of the Treasury explains that paying the attacker may “encourage future ransomware payment demands but also may risk violating OFAC regulations.” A list of ransomware families and authors is provided upon which the U.S. Department of the Treasury has applied sanctions. This list includes the authors of Cryptolocker, SamSam, WannaCry and Dridex. It is now necessary for organizations considering paying the ransoms to factor in the risk of sanction violations.
Even with the introduction of such sanctions, businesses will go through a calculation based on dollars or cents and weigh the cost of disruption to the business versus the cost of other mitigatory actions. This is when a playbook can be helpful to steer the affected business into well thought-out and anticipated actions. What else can be done to help before or during a ransomware incident?
How to protect yourself from ransomware
By not adopting a proactive stance, a targeted organization is forced into a zero sum or non-zero sum crypto-malware game by the attacker. If the attacker is successful in engaging, it becomes vital that the targeted organization to retain the upper hand. Here’s a high-level 5-point checklist to help in that regard:
- Create a ransomware incident playbook applicable to your organization, practice it often and refine as appropriate.
- Educate your users to understand how to avoid succumbing to the lures and tricks of cybercriminals.
Adopt solid and proven backup procedures in order to restore data in the event of a crypto-malware incident, including offline backups.
Adopt a data loss prevention program across your organization so you gain visibility of where your data is and who is interacting with it. As part of your data protection strategy you should consider further steps such as segmentation of data across networks.
Remember that Behavior analytics can help identify anomalous actions within your environment which may be caused by attackers assuming the profile of a privileged user, interacting with files en masse or transferring data en masse.
What else must we do as a collective?
At the beginning of the pandemic, most CISOs focused on maintaining resiliency and minimizing business disruption as they transitioned to a majority remote workforce. This movement to working from home further exacerbated the situation due to an expanded threat landscape and a reduction in controls normally present in a traditional office environment. The overlay of today’s reality against an economic, health and mental health backdrop has unfortunately created an opportunity for attackers to step up their activities and target remote workers who are attempting to balance work and life demands without otherwise being distracted and therefore susceptible to attacks.
Against this backdrop, one thing is clear: in the cybersecurity industry, we’ll all benefit from increased public/private discussion and collaboration to find a better way forward. Now is a time for us work together to operationalize a ransomware approach that protects organizations in such a way that ensures attackers don’t win.
(The author is Senior Security Strategist Forcepoint and the views expressed in this article are his own)