How not to Pay a Ransomware Demand

Amid surging ransomware attacks, Alex Meehan asks how organizations should act when faced with the nightmare scenario of a ransom demand

For any information security professional, a ransomware attack is a decent contestant for the ultimate nightmare scenario. Your system has been compromised, your data has been encrypted and you find yourself facing a demand for cash in return for a key to unlock it.

What should you do? Ignore the threat and restore from back-ups? (You do have up-to-date back-ups, don’t you?) Alert the authorities? Pay the ransom and hope nobody finds out? It’s a horrible situation to be in, and it’s made worse by a lack of transparency and guidance from those who have been in this situation before.

Companies that have fallen victim to ransomware attacks are slow to publicize the fact. Firstly, it’s embarrassing to have people know you got caught out, and secondly, if you have actually paid a ransom, you probably don’t want people to know that either.

“Those hit by ransomware attacks, or indeed by any sort of cybercrime, are reluctant to admit they’ve been victims of a crime for reasons I think we all understand, such as worrying about brand reputation and so on. Yet, I think that is changing. The era of victim-blaming a company that got hacked is coming to an end,” explains Brian Honan, chief executive officer of BH Consulting.

"The era of victim-blaming a company that got hacked is coming to an end"

“Increasingly, we’re seeing companies that suffer attacks being criticized not for being victims, but instead for how they dealt with the issue, and how transparent they were in their response to a cyber-attack.”

Honan believes it’s not whether companies get caught out or not that gets them into trouble, but rather how well they handle it. Key issues include not being transparent about how the problem is being treated and not engaging well with stakeholders, such as the media, customers and employees.

“Ransomware is definitely one of the top threats that companies are worried about right now. The top question we get from the CEO and the boards of our customers is ‘how prepared are we to fend off or respond to a ransomware attack?’” he says.

Malware is the New Gun

The key to dealing with ransomware vulnerabilities, according to Honan, is to recognize that the people behind such attacks are criminals. Their only goal is to make money, and they don’t really care how they do it. It’s a form of extortion, updated for a world where it’s easier and safer to hold a company up with some malware than with a gun.

In theory, if a company is hit with a ransomware attack, all it has to do is ignore the threat, restore its data from its own back-ups and go on about its day. In real life, it’s rarely this simple. Maybe the back-ups aren’t up to date? Perhaps the system has the ability to do a restore but has never been thoroughly tested?

One solution to this kind of threat is to take out cyber insurance specifically to protect from the financial expense involved in fighting off a ransomware attack. This should cover the cost of loss of revenue while your system is offline, as well as things like fraud, theft of funds and the cost of business interruption in general.

“Our very first piece of advice to all our customers is don’t pay ransoms because we don’t know where that money is going and it’s just not the right thing to do. With that out of the way, what should you do if you find yourself under attack? The first thing is don’t panic. Take your time and gather information about what has actually happened,” says Gareth Wharton, cyber CEO for Hiscox, an insurance firm.

“Try to get a handle on exactly what has been encrypted and what you have back-ups for. For example, was everything that was on-premises encrypted or everything in the cloud, or both? Most companies run a hybrid environment where some things like Office 365 are running in the cloud, so usually, they will still be available.”

Even if you only have older back-ups, it may still be possible to rebuild or reconstitute data from them. Sometimes there are even decommissioned machines or hard drives accessible that you could rebuild from.

“Things might not be as bleak as they immediately seem, so make sure you’re speaking to your IT team or your IT support company to figure out how big a mess you’re in. Next, you need to know what ransomware variant you have been hit with. Is this a really malicious type, or something relatively harmless that you can find a key for without too much trouble?” says Wharton.

A Lifeline is Key

The first place to look for a key is the www.nomoreransom.org website, an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee. The site’s goal is to help victims of ransomware retrieve their encrypted data without having to pay criminals.

It’s kept up to date with publicly available keys to the most common types of ransomware attacks and could provide a lifeline in the event that a company’s back-ups aren’t current or there is some other issue preventing them from being able to recover from an attack.

“There are about 100 decryption keys available on that site, so if you’re relatively lucky, you might be able to find a key there. Regardless though, if you get your system cleaned and you’re able to restore it, it’s very important to look for signs of persistence,” says Wharton.

“You’d hate to clean all your machines, then get them all back up and running again only to find that you’ve either missed something or the ransomware has installed itself again. There are some variants that will come back every time you reboot a machine, so make sure your IT security provider has securely cleaned all those machines.”

According to Will Lyne, head of cyber intelligence for the National Crime Agency in the UK, the issue of paying ransoms is a tricky one. Obviously, no law enforcement agency is going to be happy to see a criminal profit from an illegal act, but Lyne also concedes that sometimes companies are between a rock and a hard place.

“We recognize that the majority of victims of ransomware are either IT companies or are companies heavily reliant on technology. If that is taken away from them, it’s an existential threat. We recognize that there are certain instances when paying may be the only option, but we would never condone that,” he comments. “Should a victim take a decision to pay, we would look to maximize the evidential opportunity from that to find the criminals.”

Lyne is adamant that the best defense against ransomware attacks is good preparation, something that doesn’t have to cost a lot of money.

“It would be remiss of us not to push the message that the best defense against ransomware is to protect yourself as much as possible, and that means having secure off-site back-ups and a way to restore from those back-ups. So the message is ‘be as prepared as you can be,’ although I appreciate that’s not particularly helpful if you’ve been victimized in the first place,” he says.

“When companies report that they’ve been hit, we recognize that it’s a really bad day for them. Despite this, we’d never encourage or condone anyone paying a ransom for really obvious reasons, chief amongst them is that it makes the overall problem worse by encouraging more crime.”

Off the Shelf, Into the Fire

According to Sweden-based Patrik Fältström, technical director and head of security for Netnod, the arrival of off-the-shelf ransomware-as-a-service products has created serious headaches for law enforcement and security specialists trying to guard against intrusions.

“You don’t need to know how to create ransomware anymore – you can just go to a website and buy it from someone who sells it as a service. It means that the people who create the tools and the people who carry out the attack both make money. That creates an economy in which money flows between these bad actors, and at the end of the day, this is all about making money,” he says. “Ransomware is the low hanging fruit of the cybercrime world, and ransomware-as-a-service is a serious business.”

Fältström points out that in the event of an attack, it can sometimes be worthwhile rebuilding data from scratch rather than paying a ransom. For example, if a company has significant data on paper – a legal requirement in some jurisdictions – it might be worth sending it out to be scanned or even typed in from scratch.

“If you only need to do enough to bootstrap your company back into business, for example, the contact details of your customers, then that can be worth considering. The rest of your missing data can be back-filled over time, but the most important thing is to get the company back to a position of being able to function, pay wages and fulfill obligations,” Fältström says.

Your options in responding to a ransomware attack can also be limited depending on where in the world you are. On September 21, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an updated advisory on potential sanctions risks for facilitating ransomware payments.

OFAC’s advisory reiterates the US policy of “strongly discouraging” ransom payments, warning that such payments carry a sanctions risk. It says, “In recent years, ransomware attacks have become more focused, sophisticated, costly and numerous. According to the Federal Bureau of Investigation (FBI), there was a 21% increase in reported ransomware cases and a 225% increase in associated losses from 2019 to 2020.”

The thrust of the advisory is that the US government wants the IT sector to know that American companies that pay ransoms are financially enabling criminals in countries where the funds could be used to “fund activities adverse to the national security and foreign policy objectives of the United States.”

"Our very first piece of advice to all our customers is don't pay ransoms because we don't know where that money is going and it’s just not the right thing to do"

“What the US government has been trying to do is shut down the reason for ransomware to exist and to limit each company’s ability to pay. If they can create a situation where you can’t pay these criminals, then that places pressure on you to get your IT security in order and have a better plan on how you run your business,” comments Shane Tews, a US-based internet policy analyst and non-resident senior fellow at the American Enterprise Institute.

“Even if you want to, you can’t pay someone who’s in a listed country, and if you do, you’re going to be in trouble with a bunch of different people. You might end up being fined because you’re dealing with places considered unsafe entities that the government doesn’t want you working with from a trade perspective.”

This approach to the ransomware problem is somewhat siloed. The people who have created the legislation are in a political silo and primarily concerned with policy and law. The people who are being impacted, however, exist in a different silo, the tech sector. They’re primarily concerned about their ability to recover from an attack. While the political silo often lacks technical knowledge, the tech silo operates in a world where national borders are far less important.

“This has been put in place by people who have decided that the issue here is that companies shouldn’t be paying foreign entities and funding criminals, so therefore we’re going to make this difficult, if not impossible, or actually illegal to go along with,” says Tews. “That’s all very well, but it doesn’t do much for the victim of an attack that is sitting on top of a data encryption problem they didn’t ask for. How are they supposed to get their stuff back?”

According to US analyst and chief strategy officer for Ericom Software, Chase Cunningham, this new advisory is further evidence that the people writing legislation in the US are disconnected from the day-to-day experiences of those working in the technology sector.

“I do a bunch of work consulting on Capitol Hill, and I’ve sat on some of the taskforce calls. This continues to happen because lawmakers think that they can carry on writing legislation that will change the situation, based on their 50 to 60 years worth of experience legislating for regular criminal activity,” he says.

“But in this case, legislation just isn’t going to make a difference. Their approach is to say, ‘well, we have advisors,’ but when you look at the advisors, they’re not necessarily people engaged or entrenched in this space.”

It seems likely that this problem is going to persist until generational change makes the people in charge of legislation more likely to have backgrounds in enterprise IT and therefore more familiar with the practicalities of IT security. Until that happens, there will always be people willing to bend and break the law to make a few bucks. Are you prepared?

What’s Hot on Infosecurity Magazine?