Sunday, July 11, 2021

Ransomware: To pay or not to pay?

If your company is the victim of a ransomware attack, should you pay your attacker? This one caused a bit of controversy when I wrote this for work, so I'm posting it here under the umbrella of "my personal opinion - on your own head be your final choice in this matter - don't sue me."

This isn’t an easy question to answer. It’s one thing to say “No, never pay a ransom”, but it’s another thing entirely to stare at the flashing lights of a data encryption hijack, with no immediate way of recovering essential data and your payment records and invoicing system crippled by malware. People do pay the ransom to release their files, but should they?

In July 2020 the US business travel management company CWT Global handed over an impressive US$4.5 million in bitcoin during a ransomware attack – setting a new ransomware payment record. Not really the sort of claim to fame that a company wants.

Reasons not to pay.

In October 2020 the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory that paying a ransomware ransom is now illegal, and that people and companies can be fined for making payments to sanctioned hackers. Many other international law-enforcement agencies are considering similar actions and are encouraging victims not to pay. Paying ransoms, however, is still technically not illegal in most of the world. So far we’ve not seen any evidence of enforcement of the advisory, but watch this space: it’s going to be tricky to explain to the IRS why you had to spend US$220,000 on bitcoin and where it went.

Paying a ransom encourages criminals into further criminal activity. Crime only pays if the victims pay. The more companies and individuals who pay, the more it encourages new black-hat hackers to enter the ransomware arena and launch attacks against other companies – or even a repeat attack against your company. If victims stand together and don’t pay, bad actors have no recourse other than to pack up their laptops and shuffle back to their dark web newsgroups. Is it better PR to stand firm and refuse to be bullied, standing with your fellow victims and promoting ransomware prevention best practices, than to look weak by paying for a company mistake? Very probably, and you don’t want to be seen as a target for other malware in the future.

It’s estimated that last year over half of ransomware victims paid the ransom to restore access to their data. If your data is encrypted, the only way to reset the clock is with the hackers’ decryption key. It’s further estimated that around 20% of those who paid never heard anything more from their ransomers: their data stayed locked, no unlock code arrived, and they paid for nothing. While the percentage of organizations that recovered their data has increased from 49% to 72% over the last 3 years [Cybersdefence Report, 2021], black hat hackers and the systems they use aren’t to be trusted. There is no guarantee of getting your data back. Hackers have also been known to leak the sensitive data they stole for further financial reward, regardless of payment.

Prevention is better than cure.

The average ransomware payment increased by 43% this year, to approximately US$220,000, and a company is hit by a ransomware attack every 11 seconds. There are a few cost-effective areas of preventative action that can be taken.

54% of all ransomware breaches begin with a phishing email. Digitally screen all mail, but also educate yourself and train your team on the different tactics behind a phishing attack. There are many ways hackers might attempt to fool your staff into granting them access to your network. Try running an internal simulated phishing attack across your company to get stakeholders familiar with your reporting processes and the sort of attacks they might see. Check my article, here, on how to do so. Discourage staff from visiting unapproved websites, and physically block staff from sites that have the potential to distribute malware.
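As an added illustration of what "digitally screen all mail" can look like in practice (this is example code written for this post, not the author's tooling or any product's), the script below applies a few triage heuristics to raw message headers: a Reply-To or Return-Path that points away from the sender's domain, a look-alike of your own domain, failed SPF/DKIM/DMARC results recorded by your own gateway, and urgency wording in the subject. The organisational domain `example.com` and the two messages are constructed for the example.

```python
"""Header-based phishing triage (added example, not the post author's code).

Assumptions not taken from the post: the organisation's own domain is
'example.com', and PHISH / LEGIT are constructed messages standing in for
real inbound mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"  # assumed organisational domain


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address header value, '' if absent."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def _levenshtein(a: str, b: str) -> int:
    """Edit distance; small but non-zero means a look-alike domain (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(raw: str) -> list:
    """Return human-readable findings for one raw RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    return_dom = _domain(msg.get("Return-Path", ""))

    # 1. Replies would go to a different domain than the one shown as sender.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 2. Envelope sender does not match the header From.
    if return_dom and return_dom != from_dom:
        findings.append(f"Return-Path domain {return_dom} differs from From domain {from_dom}")
    # 3. Sender domain is a near-miss of our own (typo-squat / homoglyph).
    if from_dom != OUR_DOMAIN and 0 < _levenshtein(from_dom, OUR_DOMAIN) <= 2:
        findings.append(f"From domain {from_dom} looks like {OUR_DOMAIN}")
    # 4. Our own gateway recorded an authentication failure.
    auth = msg.get("Authentication-Results", "")
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|softfail|permerror)", auth, re.I):
            findings.append(f"{mech.upper()} failed: {auth.strip()}")
    # 5. Pressure wording in the subject, a common social-engineering cue.
    subject = msg.get("Subject", "")
    if re.search(r"\b(urgent|immediately|suspended|verify your account)\b", subject, re.I):
        findings.append(f"Urgency cue in subject: {subject!r}")
    return findings


# Constructed sample messages (not real mail).
PHISH = """From: "IT Helpdesk" <helpdesk@examp1e.com>
Reply-To: recover@mail-recovery.invalid
Return-Path: <bounce@mail-recovery.invalid>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=mail-recovery.invalid; dmarc=fail
Subject: URGENT: your mailbox will be suspended
To: staff@example.com

Please sign in at the link below to keep your mailbox.
"""

LEGIT = """From: "Payroll" <payroll@example.com>
Return-Path: <payroll@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass; dmarc=pass
Subject: June payslips are available
To: staff@example.com

Payslips for June are now in the HR portal.
"""

if __name__ == "__main__":
    for label, raw in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(raw))
```

None of these checks is proof on its own; the point is to surface several independent signals to the person reading the report and to feed the same findings back into the phishing-awareness training the paragraph describes.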

Do you have a tried and tested disaster recovery plan? You should. Ransomware attacks should only be one part of it. What would you do if the phones went down? If you had a flood in the building? Or if your website was hacked? Your team needs to know the plan: who is responsible for what, and what each of them must do. Make sure stakeholders have a printed copy of this – there’s no point in having an encrypted disaster recovery plan in the event of a ransomware demand.

What do you do on Tuesdays? You patch. A regular and thorough software/OS patch management routine is critical preventative maintenance: it keeps machines up to date, stable, and safe from malware and other threats. ABP: Always Be Patching.

It's good practice for IT departments to back up company data regularly and securely, off-site. This is by no means a guarantee: some ransomware has been seen to reach and encrypt even backed-up files (including ones supposedly air-gapped), but it can help in some cases – though probably not for long, as bots get more savvy and bad actors have the time and resources to develop more sophisticated programs. Tooling that follows data through to its backup locations is available for purchase on the dark web, and the black hat hacker community is not to be underestimated.
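A backup you cannot trust is not much better than no backup, so the example below (added for this post; not the author's or any vendor's tooling) shows one way to check a backup set against a SHA-256 manifest taken when the backup was made, and to flag changed files whose byte entropy is high enough to suggest they have been encrypted rather than legitimately edited. The directory, file contents and the XOR "encryption" used to simulate a tampered file are all constructed; the manifest is assumed to be kept separately from the backup medium (for example on write-once storage) so that whatever rewrites the backup cannot rewrite the manifest too.

```python
"""Verify an off-site backup against a hash manifest and flag files that look
encrypted (added example, not the post author's code).

Assumption: the manifest is stored apart from the backup (e.g. write-once
media), so it survives anything that tampers with the backup itself.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each file path (relative to root) to its SHA-256 at backup time."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def verify_backup(root: str, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the backup on disk with the manifest and classify every file."""
    report = {"ok": [], "changed": [], "missing": [], "suspect_encrypted": []}
    for rel, expected in sorted(manifest.items()):
        full = os.path.join(root, rel)
        if not os.path.exists(full):
            report["missing"].append(rel)
            continue
        if sha256_file(full) == expected:
            report["ok"].append(rel)
            continue
        report["changed"].append(rel)
        with open(full, "rb") as fh:
            sample = fh.read(1 << 20)  # the first MiB is enough to judge entropy
        if shannon_entropy(sample) >= entropy_threshold:
            report["suspect_encrypted"].append(rel)
    return report


def _simulate_tamper(data: bytes) -> bytes:
    """Constructed stand-in for an encrypted file: XOR with a SHA-256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(b"constructed-key" + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


def demo() -> dict:
    """Build a constructed backup, record its manifest, tamper with one file, verify."""
    root = tempfile.mkdtemp()
    files = {
        "readme.txt": b"Quarterly backup of the invoicing share.\n" * 20,
        "invoices.csv": b"id,customer,amount\n" + b"".join(
            f"{i},customer{i},{i * 10}\n".encode() for i in range(200)),
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(body)
    manifest = build_manifest(root)  # in practice: copied off the backup medium
    # Simulate something reaching the backup and rewriting one file in place.
    with open(os.path.join(root, "invoices.csv"), "wb") as fh:
        fh.write(_simulate_tamper(files["invoices.csv"]))
    return verify_backup(root, manifest)


if __name__ == "__main__":
    print(demo())
```

Running `demo()` reports `readme.txt` as ok and `invoices.csv` as both changed and suspect-encrypted. Run a check like this on a schedule against the restored copy, not only against the live backup, because a backup that verifies but cannot be restored is the same failure in a different place.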

Install anti-virus or a web application firewall (WAF), intrusion prevention / intrusion detection systems (IPS/IDS), and other controls to prevent ransomware from communicating with its command and control (C2) servers. Cyber attackers “will penetrate the organization’s network and stay for months, sometimes years” prior to encryption, and this is the time when they are vulnerable to detection and when you can stop an attack before it happens. Also, invest in runtime application self-protection (RASP) for protection against known and zero-day attacks that patching may miss. Enforcing two-factor authentication (2FA) can also bolster your security posture.
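The dwell time described above is also the window in which an implant's regular check-ins to its C2 server stand out in proxy or firewall logs. The script below (an added example written for this post, not the author's code or any IDS product's logic) groups requests by source and destination host and flags pairs that are contacted at near-constant intervals, which is how a simple beaconing detection works. The log format, IP addresses and host names are constructed; `status.c2-constructed.invalid` plays the part of the C2 host.

```python
"""Beacon-like periodic connection detection over proxy logs (added example,
not the post author's code). The log lines, hosts and addresses are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: one host is hit every 60 s with a tiny response body,
# the rest is ordinary, irregular browsing.
SAMPLE_LOG = """\
2021-07-11T10:00:00Z 10.0.0.5 GET https://www.example.com/ 200 48211
2021-07-11T10:00:07Z 10.0.0.5 GET https://cdn.example.com/app.js 200 91233
2021-07-11T10:00:30Z 10.0.0.5 GET https://status.c2-constructed.invalid/ping 200 312
2021-07-11T10:01:30Z 10.0.0.5 GET https://status.c2-constructed.invalid/ping 200 310
2021-07-11T10:01:52Z 10.0.0.5 GET https://www.example.org/news 200 66102
2021-07-11T10:02:30Z 10.0.0.5 GET https://status.c2-constructed.invalid/ping 200 315
2021-07-11T10:03:30Z 10.0.0.5 GET https://status.c2-constructed.invalid/ping 200 309
2021-07-11T10:03:41Z 10.0.0.5 GET https://www.example.org/news/2 200 70311
2021-07-11T10:04:30Z 10.0.0.5 GET https://status.c2-constructed.invalid/ping 200 311
2021-07-11T10:05:30Z 10.0.0.5 GET https://status.c2-constructed.invalid/ping 200 314
2021-07-11T10:06:30Z 10.0.0.5 GET https://status.c2-constructed.invalid/ping 200 312
2021-07-11T10:07:30Z 10.0.0.5 GET https://status.c2-constructed.invalid/ping 200 310
2021-07-11T10:09:12Z 10.0.0.7 GET https://www.example.com/ 200 48211
"""


def parse_line(line: str) -> tuple:
    """Return (timestamp, source_ip, host, response_bytes) for one constructed log line."""
    ts, src, _method, url, _status, size = line.split()
    host = url.split("/", 3)[2]  # 'https://host/path' -> 'host'
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, host, int(size)


def find_beacons(log: str, min_hits: int = 6, max_jitter: float = 0.15,
                 allow=frozenset()) -> list:
    """Flag (source, host) pairs contacted at near-constant intervals.

    max_jitter bounds the coefficient of variation (stdev / mean) of the gaps
    between consecutive requests; genuine beacons sit near 0 even with some
    jitter, while human browsing is far more irregular. Hosts in `allow`
    (known update/telemetry endpoints) are skipped.
    """
    series = defaultdict(list)
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, src, host, _ = parse_line(line)
        series[(src, host)].append(ts)

    findings = []
    for (src, host), times in series.items():
        if host in allow or len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"src": src, "host": host,
                             "hits": len(times), "period_s": round(avg, 1)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

On the sample, `find_beacons` returns the single pair `10.0.0.5` to `status.c2-constructed.invalid` with eight hits at a 60-second period. Real implants add jitter and sleep longer, so tune `max_jitter` and `min_hits` to your traffic, and maintain the allow-list: legitimate software updaters and monitoring agents beacon too, and an unfiltered rule will drown in them.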

Save time, stress, and tens of thousands of dollars

An attack at some point is statistically inevitable, with an all-time high of 69% of organizations having been victimized by ransomware in 2021, so spend a fraction of what you could lose on preventative measures rather than on paying criminals. A small investment of time, effort, and funds right now is better than chaos later.