So, they’re in. The data’s been hijacked, and systems are on lockdown. But don’t worry, you can get it all back. For a price.
‘Don’t pay!’ plead the cyber security experts and law enforcement, but with your business at risk you face a dilemma: you are not sure whether you can access your backup, and the price and time spent on recovery could be significantly higher than the cost of simply paying the ransom.
With the devil on one shoulder and the angel on the other, the quandary of whether or not to pay starts to weigh.
Hackers will use ransomware to infiltrate a business, usually to encrypt (lock out) files. The culprits will then offer a decryption key which they claim may restore some or all of the data in return for a ransom, usually made as a bitcoin payment, or through some other untraceable cryptocurrency.
Show me the money
“Ransomware is a criminal enterprise, where those who play by the hackers’ rules help fund their next attack on an unsuspecting victim,” states Jason Illingworth, principal analyst at IT security service firm NormCyber.
It’s true that paying the ransom does not guarantee the protection of stolen data, and in the worst-case scenario, organisations will simply be out of pocket, on top of being shut out of their systems.
And even when the keys are handed back, it may still take a long time to recover systems.
“Look at Ireland’s health service that was hit by [ransomware gang] Conti – the team there were still attempting to recover from a cyber attack six weeks in, even with the decryption keys,” notes Paul Baird, CTSO UK at Qualys.
To add insult to injury, data regulators may dole out fines that could range up to hundreds of thousands of pounds.
As part of a bid to crack down on ransomware operators, there is an ongoing debate as to whether it should be illegal for businesses or individuals to pay a ransom – or, at a minimum, whether it should be mandatory to report ransomware payments to the authorities – something that the Australian government is currently considering.
Meanwhile in the UK, the government’s intelligence arm GCHQ and its data protection watchdog ICO joined forces with the Law Society this summer to launch a campaign to actively discourage lawyers from advising their clients to pay out.
Yet, despite the advice and the pitfalls involved in paying, the prospect of being handed a decryption key to recover data quickly is tempting for many firms.
More than 80% of British companies that have suffered a ransomware attack paid their attackers, a 2022 Proofpoint study found. The figure is significant even among smaller firms: around 20% of mid-market businesses end up paying ransoms, according to Code Red’s report The state of the UK’s cyber security response, with the average pay-out standing at £144,000.
“It rarely hurts [to pay],” opines Roger Grimes, a data driven defence evangelist at KnowBe4.
He adds that depending on the time and survey, the average percentage of victims who pay the ransom varies from 10% to over 60%, with the median percentage being about 40% to 60%.
To all the groups who say it never pays to pay, Grimes counters: why do the cyber security insurance companies always pay?
“Insurance companies know what it costs if you pay or don’t pay the ransom, and every insurance company will pay the ransom if they are reassured that paying the ransom will result in the victim getting the decryption keys and those decryption keys and programs working.”
So, while the received wisdom is not to pay out, there are several factors that could push an organisation into paying a ransom.
The financial impact of not paying and recovering systems over a long period of time could be greater than paying up and hoping that the keys will be handed over.
If cyber criminals have hit both the live data and the cold data backups (although these backups should always be segmented), then an organisation may have no choice but to pay if they want to be able to recover their systems and carry on with their functions.
“Typically, organisations must decide whether to pay out on a case-by-case basis. And it often comes down to limiting the reputational and financial damage of a breach, while carefully considering the ethical and legal implications that come with paying a demand,” says Richard Walters, CTO of Censornet.
Cian Heasley, security consultant at Adarma, acknowledges that paying out is a tough decision which needs to be made at board level, following discussions with various stakeholders including legal counsel, cyber insurers, law enforcement and other cyber security experts.
“Ideally, this should be discussed ahead of time, as part of your incident readiness preparations. But be mindful that even if an organisation makes the decision to pay the ransom there’s no guarantee that the attackers will uphold their part of the bargain,” he warns.
Double extortion
Here’s the rub: firms that do choose to pay are advised to ramp up security, because the business has just caved to the demands of criminals, leaving it an open target for a second or even a third hit.
“The very act of paying an initial ransom suggests to ransomware groups that the victim may be more open to paying a second or third time when presented with the threat of double extortion, in which data is published or sold online, and triple extortion, in which anyone affected by the data stolen is threatened individually with its publication,” warns James Tamblin, UK president of BlueVoyant.
Steven Furnell, a professor in cyber security at the University of Nottingham, cited recent evidence suggesting that 80% of victims that paid a ransom were hit a second time, often while still recovering from the initial attack and still in a vulnerable position.
Despite these statistics, other experts dispute the idea that double and triple extortion is common.
“Organisations spend an incredible number of resources recovering from incidents, often hiring one or many third-party companies to ensure the incident at hand is remedied, illegitimate access is denied, and steps are taken to prevent similar or worse cases from reoccurring,” assures Danielle Jablanski, an OT cyber security strategist at Nozomi Networks.
Whatever decisions are made, in the event of a ransomware attack the first 72 hours after a data breach are critical, according to BlueVoyant’s UK president, James Tamblin. “Every decision an organisation makes can carry financial, legal, regulatory, investigatory, and reputational repercussions,” he warns.
Incident response plan
And in the era of the zero-trust cyber security framework (which we discuss in the fourth part of this series) it’s not if a business is attacked, it’s when. And while the experts we spoke with might have been split on the issue of whether to pay up or not, all emphasised the importance of having a robust incident response (IR) plan to run through in the event of an attack.
An IR plan is a living document comprising the many components of a drill to be rehearsed in preparation for a real-life cyber-attack. The key pillars of any IR plan are preparation; detection; analysis; containment; eradication; recovery; and post-incident response activities.
The most important step of all is the first one, according to Muhammad Yahya Patel, a security evangelist at Check Point, as many businesses don’t prepare for a ransomware attack thinking that it won’t happen to them – a mindset that needs to change.
“Having an IR plan to run through is key to making sure you’re able to respond to an attack efficiently. You want to analyse the different streams in your business that need to get started once you are attacked and to make sure that they will be able to function as you deal with the threat,” adds Patel.
Planning for an incident typically involves establishing roles and responsibilities; identifying contingency plans; prioritising physical and environmental safety; setting policies for backups, recovery and restoration; preparing crisis communications; and ensuring a thorough post-incident forensic investigation is conducted, with lessons learned.
This drill also needs to be routinely tested and revised to meet evolving needs, according to Larry Gagnon, senior vice president, Global Incident Response, eSentire. “An untested IR plan is little more than a list of suggested actions,” he says.
“Test, test, test. This is best achieved through tabletop exercises: scenario-based tests of your IR plan that help to identify gaps and inefficiencies in your documented processes,” he adds.
Who, what, where?
In the event of a breach, it’s important to be able to reach out to the right people quickly and ensure that key players understand their roles and how they can minimise disruption to your operations and customers.
According to eSentire’s Gagnon, there are typically two distinct tracks in response to a breach or a malware event – a tech track and an executive track.
“The tech track is where the rubber meets the road. Forensic experts and client network teams work together to deploy and configure tools, contain the active threat, collect relevant data for analysis and remediate any security gaps within the network,” he explains.
If it’s not your IR provider taking the reins, the responsibility for the tech track usually falls to the IT department. Within the IT team, an IR manager may coordinate the effort, with security analysts undertaking the analysis and threat researchers providing context around the information gathered.
It’s also on the IT team to plan what steps will be taken to secure the environment and mitigate further exposure, identify impacted devices and data, log what sources are available, and engage the company’s disaster recovery programme or business continuity plan to restore the impacted devices and keep the business operating.
The executive track, meanwhile, is focused on elements of risk. Damage to reputation, financing the response, business interruption and the potential for future litigation are all considered by the executive team.
According to Qualys’ Paul Baird, the responsibility shouldn’t lie solely with the tech track (although it often does), since having more senior department heads in the incident management room means the information and messaging can be controlled.
“[IR] should involve a broader catchment that includes public relations, HR (if it is a staff data breach), legal and service delivery. Depending on the company and industry, it may also need teams responsible for things like manufacturing processes as well,” he says.
Oisin Fouere, head of cyber incident response at KPMG UK, adds that it’s also important to keep customers, partners, suppliers, investors and regulators in the loop.
In some firms this responsibility falls to the comms team, but the main thing is to have a designated spokesperson ready if an attack occurs and to prepare content for a quick response that keeps these stakeholders informed.
Ransomware operators have the upper hand when the authorities are not notified, so it’s also recommended to contact law enforcement – while taking measures not to alert the hackers.
Post incident, as soon as the main threat has passed, organisations are advised to conduct a full retrospective audit, “ideally without blame or scapegoats, and share their findings and steps taken with the world,” according to Jack Garnsey, security awareness training product manager at VIPRE.
He adds: “Often, many ransomware attacks go unreported – and this is where a lot of criminal power lies. Full disclosure is helpful – not only for customers but also for other organisations – to understand how they can prevent an attack of this type from being successful again.”