To pay or not to pay? Notwithstanding the ethical and emerging federal legal liability issues associated with paying a ransom, what should you do in this situation?
Steve Durbin, Chief Executive, ISF
Police forces, healthcare providers, educational institutes, the oil industry, entire governments — no sector is immune to the ransomware epidemic. Once you’re hit, it can threaten your organization’s very existence. The threat is so pervasive, the ramifications so dire, that the U.S. Department of Justice has elevated all ransomware investigations to a similar priority class as terrorism.
Today, cyberspace is effectively the fourth domain of defense after air, sea and land. A ransomware attack on the operational technology supporting critical infrastructure can have just as much impact as a full-scale physical attack.
And that’s exactly what we’ve witnessed throughout 2021: the Colonial Pipeline hack created critical gas shortages across the East Coast, and then the massive $11 million attack on the meat giant JBS temporarily halted 23% of the American meat industry.
Given the high stakes and how easy it has recently become to launch an attack, the fact is that the ransomware menace is here to stay. As someone who works in cybersecurity, I’d like to share some things I think you should keep in mind when securing your own organization.
Growing digital connectivity, complex IT infrastructure and intricate supply chain networks all dramatically expand your organization’s attack surface. That means skilled cybercriminals are more likely than ever to infiltrate your internal network with ransomware payloads.
We’re also witnessing a huge shift away from “spray and pray” ransomware attacks, in which attackers randomly target a large number of organizations and leave success to chance. These groups are becoming more advanced, elevated to criminal cartel status, meticulously picking their targets and executing coordinated attacks that are multipronged and sophisticated.
Ransomware can reach you in one of three ways, and knowing them can help you stay informed and prepared:
- Targeted ransomware attacks: Motivated and highly sophisticated threat actors can choose your organization as a deliberate target and spend months in the reconnaissance phase, gathering information about you, your IT infrastructure and your employees from every possible source. They can target your privileged users like system admins via spear-phishing attacks or recruit malicious insiders to their side.
- Supply chain attacks: Your cyber defenses are only as strong as your most vulnerable supply chain partner. Supply chain attacks are gaining traction because they give cybercriminals access to otherwise secure networks through the weak defenses of partner companies. They also let attackers hit more than one organization in one go — they can spread the ransomware to everyone associated with the victim company. That’s exactly what happened in the very elaborate and certainly unprecedented Kaseya ransomware attack. It impacted multiple managed service providers and spread to their clients as well.
- Unintentional attacks: Just like any code, ransomware can have bugs that make it go haywire, as happened with the WannaCry ransomware, which spread using an exploit developed by the NSA. Although such uncontrolled, wild attacks aren’t that common anymore, many organizations still get caught in the crossfire. This was the case for Düsseldorf University Hospital, which was hit by ransomware intended for Heinrich Heine University. In some cases, the Colonial Pipeline hack for instance, even the perpetrators can’t anticipate the far-reaching consequences of an attack.
RaaS Rules Cybercrime Underground
Until recently, ransomware was largely a weapon of choice for organized cybercrime groups that had the technical expertise to execute such sophisticated attacks. However, RaaS (Ransomware-as-a-Service) has transformed the ransomware landscape: amateur hackers can simply subscribe to pre-packaged ransomware services from underground criminals, which often include the attack code, delivery mechanisms and even chat room and help desk assistance.
Because of this, practically anyone can launch ransomware against any target. Some underground groups such as REvil are notorious for their big-game hunting, deliberately targeting profitable global enterprises with time-critical business operations, such as just-in-time manufacturers, because they’re more likely to fulfill outrageous ransom demands quickly. Others use the double extortion technique, whereby they steal the data before encrypting it and threaten to expose it to maximize their chances of getting paid.
To Pay Or Not To Pay?
Notwithstanding the ethical and emerging federal legal liability issues associated with paying a ransom, what should you do in this situation? One thing to note is that organizations that choose to pay the ransom rarely get their data back in full. It’s not that these companies don’t receive the decryption keys after paying; after all, ransomware groups need to sustain their market reputation if they want to continue extorting other victims. But running decryption tools across hundreds of computers and file systems is technically fraught, and there’s a high probability that something will go astray.
What’s more, many of those who choose to pay the ransom suffer another ransomware attack shortly thereafter. Both the FBI and CISA (Cybersecurity & Infrastructure Security Agency) push alternatives to paying ransoms and recommend not yielding to extortion demands.
Ways To Survive The Ransomware Menace
Kudos to you if you’ve managed to dodge the ransomware menace so far. But don’t pop the champagne just yet. Ransomware is predicted to hit an organization every 11 seconds by the end of this year. It’s no longer a matter of “if” but “when” a ransomware group will attempt to target you. And if you’ve already been through an attack, you’re certainly not immune to the deadlier, more contagious variants. So the question remains: How prepared are you to survive the ransomware epidemic?
Having offline data backups is no longer enough. Your organization should hold security awareness training and arrange phishing assessments for your employees. Prepare a ransomware plan so you know how to effectively contain the threat, resume operations and engage with the attackers when the time comes.
You can also obtain cyber insurance, which may give you access to qualified ransomware negotiators. Even if your carrier won’t cover the ransom payment in full, they’ll run security audits of your network systems to scrutinize the resiliency of your IT infrastructure before underwriting a policy. As a first response, partner with law enforcement by reporting any breach to your local FBI field office and to CISA.