Ransomware attacks lead the headlines and strike fear in the hearts of executives who face crippling operational shutdowns and public relations nightmares. Yet too many executives are prepared to pay a ransom without considering other avenues as a means of business recovery, and place too much trust in insurance coverage and the honesty of criminal cartels. Paying a ransom doesn’t always lead to recovery.
The question, then, is assuming you can, should you pay the ransom? And perhaps more important, can you justify the decision to your board of directors, insurance carrier, and law enforcement?
The answer doesn’t fit nicely in a yes or no convention. Perhaps the closest answer is, it depends. The point is that ransom payment is often the only choice – but shouldn’t be the first one.
Cyber insurance and data back-ups have proven a partial solution. Yet the majority of insurance policies, when paid out, create major losses for the insurer. This means premiums will go up, coverage will go down, and more “good driver history” type enforcement will apply. In fact, insurance renewals are now measured in months, not days.
And back-ups designed in the days of business continuity weren’t designed to withstand intentional espionage – which is a staple tactic of ransomware gangs. You need more than a “fix-it-after” approach.
Avoiding Ransomware Payment Demands
When asked how you can best avoid paying a ransom, the answer is to catch the cyberattack in its early stages. Criminals employ common tactics, techniques and procedures, which provide a breadcrumb trail for security experts, and can be caught in early stages with rapid detection and response.
The faster you identify the early stages of the attack (and there are plenty of indicators), the better chance you have of preventing your adversary from establishing a persistent connection that leads to a pervasive ransomware detonation.
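The "breadcrumb trail" above is easiest to act on when it is written down as detection logic. The following is an added example, not code from the article or from eSentire: it runs two assumed early-stage indicators over constructed log lines. Both indicators (a burst of authentication failures from one source followed by a success from that same source, and a burst of file renames on one host that all gain the same new extension) are illustrations chosen for this example; the log format, thresholds and five-minute window are assumptions as well.

```python
"""Early-stage ransomware indicator triage over constructed sample logs.

Added example, not from the original article. The two indicators, the
log format and the thresholds are assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <event> <source> key=value ..."
SAMPLE_LOG = """\
2024-03-01T02:00:01 AUTH_FAIL 203.0.113.7 user=alice
2024-03-01T02:00:03 AUTH_FAIL 203.0.113.7 user=bob
2024-03-01T02:00:05 AUTH_FAIL 203.0.113.7 user=carol
2024-03-01T02:00:06 AUTH_FAIL 203.0.113.7 user=dave
2024-03-01T02:00:08 AUTH_FAIL 203.0.113.7 user=erin
2024-03-01T02:00:10 AUTH_OK 203.0.113.7 user=erin
2024-03-01T02:30:00 AUTH_FAIL 198.51.100.4 user=grace
2024-03-01T02:31:00 AUTH_OK 198.51.100.4 user=grace
2024-03-01T03:10:00 FILE_RENAME fileserver01 old=q1.xlsx new=q1.xlsx.locked
2024-03-01T03:10:01 FILE_RENAME fileserver01 old=q2.xlsx new=q2.xlsx.locked
2024-03-01T03:10:01 FILE_RENAME fileserver01 old=budget.docx new=budget.docx.locked
2024-03-01T03:10:02 FILE_RENAME fileserver01 old=plan.pptx new=plan.pptx.locked
2024-03-01T03:10:03 FILE_RENAME fileserver01 old=notes.txt new=notes.txt.locked
2024-03-01T03:10:04 FILE_RENAME fileserver01 old=memo.txt new=memo.txt.locked
2024-03-01T09:00:00 FILE_RENAME fileserver02 old=draft.docx new=final.docx
"""

FAIL_THRESHOLD = 5        # assumed: failures from one source inside the window
RENAME_THRESHOLD = 5      # assumed: renames to one new extension inside the window
WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Turn each sample line into a dict with a datetime and the key=value fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, source, detail = line.split(" ", 3)
        fields = dict(kv.split("=", 1) for kv in detail.split())
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind,
                       "source": source, **fields})
    return sorted(events, key=lambda e: e["ts"])


def detect_auth_bursts(events):
    """Many failures from one source, then a success from that same source."""
    findings = []
    by_source = defaultdict(list)
    for e in events:
        if e["kind"] in ("AUTH_FAIL", "AUTH_OK"):
            by_source[e["source"]].append(e)
    for source, evs in by_source.items():
        fails = []   # timestamps of recent failures from this source
        for e in evs:
            fails = [t for t in fails if e["ts"] - t <= WINDOW]  # drop old ones
            if e["kind"] == "AUTH_FAIL":
                fails.append(e["ts"])
            elif len(fails) >= FAIL_THRESHOLD:
                findings.append({"indicator": "auth_burst_then_success",
                                 "source": source, "user": e["user"],
                                 "failures": len(fails), "at": e["ts"].isoformat()})
                fails = []
    return findings


def detect_rename_bursts(events):
    """A burst of renames on one host that all change to the same new extension."""
    findings = []
    by_host = defaultdict(list)
    for e in events:
        if e["kind"] == "FILE_RENAME":
            by_host[e["source"]].append(e)
    for host, evs in by_host.items():
        by_ext = defaultdict(list)
        for e in evs:
            old_ext = e["old"].rsplit(".", 1)[-1] if "." in e["old"] else ""
            new_ext = e["new"].rsplit(".", 1)[-1] if "." in e["new"] else ""
            if new_ext and new_ext != old_ext:      # extension actually changed
                by_ext[new_ext].append(e["ts"])
        for ext, times in by_ext.items():
            start = 0                                # sliding window over timestamps
            for end in range(len(times)):
                while times[end] - times[start] > WINDOW:
                    start += 1
                if end - start + 1 >= RENAME_THRESHOLD:
                    findings.append({"indicator": "rename_burst", "source": host,
                                     "extension": ext, "count": end - start + 1,
                                     "at": times[end].isoformat()})
                    break                            # one finding per host/extension
    return findings


def triage(text):
    """Run every indicator over the log text and return the combined findings."""
    events = parse_log(text)
    return detect_auth_bursts(events) + detect_rename_bursts(events)


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

The single failure-then-success from 198.51.100.4 and the ordinary rename on fileserver02 produce nothing, which is the point: the thresholds separate a user mistyping a password or renaming a draft from the patterns worth paging someone about, and the window keeps the state bounded so the same logic can run continuously against a live feed.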
Assuming you don’t catch the criminals in the act, then rapid recovery is preferable to payment. With resilient business continuity practices and disaster recovery programs in place, you can restore systems while mitigating prolific service outages. It doesn’t mean the criminals won’t be back, but the first score goes to you. And while criminals can shutter your operations in minutes, it might take you weeks or months to get back to business as usual.
The majority of firms that pay ransoms believed they were prepared. They didn’t see themselves as a target. They downplayed the risk or overestimated their ability to thwart the assault. Don’t let that be you.
Before You Pay Ransomware, Do Your Homework
The legal landscape of ransomware attacks and data breaches has changed significantly over the last couple of years. Once protected by attorney-client privilege, incident response documents, executive decisions and potentially damaging budget exclusions can lead to expensive lawsuits or insurance claim denials.
And many government agencies are pushing a “don’t pay” ethos backed by restrictions and even prosecution if you make a payment to a known terrorist or cybercriminal group. As such, you need to do your homework before you decide to pay.
When faced with this decision, no one is going to make it for you. No one will indemnify your decision or alleviate knock-on liability – that’s only limited by the creativity of the plaintiff’s lawyers. You need to engage experts who can help you plan and respond to a major incident like a ransomware attack. Know your obligations.
Before Paying Ransomware: Hard Questions
I often say this: You need specific information to make informed decisions that are designed to minimize any negative impact.
If you are faced with the untenable decision to pay a ransom, ask yourself these questions before you do:
- Can we recover without paying the ransom?
- Will paying the ransom accelerate the recovery?
- Is paying the ransom the only viable option?
- Can we pay the ransom without risk of legal penalty?
- Should we contact law enforcement and will that help if we violate a sanction?
- Will our insurer cover the ransom?
- Should we notify our clients, partners or employees?
- Are we required to notify regulators or state authorities?
When you answer those questions, like the issue of ransom payment itself, it’s not a yes or no exercise. Remember, of course, that you have to stand by your answers and possibly defend your decisions in court.
At a cybersecurity event, I had the privilege of meeting Bruce Mathison, who was a star quarterback for the Buffalo Bills back in the 1980s. While trading a signed copy of my book for a signed copy of his rookie card, he gave me the best piece of wisdom for dealing with incidents out of your control.
He said, “You don’t practice until you get it right. You practice until you don’t get it wrong.” Sage advice from a veteran of the gridiron.
So how do you establish controls and programs – methods to practice – that detect and respond to a ransomware attack? Basic security controls drastically reduce the risk of a business-disrupting ransomware attack, and provide quick recovery methods that don’t rely on paying extortion fees for decryption keys (these keys don’t always work, but that’s another topic).
Here are basic controls for your two main groups:
- Require multi-factor authentication to access business systems.
- Protect remote connections with a Virtual Private Network (VPN) or equivalent service.
- Mandate user awareness training and testing that covers:
  - Job-based phishing lures, not generic examples.
  - Downloading files from untrusted sources.
  - Inspecting URLs and file extensions to ensure legitimate and intended content.
  - Prohibiting free versions of applications.
  - Compliance-based requirements.
- Employ least privilege for employees and remove administrative rights where possible.
- Disable Remote Desktop Protocol (RDP) when not in use.
- Segment network systems.
- Regularly patch systems based on a prioritized list of critical systems.
- Back-up all critical files and systems using segmented or offline designs and regularly test fail-over and recovery services.
- Restrict administrative access to critical systems with Privileged Access Management (PAM) or similar systems.
- Deploy Endpoint Detection and Response (EDR) agents on Domain Controllers (DC), centralized logging systems, Active Directory (AD) servers and other critical systems frequently targeted by criminals.
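A list like the one above is only useful if someone regularly checks the estate against it and fixes the most exposed systems first. The following is an added example, not code from the article or from eSentire: it audits a constructed host inventory against several of the controls listed (MFA, unused RDP, least privilege, patch currency, offline backups, EDR on critical systems, and segmentation between workstations and critical servers) and orders the remediation work so that domain controllers and logging systems come first. The inventory fields, the rule names, the choice of critical roles and the 30-day patch threshold are all assumptions made for this example.

```python
"""Audit a constructed host inventory against basic ransomware controls.

Added example, not from the original article. The inventory format, the
rule names, CRITICAL_ROLES and PATCH_MAX_AGE_DAYS are assumptions.
"""
from collections import defaultdict
from datetime import date

CRITICAL_ROLES = {"domain_controller", "logging", "file_server"}  # assumed
PATCH_MAX_AGE_DAYS = 30                                            # assumed
TODAY = date(2024, 3, 1)   # fixed so the example is reproducible

# Constructed inventory: one record per host
INVENTORY = [
    {"host": "dc01", "role": "domain_controller", "mfa": True,
     "rdp_enabled": True, "rdp_in_use": False, "edr": False,
     "local_admins": ["Domain Admins"], "last_patch": date(2024, 1, 10),
     "segment": "servers", "offline_backup": True},
    {"host": "log01", "role": "logging", "mfa": True,
     "rdp_enabled": False, "rdp_in_use": False, "edr": True,
     "local_admins": ["Domain Admins"], "last_patch": date(2024, 2, 25),
     "segment": "corp", "offline_backup": True},
    {"host": "ws-042", "role": "workstation", "mfa": False,
     "rdp_enabled": True, "rdp_in_use": True, "edr": True,
     "local_admins": ["Domain Admins", "jsmith"], "last_patch": date(2024, 2, 28),
     "segment": "corp", "offline_backup": False},
]


def check_host(h, today=TODAY):
    """Return the names of the controls this host fails, in a fixed order."""
    findings = []
    if not h["mfa"]:
        findings.append("mfa_missing")
    if h["rdp_enabled"] and not h["rdp_in_use"]:          # RDP should be off when unused
        findings.append("rdp_enabled_but_unused")
    if h["role"] in CRITICAL_ROLES and not h["edr"]:       # EDR on DC/logging/file servers
        findings.append("edr_missing_on_critical")
    extra_admins = [a for a in h["local_admins"] if a != "Domain Admins"]
    if h["role"] == "workstation" and extra_admins:        # least privilege for users
        findings.append("user_has_admin_rights")
    if (today - h["last_patch"]).days > PATCH_MAX_AGE_DAYS:
        findings.append("patch_overdue")
    if h["role"] in CRITICAL_ROLES and not h["offline_backup"]:
        findings.append("no_offline_backup")
    return findings


def audit(inventory, today=TODAY):
    """Per-host findings plus an estate-wide segmentation check."""
    hosts = {}
    for h in inventory:
        findings = check_host(h, today)
        if findings:
            hosts[h["host"]] = {
                "priority": 1 if h["role"] in CRITICAL_ROLES else 2,
                "findings": findings,
            }
    # Segmentation: workstations sharing a segment with critical servers
    roles_by_segment = defaultdict(set)
    for h in inventory:
        roles_by_segment[h["segment"]].add(h["role"])
    flat = sorted(seg for seg, roles in roles_by_segment.items()
                  if "workstation" in roles and roles & CRITICAL_ROLES)
    return {"hosts": hosts, "flat_segments": flat}


def remediation_order(report):
    """Critical-role hosts first, then everything else, alphabetically within each."""
    return sorted(report["hosts"],
                  key=lambda name: (report["hosts"][name]["priority"], name))


if __name__ == "__main__":
    report = audit(INVENTORY)
    for name in remediation_order(report):
        print(name, report["hosts"][name])
    print("segments mixing workstations and critical servers:", report["flat_segments"])
```

Running it puts dc01 at the top of the list (unused RDP, no EDR, patching 51 days old) ahead of the workstation with a local administrator and no MFA, and flags the corp segment where a workstation sits next to the logging server. The ordering is the practical expression of "a prioritized list of critical systems": the same findings on a domain controller and on a workstation do not carry the same urgency.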
While bad actors will likely continue utilizing new ransomware to target vulnerabilities, there are things you can do to shore up your fortress walls. And should those walls be breached, remember to tread thoughtfully in regard to next steps.
While paying the ransom may seem like the quickest, easiest way to move forward, there’s too much at stake without asking yourself some key questions first.
About the Author:
Mark Sangster, Vice President and Industry Security Strategist, eSentire