Special feature from JLT Cyber Risk Consortium Partner Kivu Consulting, Inc.
Ransomware and related forms of cyber extortion aren’t only costly (from Merck & Co.’s recent announcement of USD 175 million in Q3 costs to fix the damage caused by their June NotPetya attack, to “extinction-level events” suffered by ill-prepared SMEs); they can also be the most personal form of corporate cybercrime.
A stranger has targeted your organization, has control over your digital assets, and may even be relishing your pain. No wonder companies facing their first ransom demand often go through one or all of the five stages of grief in the Kübler-Ross model (denial, anger, bargaining, depression and acceptance).
Even in the rare instance of an incident response plan that has been updated to reference ransomware, an organization’s first response is often panic and denial, leading to the first of the five stages:
Even before ransomware strikes, organizations are in denial about their likelihood of being attacked. While the government-sponsored APT attacks (think North Korea and Sony) make the headlines, the clear majority of cyber extortionists are targeting vulnerabilities, not specific assets.
If your organization has one of these vulnerabilities (an unpatched webserver or poorly configured remote access), the attacker gets in, roots around and only then begins his extortion. Another driving force in the rapidly growing ransomware economy is the proliferation of Ransomware-as-a-Service (RaaS), allowing newbie hackers to rent the malware, encryption tools and even the Bitcoin wallet to launch their own attacks with minimum expertise or expenditure.
The sheer number of attackers, changing attack vectors (phishing, social engineering, network penetration) and constantly evolving types of malware mean that anti-ransomware defenses either don’t work or have limited effectiveness.
For example, while there has been an undoubted recent surge in phishing attacks (often automated, but targeted to specific industries or the use of specific payroll or CRM applications), the metrics are skewed in that the phishing traffic is fairly easy to spot, monitor and block as it flows across the internet.
Equally prevalent, though less visible, are attacks using network vulnerabilities that penetrate systems without an employee clicking on a link, opening a PDF attachment or providing their credentials to a spoofed webpage.
Thus anti-phishing training (and restricting what employees can access and thus infect) only resolves part of the risk. Equally concerning is that, with more bad actors trying new attack variants, supposed cutting-edge defenses quickly become redundant.
For example, many “ransomware detection” tools entered the market this summer, which used “canary in a coalmine” files. If encrypted by ransomware, these files immediately triggered a closure of the system to stop the spread of the attack. However, within weeks we noticed variants of traditional ransomware, including the venerable Cerber malware, that had been specifically designed to avoid encrypting these “canary” files, and thus continue to propagate the infection.
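The canary approach and its blind spot, as an added example that is not from the original article or any vendor's tool: besides the canary files, every file in the baseline is checked for replacement by high-entropy data, so an attack that skips the canaries is still reported. The file names, the 7.0 bits-per-byte threshold and the verdict strings are assumptions.

```python
import hashlib, math, os, tempfile
from collections import Counter
from pathlib import Path

ENTROPY_LIMIT = 7.0  # assumed threshold (bits/byte); encrypted data sits near 8

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def snapshot(root: Path) -> dict:
    """Baseline: SHA-256 of every file under root, canaries included."""
    return {p: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*") if p.is_file()}

def assess(baseline: dict, canaries: set) -> str:
    """Compare current files with the baseline and classify the result."""
    rewritten = []
    for path, digest in baseline.items():
        if not path.exists():
            rewritten.append(path)  # deleted or renamed, e.g. a new extension
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() != digest and entropy(data) >= ENTROPY_LIMIT:
            rewritten.append(path)
    if any(p in canaries for p in rewritten):
        return "canary-tripped"
    # Canaries intact but other files replaced by high-entropy data: the
    # evasion case, which a canary-only tool would report as healthy.
    return "rewritten-around-canaries" if rewritten else "clean"

def demo() -> list:
    """Run on constructed sample files in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        canary, doc = Path(tmp, "0_canary.docx"), Path(tmp, "payroll.csv")
        for p in (canary, doc):
            p.write_bytes(b"constructed sample content\n" * 50)
        base = snapshot(Path(tmp))
        verdicts = [assess(base, {canary})]
        for p in (doc, canary):  # ordinary file is rewritten first, canary last
            p.write_bytes(os.urandom(8192))
            verdicts.append(assess(base, {canary}))
        return verdicts

if __name__ == "__main__":
    print(demo())
```

Ordinary edits that leave a file at low entropy are ignored by design, so the baseline must be refreshed from a known-good state rather than from the live system after an alert.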
The success of a ransom demand is in direct proportion to the pain it causes. If the victim is not upset, the attack has either failed or they’ve misunderstood the gravity of the situation. However, while perfectly understandable, anger has no place in a ransomware response. First, an organization’s response to ransomware should be similar to any incident or disaster – you follow a plan and you make rational business decisions using the evidence before you.
Before responding (in anger or calm) an organization must determine if it is able to recover from an attack without paying the ransom. This requires examining backups and uninfected parts of the network. Since such backups are frequently untested or outsourced to third parties, this can contain yet more unpleasant surprises for the victim. If nothing else, it’s vital that the attacked organization does not prematurely reject the attacker (or even worse antagonise them or hack back) only to discover that the backups are defective or missing.
If there is no practical way to recover data without paying a ransom, the outrage felt by the victim can interfere with making what is, fundamentally, a business decision. Faced with the likelihood of having to pay a ransom, victims will jump on anecdotal evidence like “attackers usually won’t provide the necessary decryption keys even if a ransom is paid.”
For example, if you carry out an online search of any specific strain of ransomware (often the first thing done by the victim’s IT department), the results will include postings on internet forums which claim that the perpetrator is a fraud and doesn’t turn over the decryption software. Inevitably, either these postings are the work of rival attackers attempting to smear a competitor’s reputation, or else the poster has left out some critical part of their story, such as sending the attacker incorrect information that prevented proper identification of the decryption keys, delaying responding to the attacker (sometimes for months), or being unable to sensibly communicate with the attacker about problems with the provided keys.
The truth is that while the victim is outraged, the attacker considers this just a business transaction with their own online reputation to maintain. While almost all cyber attackers appreciate they are committing some form of crime, many consider this just a temporary stage of their career in IT. Several foreign attackers have approached us offering their services as security consultants (rest assured we have retained none of them) or see ransomware as a means of funding their tech start-ups.
Negotiating with an attacker is not for the inexperienced or faint-hearted. While it may be possible to negotiate down a ransom (or only request the decryption keys for specific mission-critical systems at a discount), it’s equally likely that poorly communicated demands may exacerbate the problem. Attackers have frequently infected numerous organizations, all now requesting the specific decryption keys to unlock their systems.
The organization that has delayed responding or antagonized the attacker may go to the back of the queue. Frequently we find that whatever small reduction in the ransom might be obtained is outweighed by the significant risk of increased business interruption – or the possibility of a malevolent attacker who simply increases the ransom amount when annoyed. And in many cases, it is necessary to keep the attacker cooperative – especially as decryption keys frequently don’t immediately work and require additional input from the attacker. This is when a ransomware negotiator needs to be able to utilise native language skills (at the moment Russian and Portuguese), experience in cyber extortion, malware reverse engineering expertise and IT skills – a package unlikely to be found in-house.
The only thing worse than the anger of being attacked is the depression caused by realizing you have botched the response: delaying too long in the belief that functioning backups were available, so that the attacker is no longer responding, or paying the ransom only to find that you can’t get the provided decryption keys to work and are unable to obtain assistance from the attacker.
ACCEPTANCE, OR HOW CAN CYBER INSURANCE HELP?
Increasingly, cyber insurance coverage for ransomware provides the same critical components offered by kidnap and ransom policies – it provides a process and immediate access to experts at a time of enormous stress, as set out above. These services, which are typically beyond the experience of most commercial organizations, include:
- Providing the background knowledge into ransomware attacks that allows the victim organization to make an informed business decision whether to pay. For example, an understanding of the attacker - are they likely to be cooperative; the time it will take to decrypt crucial data even if a ransom is paid; and the amount of corruption that has been caused by the attack that will remain even if a ransom is paid (live SQL databases that were running at the time of the encryption are frequently “broken” by the attack)
- Carrying out due diligence on the attacker to confirm that the ransom payment is not in breach of anti-money laundering or anti-terrorist laws
- Professionally negotiating with the attacker in their native language, shielding the victim’s identity, and avoiding the discussion from becoming personal. Once the business decision is made to pay a ransom (and sufficient due diligence has been carried out), the sole aim of the process is to get the victim’s system restored as quickly and efficiently as possible
- Being able to make immediate payment of the ransom in the relevant crypto currency (usually Bitcoin or Ethereum)
- Providing a road map for the process to avoid the same outcome again. Paying the ransom and restoring your data does not mean that your system is secure or that the vulnerability that caused the incident has been identified or remediated. Even if the specific attacker has moved onto other victims, literally thousands of attackers are waiting to test the same vulnerability.
For more information, please contact Martin Delaney, Senior Vice President - Leader, Cyber and Risk Management Services at ClientFirst@jltcanada.com.