The crudely written ransom notes in movies 20-30 years ago may have been replaced by more modern, digital missives – like a texted photo a la Liam Neeson’s “Taken” – but the message remains the same: Pay up or else. That is the quandary business owners, municipal governments, school administrators and even librarians are now facing on an almost daily basis as a growing number of employees come to work only to find, when they turn on their PCs, that they’re staring at a computer screen with a plaintext message from an attacker demanding a bitcoin ransom in exchange for the keys needed to decrypt data being held hostage.

According to the FBI’s 2018 Internet Crime Report, 1,493 ransomware cases were reported last year, costing each victim on average $3.6 million. The FBI did list a few caveats with that figure, noting it does not include estimates of lost business, time, wages, files, equipment, or any third-party remediation services contracted by a victim. Also, not every victim reports a loss, and some understate the cost.

Any competent business advisor would likely tell a client that spending $76,000 to fend off an incident that could cost that organization millions would be money well spent, but that calculus is more complicated when the initial outlay is not to pay for a cybersecurity preventative measure, but rather for a cybercriminal’s ransom demand.
Unless an organization is the corporate equivalent of Neeson’s Bryan Mills in “Taken,” who relentlessly pursues kidnappers (through two sequels at that), meting out justice and violence in equal measure, it typically has three choices – pay the ransom and take the chance the bad guys will do as promised and send along the decryption keys; begin the recovery process using an established plan and backed-up data; or refuse to pay the ransom and then try to rebuild from scratch.

Two major U.S. cities recently chose that last tactic – at great cost.

When Atlanta was hit with SamSam ransomware in March 2018, it refused to pay the $51,000 ransom demand; it was then unable to work around the encryption and spent $17 million and many weeks rebuilding its network. Baltimore is now in the same boat, having refused to pay the attackers $76,000 and instead looking at a potential $18 million bill and months of repair work to get back online after the RobbinHood ransomware attack.

Jackson County, Ga., though, caved to its attacker’s demand to cough up $400,000 for decryption keys last March. The gamble paid off, County Manager Kevin Poe told SC Media. The county was willing to take the chance that the criminals would honor their word and let it regain access because there was no other choice.

Poe says forensic evidence showed the network had been infiltrated for quite some time and the attackers were able to essentially throw a switch and turn everything off, including the county’s 911 emergency system.

Most recently, on June 17 Riviera Beach, Fla., shelled out 65 bitcoins, almost $600,000, in an attempt to regain access to its completely shuttered network. To add insult to injury, the city also had to spend more than $900,000 to replace damaged computer equipment. Riviera Beach was followed just one week later by Lake City, Fla., which bowed to a ransom demand and paid about $400,000 to its attackers.

The greater capabilities being built into modern ransomware have pushed some victims to shell out ransom payments.

“A few years ago, if a company was locked out of its data by hackers, it wasn’t necessarily inclined to pay the ransom demand. That’s because there used to be a ‘silver bullet,’ in that if the company was doing regular backups of its systems, it could restore its data,” says Robert Rosenzweig, vice president and national cyber risk practice leader at Risk Strategies.

Now more complex malware gets hackers into the production environment as well as the backup system to deploy the ransomware encryption, meaning there’s no longer a perfect mitigating control.

If they pay up, though, organizations run the risk that the bad guys, like those in the “Taken” series, keep coming back for more, or that another set of cybercriminals pops up with new demands. Shortly after Jackson County, Riviera Beach and Lake City decided to pay up, the U.S. Conference of Mayors passed a resolution at its annual conference pledging not to pay ransoms.

The resolution contends paying ransoms merely encourages others to conduct similar attacks by showing there could be a financial benefit, and that it behooves municipal governments to de-incentivize these attacks to prevent further harm. The Conference of Mayors is composed of mayors representing cities with more than 30,000 residents.

“NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach,” the resolution says.

While paying the ransom or dealing with the exorbitant recovery costs is bad enough, some companies simply opt to go out of business.
After being a victim of a ransomware attack in April, Brookside ENT and Hearing Center in Battle Creek, Mich., told local TV station WWMT that when the $6,500 payment was not received all its files were wiped, so the doctors simply decided to close up shop and retire early.

In June, Belgian aerospace manufacturer ASCO Industries was forced to shutter several factories due to a ransomware attack. ASCO, currently in the process of being acquired by Wichita, Kan.-based Spirit AeroSystems, brought in outside help, but declined to offer any additional details. Reports at the time also indicated ASCO had shut down some of its Belgian factories, putting more than 1,000 workers on the sidelines, but the company has not made an official statement.

Organizations that had the forethought to buy cyber insurance with specific coverage for ransomware have a system in place to ease the budgetary pain. Lake City and LaPorte County, which paid a $130,000 ransom in July, both say having cyber insurance policies that would cover the majority of the ransom factored into their decisions to bow to their attackers’ demands.

It’s no surprise businesses increasingly find themselves victims of ransomware attacks. A Malwarebytes study found ransomware targeting businesses rose a shocking 365 percent from the second quarter of 2018 to the second quarter of 2019. Meanwhile, consumer detections of ransomware have been on the decline, decreasing by 12 percent year over year and 25 percent quarter over quarter. The shift makes perfect business sense, at least from the criminal’s perspective.

“Cybercriminals are searching for higher returns on their investment, and they can reap serious benefits from ransoming organizations over individuals, who might yield, at best, a few personal files that could be used for extortion or identity theft. Encrypting sensitive proprietary data on any number of endpoints allows cybercriminals to put forth much larger ransom demands while gaining an exponentially higher chance of getting paid,” the Malwarebytes report says.

Forrester Senior Analyst Josh Zelonis believes the option of paying the ransom, while odious, is a perfectly legitimate business decision and calls Baltimore Mayor Jack Young’s immediate choice not to pay “shortsighted,” adding that emotion has to be removed from the equation when deciding how to get a business or city back up and running.

“Forrester’s guidance is not a recommendation of whether or not to pay a ransom, but [rather a way] to recognize paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that you’re making the best decision for your organization,” he wrote.

Chris Bates, vice president of security strategy at SentinelOne, says there is only one truly correct answer to the problem: take a proactive approach and update legacy defense systems susceptible to sophisticated attacks, in addition to allocating additional resources to security team staffing, training and support, because the odds of regaining access to your data are not in the victim’s favor.

“Riviera Beach took the opposite approach of Baltimore, but paying the ransom is not the answer either, as recent research shows us that 45 percent of U.S. companies hit with a ransomware attack paid at least one ransom, but only 26 percent of these companies had their files unlocked. Furthermore, organizations that paid the ransoms were targeted and attacked again 73 percent of the time as attackers treat paying companies like ATMs,” Bates tells SC Media, citing the SentinelOne 2018 Global Ransomware Research Report.

American voters agree with Bates. A Harris poll commissioned by Anomali found:

• 64 percent of registered voters will not vote for candidates who approve of making ransomware payments.
• 66 percent of Americans believe that government organizations should never make ransomware payments to cybercriminals.
• 64 percent of Americans believe that businesses should never make ransomware payments to cybercriminals.
• 86 percent of Americans agree that when organizations make ransomware payments, they are encouraging cybercriminals to continue with such attacks.
• 70 percent of Americans agree that when organizations do make ransomware payments to cybercriminals, it is likely because they were left with no other choice.

There’s plenty of proof that being prepared pays off. The state of Louisiana under Governor John Bel Edwards won kudos for having a plan in place that, when activated, as it was this summer when Edwards declared a state of emergency after three school districts were hit with ransomware, makes a number of resources available to battle attacks.

“The Louisiana school districts benefited from pre-emptive measures that the state had taken to prepare for malicious cyber incidents, which led to the rapid deployment of technical assistance to the affected organizations. The quick response has so far allowed these school districts to avoid paying a ransom to those responsible for the attacks according to state officials, who caution that data recovery is not yet complete,” Moody’s said in a report.

Resources include the Louisiana National Guard, Louisiana State Police, Louisiana Office of Technology Services and Louisiana State University (LSU), coordinated by the Louisiana Governor’s Office of Homeland Security & Emergency Preparedness (GOHSEP).

Being prepared with the proper security in place and backups ready to go is a necessity for any company or municipality, and while it helps to have deep pockets to pay for advanced levels of protection, those organizations that have to count their pennies can still take precautions.

Ionut Nechita, threat labs senior analyst at Comodo Cybersecurity, advocates taking steps like restricting normal user access, so when ransomware is accidentally activated, it can’t do as much damage.

“Given ransomware is typically known to target and delete backups, having a backup of critical data, ideally in a different location, can keep your data away from attackers,” Nechita says.

But all is not lost for those organizations that don’t prepare in advance – a number of steps taken after the fact can help mitigate the situation and possibly even result in full recovery.

The first is possibly the most obvious – disconnect the impacted devices from the network and inform IT, says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

“Once disconnected, information security operations teams must determine the scope of the attack. Not all ransomware is the same. To properly respond it’s crucial to determine the attack type, who on the network is compromised, and what network permissions the compromised users may have,” DeGrippo says, adding that organizations should also bring in law enforcement and other outside resources at this juncture.

“The Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s lead civilian cybersecurity agency, has a number of resources to help state, local, tribal and territorial governments defend against the growing threat of ransomware. This includes exchanging the latest threat information, providing technical services and expertise, and supporting incident response,” says Scott McConnell, press secretary for CISA.

As beneficial as these steps and resources are to a victim, they are still being taken after the proverbial horse has left the barn. More prudent is putting a plan in place before suffering an attack. That way, an organization might avoid the agonizing decision of whether to pay or not to pay.

Cyber insurance’s impact on the decision to pay a ransom
It is likely more companies and municipalities will use their cyber insurance coverage to offset any potential costs related to being hit with ransomware, including paying the ransom, says Judy Selby, an insurance lawyer specializing in assisting firms purchasing cyber coverage.

“If you have the coverage you may as well take advantage of it,” Selby says, although she does not believe having the coverage will lead to victims simply opting to pay, because the insurance companies will demand every other method of recovering the data be tried first.

However, as with any policy, putting in a claim is likely to result in higher premiums down the road. Selby says right now pricing is still pretty soft, but she expects to see a bit of tightening in the cyber insurance market as it matures and it becomes easier for insurance actuaries to get a handle on these types of claims.

“We have data on every other industry, but little on cyber,” said Jeffrey Smith, managing partner at Cyber Risk Underwriters, during a presentation at Black Hat in August.

Other factors likely to come into play are insurance companies demanding their customers put proper cybersecurity measures in place during the underwriting process and possibly turn over control of any ransom negotiation or recovery process to the insurance company and its partners. This could be particularly true in cases where negotiations and haggling take place with the attacker over the ransom amount, Selby says, adding that this will be quite helpful for small businesses and municipalities that do not have the internal resources to deal with the situation.

Despite the obvious benefits of having a cyber insurance policy, not all companies opt for that protection. Smith notes that the cyber insurance penetration rate is less than 50 percent and only about one percent of insurance premiums collected industry-wide are from cyber policies. Some of the companies that seemingly decided against having cyber insurance paid a heavy price for this negligence.