[BreachExchange] Ransomware: To Pay Or Not To Pay, That Is Still A Real Question

Destry Winant destry at riskbasedsecurity.com
Wed Oct 10 00:07:31 EDT 2018


Ransomware has long been a lurking threat, but it really took center stage
in 2017 with the rapid spread of WannaCry and Petya/NotPetya. Like someone
flipping a switch, ransomware went from a manageable annoyance to a major
concern of not only security professionals but business owners and
executives everywhere. While questions have been raised around whether the
rate of ransomware attacks is rising or falling
year – fueled in part by the pivot to cryptojacking in lieu of relying on
payment of an extortion demand – one thing is for sure, we believe that
ransomware is not going away anytime soon.

Just like a cold or the flu, preventing an infection is generally much
preferred to actually getting sick. But as any security professional would
say, preventing ransomware infections is much easier said than done. A
quick Internet search produces no shortage of prevention tips, from
training employees to spot suspicious emails to leveraging sophisticated
security tools. One firm even goes so far as to suggest using
<https://www.blackstratus.com/guide-detecting-preventing-ransomware/> to
lure infections away from the rest of the network.

Regardless of which mitigation or prevention strategies are in place, no
organization can be 100% guaranteed to be safe from a ransomware event.
That’s what makes a sound recovery plan – with reliable backups – so
important. If the infection can be contained and data and systems restored
from backups, then the organization stands a fighting chance to recover
from the event none the worse for wear.

The more interesting question becomes: what to do if restoration isn’t an
option? What happens if the encryption also hits the backups, or spreads so
fast that the organization is left paralyzed and unable to function? In a
horrible situation such as this, leadership is faced with few options, and
none are particularly good:

   1. Accept the loss and start fresh, which is usually no option at all.
   2. Try to recover the files yourself.
   3. Outsource the issue and have a security firm help you figure it out.
   4. Pay the extortion demand yourself.

We wanted to spend some time covering the choices that an organization
faces in depth, specifically whether to pay or not if faced with a
ransomware situation.

Why You Shouldn’t Pay

When asked, a majority of security professionals will reply immediately
that you should never pay a ransom if infected by malware demanding money
to unlock your files (a.k.a. ransomware). In fact, many practitioners feel
so strongly about this stance that they don’t even want to discuss the
alternatives without providing much validation. Let’s look at a few reasons
why people may say that, and why you shouldn’t consider payment of a demand
as a viable option.

The FBI Says Don’t Do It?

Companies hit by ransomware are typically focused solely on getting their
data back as quickly as possible. Even though the FBI has stated that they
do *not* support paying a ransom <https://www.fbi.gov/investigate/cyber> –
for a number of good reasons – the end result and getting your organization
up and running again is all that matters, right? Depending on the infection
and how fast the data must be recovered, it may actually make sense that a
company is inclined to pay it. Even the FBI recognizes this fact. Their
guidance does *not* state “do not pay under any circumstances”. Rather, in
their “Ransomware Prevention and Response for CISOs” document, while
clearly not encouraging payment, they state:

Whether to pay a ransom is a serious decision, requiring the evaluation of
all options to protect shareholders, employees and customers. Victims will
want to evaluate the technical feasibility, timeliness, and cost of
restarting systems from backup.

So their guidance suggests a careful cost-benefit analysis on whether or
not to pay. The idea that the FBI says not to pay is actually a myth, and
some news organizations are trying to make that more clear.

The FBI, supported by multiple cybersecurity experts
<https://monstercloud.com/osiris-ransomware-facts/>, has on multiple
occasions insisted that when infected by ransomware, the best response is
to not pay unless it is an absolute necessity and there is no other way to
recover the hijacked files at all.

You Can Leverage Collaborative Projects For Free

There are web sites and projects that can help you beat the ransomware
without paying. For example, the “No More Ransom
<https://www.nomoreransom.org/>” project is an initiative by the National
High Tech Crime Unit of the Netherlands’ police, Europol’s European
Cybercrime Centre, and two cyber security companies – Kaspersky Lab and
McAfee – with the goal to help victims of ransomware retrieve their
encrypted data without having to pay the criminals. There are decryption
tools posted for more than 85 different types of ransomware.

You Are Marked as a Sucker (Repeatable Target)

One concern with paying off criminals is that you will be known to pay, and
once money is exchanged, malicious actors may continue to target your
organization. This could potentially make you and other payees a frequent
target in efforts to infect a machine. An article in *SC Magazine*
describes a company that found themselves in this position:

The company, having little other option, chose to pay up: “No-one said it
was a bad idea, although there was a level of feeling uncomfortable to
‘giving in’ to the thieves but by that stage we were out of ideas and it
seemed to be the only decision we could make.” It took most of the night to
complete the decryption, even after which roughly 10 percent of the files
were unrecoverable. The saga cost the business three days of work, at least
£25,000 pounds and a tenth of their data. Their IT provider was soon
replaced, and new security policies and staff training put in. The company
was targeted with ransomware several times in the months after “Apparently
there was an upsurge in ransomware aimed at us in the months following the
attack, we think this is because we were put on a ‘Suckers List’ by the
criminals and others were trying to cash in by seeing if we’d fixed our

There Is No Guarantee They Will Give Your Data Back

The people that create and distribute ransomware are criminals. By nature,
they are performing unethical and illegal activities to profit off other
people’s misfortune. With that in mind, if you pay the ransom, how do you
know if they will actually send you the code to unlock your data? *Bleeping
Computer* published an article that gave an interesting statistic:

The survey, carried out by research and marketing firm CyberEdge Group,
reveals that paying the ransom demand, even if for desperate reasons, does
not guarantee that victims will regain access to their files.

Of the 38.7% who opted to pay the ransom, a little less than half (19.1%)
recovered their files using the tools provided by the ransomware authors.

You Enable Ransomware Crime To Continue

The FBI and others believe that if organizations pay a ransom, it not only
encourages current cyber criminals to target additional organizations, it
also entices other criminals to get involved in ransomware as they will see
it as a lucrative activity. In addition, by paying a ransom, it has been
noted that this money could inadvertently be funding other illicit activity.

You Won’t Learn Your Lesson

Some security professionals argue (believe it or not) that if you don’t
feel the real pain: long outage, detailed recovery, and high costs, then
your organization won’t properly learn its lesson, meaning you will not be
as motivated to implement security improvements to the environment. With
the ransomware incident resolved, some may end up leaving the environment
as-is, with no remediation or lessons learned.

Why You Should Consider Paying

Paying a ransom is still largely a very unpopular method to recover from a
ransomware event and understandably so. However, when push comes to
shoved-against-a-very-hard-wall, we do see some organizations choose this
approach. Let’s look at a few reasons why paying to recover might be an
acceptable decision.

You Get Your Files Back Quickly

No matter the industry, for most organizations getting quick answers and
solutions for customers, partners, and shareholders is required. Most
businesses simply cannot be interrupted for any significant length of time
without a massive impact and for some, such as hospitals, potentially
<https://thehackernews.com/2016/11/hospital-cyber-attack-virus.html>. Paying
what is usually a relatively small amount of money to get past the
ransomware incident is extremely appealing as it lets the company get back
to business immediately.

ROI: Yes, It Can Be Cheaper! Much Cheaper!

Remember the ransomware attack on the City of Atlanta?
<https://www.atlantaga.gov/government/ransomware-cyberattack-information> It
wasn’t that long ago, just this past Spring, that the city’s government was
left paralyzed by a SamSam infection. On March 22nd, the malware raced
through the city’s IT operations, forcing staff to resort to old-fashioned
pen and paper
more than a week after the attack and leaving the busy Municipal Court
crippled for months.

City officials decided not to pay the ransom only to find themselves paying
millions of dollars trying to recover from the attack, rather than paying
the ~$50,000 asking price from the criminals. The city’s Department of
Procurements initially published their emergency response cost details,
which *Wired* magazine nicely summarized back in April.

THE CITY OF Atlanta spent more than $2.6 million on emergency efforts to
respond to a ransomware attack that destabilized
operations last month. Attackers, who infected the city’s systems with the
pernicious SamSam malware, asked for a ransom of roughly $50,000 worth of
bitcoin. (The exact value has fluctuated due to bitcoin’s volatility.)

The emergency contracts include (service, vendor and amount):

   Cisco Security Incident Response Services (CDW-G): $60,000
   Surge Support Staff Augmentation (Mosaic451): $60,000
   Emergency Incident Response Services (Secureworks): $650,000
   Advisory Services for Cyber Incident Response (Ernst & Young, LLC):
      $600,000
   Microsoft Cloud, Client Stack Design and Build, and Pro Services for
      Azure Active Directory, System Center, and Windows 10 (Fyrsoft):
      $730,000
   Crisis Communications Services (Edelman): $50,000
   Development and Deployment of Benchmark (Pioneer Technology Group):
      $124,000
   Microsoft Azure Cloud Engineering, Development, and Migration
      Professional Services (Airnet Group, Inc.): $393,328

As eye-popping as those figures might seem, it appears they were just the
tip of the recovery iceberg. In August, the *Atlanta-Constitution
Journal* obtained
a report
that estimated the *recovery costs could be as high as $17 million.* An argument
could be made that figure represents a lot of catch-up spending from years
of deferred IT investment instead of actual recovery costs. Regardless, it
does highlight that major events like this often force organizations to
come to terms with years of accumulated technical debt.

While this incident represented a chain of events that snowballed out of
control quickly, it’s a good reminder that a quick cost-benefit analysis
may point your organization down a different path.

Cyber Insurance Policies Cover Ransomware

It is no secret that we at RBS believe that cyber insurance policies can be
an important part of a comprehensive risk management program. Hopefully it
comes as no surprise to our regular readers that organizations can transfer
some of the financial burden arising out of ransomware events! It is
important that we emphasize again that not all cyber policies are the same,
and it is critical to make sure you actually read the fine print! “Cyber
Extortion” coverage can be built into a policy and is also routinely made
available as an add-on to cyber policies, although it may not be as
routinely purchased. Of all the coverages found in cyber policies, its
value to the buyer can be the trickiest to decipher. This is one area where
major differences can be found from one policy to the next. Some forms may
be limited to recovery costs incurred after a waiting period, while others
may kick in recovery assistance as soon as the event is uncovered. Most
will actually cover the cost of the extortion payment (bitcoin ransom
payment), although buyer beware, as certain policies may be subject to
limitations such as payments made “only at the direction of law
enforcement.” If you have a cyber policy that covers a ransomware event,
and it will handle the payment, then why not report the event and let the
claims department figure out the best way to recover (even if that includes
making a payment)?

Invest the Saved Money Into Security Improvements

As mentioned previously, recovering from a ransomware event unfortunately
can be very costly, and for the most part ransom demands continue to be
quite small. With a ransomware event being a massive wakeup call for an
organization, it could be argued that by saving a substantial amount of
money it then could be invested in improving an organization’s security
posture. Investments such as training employees, improving technical
controls including backups and reducing other technical IT debt that has

It Might Be The Only Option

At the end of the day, paying a ransom might not be the preferred solution,
but it just might be the only solution to get an organization back up and
running properly. If this is the case, it should be considered without

Each ransomware event is unique, so it’s impossible to say there is only
one ‘right’ way to handle such an event. If you find yourself facing a
ransomware incident and aren’t sure what to do, ask for help. Consult with
colleagues, bring in an incident response firm, and search the Internet for
others that have suffered the same ransomware variant. If someone tells you
there is only one option to consider, then we highly recommend that you
find another firm immediately to help you!

Additionally, while it is hard to think about the future during a
fire-fighting situation, remember just as with any other incident you face,
attempt to look past the current moment and use it as a learning exercise.
Ensure you establish a policy for dealing with a future ransomware attack,
should it happen. Finally, make sure you look into a cyber insurance policy
(if you have one, verify you have coverage!) and how it may help protect
your organization financially.

No matter what option you decide, please do report the ransomware event.
<https://www.ic3.gov/media/2016/160915.aspx> Yes, we know that chances are
low that anything will come of it, but it does help investigators, and at
RBS we are all about using data and statistics to help us improve cyber