
Ransomware: To pay or not to pay

The crudely written ransom notes in movies 20-30 years ago may have been replaced by more modern, digital missives – like a texted photo a la Liam Neeson’s “Taken” – but the message remains the same: Pay up or else.  

That is the quandary business owners, municipal governments, school administrators and even librarians are now facing on an almost daily basis as a growing number of employees come to work only to find when they turn on their PCs that they’re staring at a computer screen with a plaintext message from an attacker demanding a bitcoin ransom in exchange for the keys needed to decrypt data being held hostage.

According to the FBI’s 2018 Internet Crime Report, 1,493 ransomware cases were reported last year, costing each victim on average $3.6 million. The FBI did list a few caveats with that figure, noting it does not include estimates of lost business, time, wages, files, equipment, or any third-party remediation services contracted by a victim. Also, not every victim reports a loss and some underrepresent the cost.

Any competent business advisor would likely tell a client that spending $76,000 to fend off an incident that could cost that organization millions would be money well spent, but that calculus is more complicated when the initial outlay is not to pay for a cybersecurity preventative measure, but rather for a cybercriminal’s ransom demand.

Unless an organization is the corporate equivalent of Neeson’s Bryan Mills in “Taken,” who relentlessly pursues kidnappers (through two sequels at that), meting out justice and violence in equal measure, it typically has three choices – pay the ransom and take the chance the bad guys will do as promised and send along the decrypt keys; begin the recovery process using an established plan and backed up data; or refuse to pay the ransom and then try to rebuild from scratch.

Two major U.S. cities recently chose that last tactic – at great cost.

When Atlanta was hit with SamSam ransomware in March 2018, it refused to pay the $51,000 ransom demand, with the end result of being unable to work around the encryption and then spending $17 million and many weeks to rebuild its network. Baltimore is now in the same boat, having refused to pay the attackers $76,000 and instead looking at a potential $18 million bill and months of repair work to get back online after a Robbinhood ransomware attack.

Jackson County, Ga., though, caved to its attacker’s demand to cough up $400,000 for decryption keys last March. The gamble paid off, as County Manager Kevin Poe told SC Media. The county was willing to take the chance that the criminals would honor their word and let them regain access because there was no other choice.

Poe says forensic evidence showed the network had been infiltrated for quite some time and the attackers were able to essentially throw a switch and turn everything off, including its 911 emergency system.

Most recently, on June 17 Riviera Beach, Fla., shelled out 65 bitcoins, almost $600,000, in an attempt to regain access to its completely shuttered network. To add insult to injury the city also had to spend more than $900,000 to replace damaged computer equipment. Riviera Beach was followed just one week later by Lake City, Fla., which bowed to a ransom demand and paid about $400,000 to its attackers.

The greater capabilities being built into modern ransomware have pushed some victims to shell out ransom payments.

“A few years ago, if a company was locked out of its data by hackers, it wasn’t necessarily inclined to pay the ransom demand. That’s because there used to be a ‘silver bullet,’ in that if the company was doing regular backups of its systems, it could restore its data,” says Robert Rosenzweig, vice president and national cyber risk practice leader at Risk Strategies.

Now more complex malware gets hackers into the production environment as well as the backup system to deploy the ransomware encryption, meaning there’s no longer a perfect mitigating control.

If they pay up, though, organizations run the risk that the bad guys, like those in the “Taken” series, keep coming back for more, or that another set of cybercriminals pops up with new demands. Shortly after Jackson County, Riviera Beach and Lake City decided to pay up, the U.S. Conference of Mayors passed a resolution at its annual conference pledging not to pay ransoms.

The resolution contends paying ransoms merely encourages others to conduct similar attacks by showing there could be a financial benefit, and that it behooves municipal governments to de-incentivize these attacks to prevent further harm. The Conference of Mayors is composed of mayors representing cities with more than 30,000 residents.

“NOW, THEREFORE, BE IT RESOLVED, that the United States Conference of Mayors stands united against paying ransoms in the event of an IT security breach,” the resolution says.

While paying the ransom or dealing with the exorbitant recovery costs are bad enough, some companies simply opt to go out of business. After being a victim of a ransomware attack in April, Brookside ENT and Hearing Center in Battle Creek, Mich., told local TV station WWMT that when the $6,500 payment was not received all its files were wiped, so the doctors simply decided to close up shop and retire early.

In June, Belgian aerospace manufacturer ASCO Industries was forced to shutter several factories due to a ransomware attack. ASCO, currently in the process of being acquired by Wichita, Kan.-based Spirit AeroSystems, brought in outside help, but declined to offer any additional details. Reports at the time also indicated ASCO had shut down some of its Belgian factories, putting more than 1,000 workers on the sidelines, but the company has not made an official statement.

Organizations that had the forethought to buy cyber insurance with specific coverage for ransomware have a system in place to ease budgetary pain. Lake City and LaPorte County, which paid a $130,000 ransom in July, both say having cyber insurance policies that would cover the majority of the ransom factored into their decisions to bow to their attackers’ demands.

It’s no surprise businesses increasingly find themselves victims of ransomware attacks. A Malwarebytes study found ransomware rose a shocking 365 percent from the second quarter of 2018 to the second quarter of 2019. Meanwhile, consumer detections of ransomware have been on the decline, decreasing by 12 percent year over year and 25 percent quarter over quarter. The shift makes perfect business sense, at least from the criminal’s perspective.

“Cybercriminals are searching for higher returns on their investment, and they can reap serious benefits from ransoming organizations over individuals, who might yield, at best, a few personal files that could be used for extortion or identity theft. Encrypting sensitive proprietary data on any number of endpoints allows cybercriminals to put forth much larger ransom demands while gaining an exponentially higher chance of getting paid,” the Malwarebytes report says.

Forrester Senior Analyst Josh Zelonis believes the option of paying the ransom, while odious, is a perfectly legitimate business decision and calls Baltimore Mayor Jack Young’s immediate choice to not pay “shortsighted,” adding that emotion has to be removed from the equation when deciding how to get a business or city back up and running.

“Forrester’s guidance is not a recommendation of whether or not to pay a ransom, but [rather a way] to recognize paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that you’re making the best decision for your organization,” he wrote.

Chris Bates, vice president of security strategy at SentinelOne, says there is only one truly correct answer to the problem: take a proactive approach and update legacy defense systems susceptible to sophisticated attacks, in addition to allocating additional resources to security team staffing, training and support, because the odds of regaining access to your data are not in the victim’s favor.

“Riviera Beach took the opposite approach of Baltimore but paying the ransom is not the answer either as recent research shows us that 45 percent of U.S. companies hit with a ransomware attack paid at least one ransom, but only 26 percent of these companies had their files unlocked. Furthermore, organizations that paid the ransoms were targeted and attacked again 73 percent of the time as attackers treat paying companies like ATMs,” Bates tells SC Media, citing the Sentinel One 2018 Global Ransomware Research Report.

American voters agree with Bates. A Harris poll commissioned by Anomali found:

• 64 percent of registered voters will not vote for candidates who approve of making ransomware payments.

• 66 percent of Americans believe that government organizations should never make ransomware payments to cybercriminals.

• 64 percent of Americans believe that businesses should never make ransomware payments to cybercriminals.

• 86 percent of Americans agree that when organizations make ransomware payments, they are encouraging cybercriminals to continue with such attacks.

• 70 percent of Americans agree that when organizations do make ransomware payments to cybercriminals, it is likely because they were left with no other choice.

There’s plenty of proof that being prepared pays off. The state of Louisiana under Governor John Bel Edwards won kudos for having a plan in place that, when activated, makes a number of resources available to battle attacks. It was activated this summer when Edwards declared a state of emergency after three school districts were hit with ransomware.

“The Louisiana school districts benefited from pre-emptive measures that the state had taken to prepare for malicious cyber incidents, which led to the rapid deployment of technical assistance to the affected organizations. The quick response has so far allowed these school districts to avoid paying a ransom to those responsible for the attacks according to state officials, who caution that data recovery is not yet complete,” Moody’s said in a report.

Resources include the Louisiana National Guard, Louisiana State Police, Louisiana Office of Technology Services and Louisiana State University (LSU) coordinated by the Louisiana Governor’s Office of Homeland Security & Emergency Preparedness (GOHSEP).

Being prepared with the proper security in place and backups ready to go is a necessity for any company or municipality, and while it helps to have deep pockets to pay for advanced levels of protection, those organizations that have to count their pennies can still take precautions.

Ionut Nechita, threat labs senior analyst at Comodo Cybersecurity, advocates taking steps like restricting normal user access, so when ransomware is accidentally activated, it can’t do as much damage.

“Given ransomware is typically known to target and delete backups, having a backup of critical data, ideally in a different location, can keep your data away from attackers,” Nechita says.

But all is not lost for those organizations that don’t prepare in advance – a number of steps taken after the fact can help mitigate the situation and possibly even result in full recovery.

The first is possibly the most obvious – disconnect the impacted devices from the network and inform IT, says Sherrod DeGrippo, senior director of threat research and detection at Proofpoint.

“Once disconnected, information security operations teams must determine the scope of the attack. Not all ransomware is the same. To properly respond it’s crucial to determine the attack type, who on the network is compromised, and what network permissions the compromised users may have,” DeGrippo says, adding that organizations should also bring in law enforcement and other outside resources at this juncture.

“The Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s lead civilian cybersecurity agency, has a number of resources to help state, local, tribal and territorial governments defend against the growing threat of ransomware. This includes exchanging the latest threat information, providing technical services and expertise, and supporting incident response,” says Scott McConnell, press secretary for CISA.

As beneficial as these steps and resources are to a victim, they are still being taken after the proverbial horse has left the barn. More prudent is putting a plan in place before suffering an attack. That way, an organization might avoid the agonizing decision of whether to pay or not to pay.

Cyber insurance’s impact on the decision to pay a ransom

It is likely more companies and municipalities will use their cyber insurance coverage to offset any potential costs related to being hit with ransomware, including paying the ransom, says Judy Selby, an insurance lawyer specializing in assisting firms purchasing cyber coverage.


“If you have the coverage you may as well take advantage of it,” Selby says, although she does not believe having the coverage will lead to victims simply opting to pay because the insurance companies will demand every other method of recovering the data be tried first.

However, as with any policy, putting in a claim is likely to result in higher premiums down the road. Selby says that right now pricing is still pretty soft, but she expects to see a bit of tightening in the cyber insurance market as it matures and it becomes easier for insurance actuaries to get a handle on these types of claims.

“We have data on every other industry, but little on cyber,” said Jeffrey Smith, managing partner at Cyber Risk Underwriters, during a presentation at Black Hat in August.

Other factors likely to come into play are insurance companies demanding that their customers put proper cybersecurity measures in place during the underwriting process, and possibly that they turn over control of any ransom negotiation or recovery process to the insurance company and its partners. This could be particularly true in cases where negotiations and haggling take place with the attacker over the ransom amount, Selby says, adding that this will be quite helpful for small businesses and municipalities that do not have the internal resources to deal with the situation.

Despite the obvious benefits of having a cyber insurance policy, not all companies opt for that protection. Smith notes that the cyber insurance penetration rate is less than 50 percent and only about one percent of insurance premiums collected industry-wide are from cyber policies. Some of the companies that seemingly decided against having cyber insurance paid a heavy price for this negligence.
