Any competent business advisor would likely tell a client that spending $76,000 in order to potentially fend off an incident that could cost that organizations millions of dollars would be money well spent.
But what happens to that calculus when the outlay is a ransom demanded by cybercriminals who managed to infiltrate your computer network, encrypt all your files leading to a complete shutdown of operations?
With hundreds of publicly disclosed ransomware attacks to study the unfortunate answer is there is no easy answer.
That is the quandary business owners, municipal governments, school administrators and even librarians are now facing as more and more of these folks arrive at one morning, turn on their PC and find themselves staring at a computer screen that will only display a plaintext message from their attackers demanding a certain amount in bitcoin in exchange for the keys needed to decrypt their data.
Once this point is reached there are basically three courses of action an organization can take. Pay the ransom and take the chance the bad guys will do as promised and send along the decrypt keys; begin the recovery process using an established plan and backed up data; or refuse to pay the ransom and then try to rebuild from scratch.
Two major U.S. cities recently found themselves in the latter position.
When Atlanta was hit with SamSam ransomware in March 2018 it refused to pay the $51,000 ransom demand with the end result of being unable to work around the encryption and then spending $17 million and many weeks to rebuild its network. Baltimore is now in the same boat having refused to pay the attackers $76,000 and instead is looking at a potential $18 million bill and months of repair work to get back online from Robbinhood ransomware.
Jackson County, Ga., decided to take the other route and caved to the demand paying its attacker $400,000 in March 2019 for the decryption keys. In this case the gamble paid off as County Manager Kevin Poe told SC Media. The county was willing to take the chance that the criminals would honor their word and let them regain access because there was no other choice.
Poe said forensic evidence showed the county had little choice as network had been infiltrated for quite some time and the attackers were able to essentially throw a switch and turn everything off, including its 911 emergency system.
Most recently on June 17 Riviera Beach, Fla., shelled out 65 bitcoins, almost $600,000, in an attempt to regain access to its completely shuttered network. To add insult to injury the city also had to spend more than $900,000 to replace damaged computer equipment.
While paying the ransom or dealing with the exorbitant recovery costs are bad enough, one company opted to simply go out of business. Brookside ENT and Hearing Center in Battle Creek, Mich., made this choice after being hit in April. The company told local TV station WWMT that when the $6,500 payment was not received all their files were wiped, so the doctors simply decided to close up shop and retire early.
Chris Bates, vice president of security strategy at SentinelOne, said there is only one truly correct answer to the problem. Take a proactive approach and update legacy defense systems susceptible to sophisticated attacks, in addition to allocating additional resources to security team staffing, training and support because the odds of regaining access to your data is not in the victim’s favor.
“Riviera Beach took the opposite approach of Baltimore but paying the ransom is not the answer either as recent research shows us that 45 percent of U.S. companies hit with a ransomware attack paid at least one ransom, but only 26 percent of these companies had their files unlocked. Furthermore, organizations that paid the ransoms were targeted and attacked again 73 percent of the time as attackers treat paying companies like ATMs,” he told SC Media, citing the SentinelOne 2018 Global Ransomware Research Report.
The FBI’s 2018 Internet Crime Report states there were 1,493 ransomware cases reported last year costing each victim on average $3.6 million. The FBI did list a few caveats with that figure noting it does not include estimates of lost business, time, wages, files, equipment, or any third party remediation services acquired by a victim. Also, not every victim reports a loss and some under represent the figure.
Forrester Senior Analyst Josh Zelonis believes the option of paying the ransom, while odious, is a perfectly legitimate business decision to make calling the Baltimore Mayor Jack Young’s immediate decision to not pay “shortsighted” adding emotion has to be removed from the equation when deciding how to get a business or city back up and running.
“Forrester’s guidance is not a recommendation of whether or not to pay a ransom but to recognize paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that you’re making the best decision for your organization,” he wrote.
There are also other factors to consider before the desperate maneuver of paying the ransom is contemplated. Sherrod DeGrippo, senior director of threat research and detection at Proofpoint said some entities, like schools for example, do not have to rush a decision as there is time and possibly additional resources that can be brought to bear in an attempt to recover. However, a hospital lacks that luxury. It could be a matter of life or death if it cannot return to full operations immediately. In this case a ransom may have to be paid if it has the ability to eventually regain access on its own.
The hard decision will have to be when all resources are exhausted and access cannot be regained. DeGrippo laid out the math that should lead to the proper answer for any organization.
“When it comes to deciding on whether to pay a ransom, organizations must compare the benefits of paying against the moral and financial costs of not paying up. If the attacked organization backed up their data five minutes before the attack and can restore that data in hours – they will be less likely to pay. A hospital or medical center might not have that luxury, so simply paying might be their only option for keeping patients safe,” she said.
She added that in her experience it is likely the decryption keys will be supplied allowing the victim to get back online.
But for those entities that do not follow Bates’ advice and prepare in advance there are steps that can be taken to help mitigate the situation and possibly help even fully recover.
The first is possibly the most obvious, disconnect the impacted devices from the network and inform IT, said Sherrod.
“Once disconnected, information security operations teams must determine the scope of the attack. Not all ransomware is the same. To properly respond it’s crucial to determine the attack type, who on the network is compromised, and what network permissions the compromised users may have,” DeGrippo said, adding law enforcement and other outside resources should be brought in at this time.
“The Cybersecurity and Infrastructure Security Agency (CISA), the federal government’s lead civilian cybersecurity agency, has a number of resources to help state, local, tribal and territorial governments defend against the growing threat of ransomware. This includes exchanging the latest threat information, providing technical services and expertise, and supporting incident response,” said Scott McConnell, press secretary for CISA.
As beneficial as these steps and resources are to a victim they are still being taken after the proverbial horse has left the barn. What is required is action prior to the event.
As has been stated, being prepared with the proper security in place and backups ready to go is a necessity for any company or municipality and while it helps to have deep pockets to pay for advanced levels of protection those organizations that have to count their pennies can still take precautions.
Ionut Nechita, threat labs senior analyst at Comodo Cybersecurity, suggests restricting normal users access, so when ransomware is accidentally started, it cannot do as much damage from a limited account.
“Given ransomware is typically known to target and delete backups, having a backup of critical data, ideally in a different location, can keep your data away from attackers,” Nechita said.
Although it seems to be a no-brainer by now, organizations should not underestimate the power of simply having good cyber hygiene. System administrators should patch and update software and there are federal and state-level resources available to help organizations prepare.
CISA has outreach programs that include a recorded webinar on combating ransomware along with a 24/7 watch center that analyzes and disseminates threat and mitigation information to critical infrastructure partners in both the public and private sectors. The organization also provides exercise support, risk and vulnerability assessments, and incident response from our Hunt and Incident Response Teams.