Getting hit with ransomware puts every company in a tough spot, and there are no clear-cut best practices to follow, because each intrusion, attack group, victim organization, compromised data set and potentially affected third party makes every situation somewhat unique. The reported $5 million ransom payment made last Friday by Colonial Pipeline to the threat actors will likely embolden other attackers to carry out more brazen attacks on critical infrastructure networks.
Threat actors know that many critical infrastructure systems are old and vulnerable, and they will leverage the success of the Colonial ransomware attack to up their game and hit more networks with even bigger ransom demands. Where will the payments stop? At $10 million? $100 million? $1 billion? It is simply never a good idea to pay criminals or terrorists. The ransomware attack on Colonial Pipeline was cyber terrorism, and the gas shortages up and down the east coast were a tangible result of the attack's severity; we'll feel the ripple effects well into Memorial Day weekend.
There are many reasons not to pay ransoms to criminals. First and foremost, paying the attackers funds their illegal business model. Second, recent research from Cybereason shows that a fairly large number of companies that pay a ransom are hit again by another attack, often from the same group. In addition, there is no guarantee that paying will result in the company getting clean data back. In the case of Colonial Pipeline and many others like it, the threat actors do hand over a decryption tool, but it is often very slow and sometimes yields corrupted files, hindering the recovery process and adding insult to injury.
Just a few short years ago, many organizations could simply implement off-site backup and recovery, confident that in the event of a ransomware attack they could rebuff the attackers' ransom demand and focus their mitigation efforts on restoring systems from backups. This was a fairly solid strategy until ransomware purveyors evolved their methods to include an alternative means of pressuring organizations into paying up: the Double Extortion tactic.
Double Extortion begins when the attackers first exfiltrate, or steal, sensitive information stored on a victim's systems before the crypto-malware launches its encryption routine. After the ransomware encrypts the target's data and the ransom demand is issued for payment in exchange for the decryption key, the threat actors add a second threat: to publish or sell the exfiltrated data online should the target refuse to pay. This means the target still faces the prospect of paying regardless of whether it kept data backups, because backups restore availability but do nothing to prevent disclosure. This may have been the case with Colonial Pipeline, as the DarkSide group has been known to use Double Extortion with data stolen from targets, and has even threatened publicly traded companies with the prospect of fueling short-selling runs against their stock if they don't pay the ransom demand.
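The ordering described above (bulk exfiltration first, then a burst of file encryption) is something a detection team can look for in endpoint and network telemetry. The following is an added example, not code from the original article or from Cybereason: it correlates a large outbound transfer from a host with a later burst of file renames that all append the same new extension, and distinguishes that "exfil-then-encrypt" pattern from encryption alone. The telemetry rows, host names, file names, thresholds and the six-hour lookback window are all constructed for illustration and would need tuning against real per-host baselines.

```python
"""Flag hosts whose file-encryption burst was preceded by bulk data egress.

Added example with constructed telemetry; not the article's or any vendor's code.
Event kinds: "net_out" carries a byte count sent to an external address,
"file_rename" carries an (old_name, new_name) pair.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str      # "net_out" or "file_rename"
    detail: object  # int bytes for net_out, (old, new) tuple for file_rename


def parse(rows):
    """Turn (iso_timestamp, host, kind, detail) tuples into Events sorted by time."""
    events = [Event(datetime.fromisoformat(ts), host, kind, detail)
              for ts, host, kind, detail in rows]
    return sorted(events, key=lambda e: e.ts)


def new_extension(old, new):
    """Suffix appended by a rename (e.g. '.locked'), or None if nothing was appended."""
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def find_rename_bursts(events, window=timedelta(minutes=10), min_count=20):
    """Per host, find the first window with >= min_count renames sharing one suffix.

    Returns (host, burst_start, suffix, count) tuples; one per host.
    """
    by_host = defaultdict(list)
    for e in events:
        if e.kind == "file_rename":
            suffix = new_extension(*e.detail)
            if suffix:
                by_host[e.host].append((e.ts, suffix))
    bursts = []
    for host, renames in by_host.items():
        for i, (start, _) in enumerate(renames):
            in_window = [s for t, s in renames[i:] if t - start <= window]
            suffix, n = Counter(in_window).most_common(1)[0]
            if n >= min_count:
                bursts.append((host, start, suffix, n))
                break
    return bursts


def egress_before(events, host, until, lookback=timedelta(hours=6)):
    """Bytes the host sent externally in the lookback window ending at `until`."""
    return sum(e.detail for e in events
               if e.host == host and e.kind == "net_out"
               and until - lookback <= e.ts <= until)


def detect_double_extortion(events, egress_threshold=1_000_000_000, **burst_kw):
    """Encryption bursts preceded by egress above the (assumed) threshold."""
    alerts = []
    for host, start, suffix, n in find_rename_bursts(events, **burst_kw):
        out = egress_before(events, host, start)
        if out >= egress_threshold:
            alerts.append({"host": host, "burst_start": start, "suffix": suffix,
                           "renames": n, "exfil_bytes": out})
    return alerts


def _renames(host, start, n, ext, step_s=5):
    """Constructed helper: n renames on one host, one every step_s seconds."""
    t0 = datetime.fromisoformat(start)
    return [((t0 + timedelta(seconds=i * step_s)).isoformat(), host, "file_rename",
             (f"doc{i}.xlsx", f"doc{i}.xlsx{ext}")) for i in range(n)]


# Constructed sample telemetry (not real logs).
SAMPLE_ROWS = (
    [("2021-05-06T20:10:00", "fs-01", "net_out", 4_800_000_000)]  # ~4.8 GB out, then...
    + _renames("fs-01", "2021-05-06T22:30:00", 40, ".locked")     # ...mass encryption
    + [("2021-05-06T21:00:00", "fs-02", "net_out", 150_000_000)]  # routine egress
    + _renames("fs-02", "2021-05-06T21:30:00", 5, ".bak")         # a handful of renames
    + _renames("fs-03", "2021-05-06T23:00:00", 40, ".locked")     # encryption, no exfil
)

if __name__ == "__main__":
    evs = parse(SAMPLE_ROWS)
    for b in find_rename_bursts(evs):
        print("encryption burst:", b)
    for a in detect_double_extortion(evs):
        print("exfil-then-encrypt:", a)
```

In the constructed data, fs-01 triggers the double-extortion alert, fs-03 shows up only as an encryption burst (backups alone would cover it), and fs-02's routine egress plus a few renames stays quiet. On a real network the egress threshold has to be a per-host baseline rather than a fixed number, and exfiltration to a cloud storage service or over an encrypted tunnel will not look like a single large flow, so this correlation is a starting point, not a complete detection.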
Organizations often deliberate long and hard before deciding to pay a ransom. A company's lawyers and insurer are almost always involved in any payment decision, and companies decide based on what they believe is in the best interest of the company, its customers and its shareholders. To disrupt cyber criminals' operations and to stop ransomware before it can do damage, security teams must deploy endpoint detection and response (EDR) software, as the Presidential Executive Order published late Wednesday prescribes for federal agencies.
The Biden administration's EO was a long time coming, but well timed. The unending cycle of ransomware attacks must stop. While it is understandable why companies give in, doesn't it make more sense to spend the money on good security technology, processes and people than to build a ransomware payment into the cost of doing business? It has got to be cheaper, and potentially far less damaging in the long run, to do the right thing from the start.
Lior Div, co-founder and CEO, Cybereason