Garmin reportedly paid cyber extortionists millions of dollars for access to a decryptor so that the company could restore its services to customers following a July 23 WastedLocker ransomware attack. Meanwhile, a separate ransomware outfit this week reportedly leaked sensitive data lifted from LG and Xerox’s internal networks after attempted negotiations with the two tech companies apparently did not bear any fruit.
Which leads to the question: Who made out better in the short term and the long term, Garmin or LG and Xerox? Does it make more business sense to pay a high financial price now to avoid exacerbating the crisis, or to not pay but then suffer for perhaps months and years to come due to loss of proprietary data and a damaged reputation? The answer to that might depend on your personal point of view, and how closely you adhere to the recommendations of federal law enforcement officials, who advise to not pay.
“This is the crux of the risk vs. reward calculations that most companies consider when determining whether to pay or not. The rule of thumb is to never pay a ransom, but for a company in that situation, this is easier said than done,” A.J. Nash, senior director of cyber intelligence strategy at Anomali, told SC Media.
“Each company certainly has their own calculus here, so it’s hard to offer a blanket answer," Nash said. “In cases where highly sensitive or embarrassing information may have been compromised, it will almost certainly be tempting to pay a ransom in the hopes the information won’t be released.”
If it is a more traditional attack featuring only decryption, then victims might have less to lose by refusing to cooperate. After all, decryptors don’t always work, so you might be shelling out dough for nothing anyway.
In this case, however, it appears that Garmin’s decryptor did work, as service began coming back online in the days following the attack, which at its peak interrupted website functions, customer support, customer facing applications and company communications. BleepingComputer confirmed that Garmin received the decryptor.
There does not appear to be a doxing component to the Garmin attack, as there was no threat to release information publicly and Garmin on its attack FAQ page said there was no indication that data was impacted. And in LG’s case, the Maze ransomware attackers only leaked stolen information, but did not actually encrypt files or systems, ZDNet reported.
Certainly, the recent trend of ransomware actors threatening to leak gigabytes of data has muddied the water a bit in terms of whether or not to pay as part of incident response. “In the early days of ransomware, the decision was usually about the cost of restoring data versus paying. Adversaries have upped the ante by threatening to release data as well, which doesn’t make for easy answers,” said Nash.
“The success or failure of a traditional ransomware scheme relies on the assumption that the value of the data being held ransom is greater than the ransom demand itself,” said Eric Groce, incident response manager at Red Canary. “However, organizations always had the option to implement their incident response plan to recover their data from backups or rebuild from scratch, especially if the ransom demand is exorbitant or if paying a ransom is unpalatable.”
“Historically, there haven’t been any ramifications beyond an organization’s own time and resources. With the onset of [data leak] extortion, that option has completely gone away,” Groce continued. “Organizations are often forced to pay the ransom in the hope that their data won't get released to the public or sold to other adversaries. Unfortunately, paying a ransom does not guarantee that the adversaries won’t leak the data anyway, nor does it ensure that an organization will be able to recover encrypted files.”
Whether or not to pay ransomware is essentially becoming a critical business decision, and therefore requires multiple stakeholders to weigh in. Nash said that an organization’s cyber threat intelligence team is in “the best position to know about the credibility of the adversary and threat,” but also involved are the CISO/CIO – "informed by their governance, risk and compliance personnel" – as well as the legal department and executive staff and board members.
“The reason for the wide range of people involved is because the decision needs to take into account the credibility of the threat, the risk of exposure to both operations and the business, legal implications of a breach, and then the potential threats to the brand and stock price for publicly traded companies,” said Nash.
Nash advised companies to prepare for real-life incidents through training exercises featuring various threat scenarios. “If the first time an enterprise considers a ransomware decision when it is really happening, chances are high that the choice will be made without considering all angles. That’s when the worst decision-making happens,” said Nash.
This week, BleepingComputer reported that Canon Inc. has also apparently been infected with Maze ransomware and may now find itself in a dilemma similar to that which LG and Xerox faced. Reportedly Canon's email, Microsoft Teams, U.S. website and internal applications have been disrupted and the culprits are claiming to have stolen 10 TB of data.