
When ransomware strikes, should a company pay up?

That is the question organizations must quickly decide when they are hit with a ransomware attack, reports Doug Olenick.

The 2 a.m. phone call dreaded by every chief technology officer, school district IT manager or small government official:

“It seems our entire network is inaccessible and someone calling himself TheDarkOverlord is demanding 28 of something called Bitcoin in order to release our data.”

The issue then becomes: what is the next step? That is, after the victim does a quick Google search to figure out what exactly a Bitcoin is and how much one costs. Pay the ransom, hope the IT team can figure out a way around the problem, or implement the organization's well-thought-out contingency plan.

The Federal Bureau of Investigation (FBI), along with many others, recommends against paying the ransom, but the number of companies opting to pay the bad guys before they either make the stolen data public or delete it is growing.

The bottom line is that organizations are often faced with only poor options from which to choose: don't pay and deal with the consequences; pay and discover the bad guys did not release the locked data; or pay and have the criminal then ask for even more money.

“Normally we recommend not paying when hit with a ransomware attack as this only feeds the flames for cyber criminals to continue the practice. Your payment becomes an incentive for them to continue working on more advanced attacks. Additionally, paying doesn't necessarily mean you're going to get your data back,” says Dave Packer, vice president of corporate and product marketing at Druva.

Types of digital currency

Currency code: BTC
Blockchain is a matter of public record, with transactions viewable on several websites.
Proof-of-work currency, based on SHA-256 algorithm.

Currency code: ETH
Blockchain based on a decentralised virtual machine called the 'EVM'.
EVM is Turing complete and can run scripts called 'smart contracts'.
Currently a proof-of-work currency, but moving to proof-of-stake.

Currency code: XRP
A decentralised transaction network based around a fixed quantity of XRP that can be used with any currency or commodity to settle transactions.
Used by international banks as settlement infrastructure: more secure and less expensive than traditional systems.
Closed Source.
Proof-of-work based with no facility for mining.

Currency code: LTC
Technically nearly identical to Bitcoin.
Uses the memory-bound Scrypt algorithm for proof-of-work.

Currency code: XMR
Provides strong privacy, with only approximate transaction values publicly available and sender/recipient details remaining secret.
Adopted by major darknet markets including AlphaBay in 2016 due to the additional privacy offered over Bitcoin.
Uses the memory-bound CryptoNote algorithm for proof-of-work.

Currency code: DASH
Another privacy-focused cryptocurrency offering two novel services:
PrivateSend: Similar to Bitcoin laundering services, this obscures transactions by mixing coins from multiple sources into single transactions.
InstantSend: Provides the ability to conduct and confirm transactions near instantaneously.

However, Packer points out that a recent consumer survey found more than one in three ransomware victims ultimately pay up, despite the fact that nearly half of the victims don't get their files back anyway.

Israel Barak, Cybereason's CISO, says the delay in bringing a business's systems back online after a ransomware attack is one reason to take a chance and pay up; however, this should not be done unless all other avenues of correcting the problem have been explored.

“The key factor should be the alternative ways to restore business operations. If the direct or indirect costs of other alternative ways are significantly higher than paying the ransom, it probably makes more sense to pay the ransom and better prepare for the next attack. In the vast majority of the ransomware cases where data files were encrypted, paying the ransom resulted in restoration of the lost data,” he says.

If the final decision is made to give in to the criminals' demand, the victim still may have one more card to play. Perhaps Hollywood can supply an answer. In the old Clint Eastwood movie Kelly's Heroes, Eastwood, Telly Savalas and their group of wayward soldiers are attempting to remove Nazi gold from a bank, one that is guarded by a massive Tiger tank that they cannot destroy or move.

Savalas as Big Joe asks the wheeler and dealer character Crapgame, played by Don Rickles, what to do.

Crapgame: Try making a DEAL!

Big Joe: What kind of DEAL?

Crapgame: A DEAL, deal! Maybe he's a Republican. You know, "Business is business."

“These criminals are in business to make money, they would rather make something than nothing, so if you do decide you must pay you should not be afraid to negotiate,” says cyber industry veteran John Johnson, adding that there is no set answer, each business must make its own decision, and setting a policy of “never paying” is easy to make before there is a problem, but

An example of this happened just last month, in mid-February, when the Bingham County (Idaho) government found itself on the receiving end of a major ransomware attack. The attacker managed to lock up all 28 of the county's servers and demanded a payment of 28 Bitcoin, or $33,000, for the keys to release the data.

Twenty-five of the county's servers were properly backed up and were quickly up and running after some hard work put in by Bingham's third-party IT provider, according to the Idaho Statesman. Of the remaining three, two had corrupted back-up drives and the county simply decided not to back up the third citing expense.

As a result, the county struck a deal and only had to pay three Bitcoins, or around $3,500, to restore that data.

Not having a plan in place or any clue that there is such a thing as ransomware is bad enough, as NASCAR race team Circle-Sport Leavine Family Racing discovered last year when it was forced to pay $500 to have its crew chief's laptop containing all the team's race data released. This placed them in the unenviable position of having no other choice.

“If your business is not already enforcing a regular backup procedure (which we highly recommend) and the data that's been compromised is critical to business operations or records of the business (e.g., financial, health data, personal identifiable) with no recourse, then paying the ransom might be the only option,” Packer says.

Making a payment may not be the end of the trouble. Johnson points out that by paying the ransom, a business or organization has now labeled itself not only as vulnerable to a cyberattack but as willing to pay.

“Once you pay, unless you truly shore up your security, you become a target for future attacks because they know you have paid in the past,” he says.

The next possibility for a victim to ponder is that the data kidnapper may take the ransom payment and release the data, but – unknown to the victim – the content has already been downloaded by the thief, who is already busy selling it on the Dark Web.

And the bad news keeps on coming.

Packer points out that federal regulations like HIPAA and the emerging GDPR in the EU require that a company notify its customers of any such breach.

“A company might find that they're going to pay one way or the other,” he said, adding, “There's also the real risk of sensitive data breach and loss, so I might wind up paying $500 to get my data back, but there's that four percent of revenue stipulation in GDPR that could cost my company millions.”

From Dave Packer's blog, You've Got Ransomware, Now What? Part One:

So, the unthinkable has happened: your corporate server (or maybe just a few employees) has been infected with ransomware.

One protective measure against a lawsuit, Johnson suggests, is to keep records of the measures that were taken to protect the company's data.

“If you are breached, you will be asked to show in court how you did your due diligence to protect your confidential and regulated information,” Johnson says.

Possibly the one aspect of ransomware that has so many cybersecurity pros pulling out their hair is the fact that a few simple expedients insulate anyone from being victimized. Part of this is training. Employees who know not to click on unknown attachments or fall for phishing scams are a great defense for their company.

The other trick is to simply have a thorough data back-up plan.

“I would rather think that ransomware is something that companies with good security practices can avoid. Protect your most important information, back it up often and test the backups,” Johnson says, adding that advanced endpoint protection goes a long way to backstop employees who may or may not have paid attention during their cybersecurity seminar.
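"Back it up often and test the backups" is the one piece of advice in this article that turns into a routine, and the Bingham County case above shows what an untested backup drive costs. The following is an added example, not code from the article or from any vendor quoted in it: it records a SHA-256 manifest of the live data at backup time, then checks a restored copy against that manifest and reports what is missing, altered or unexpected. The file names and contents are constructed for the demonstration, and the "corrupted backup" scenario (one file truncated, one never copied) is assumed.

```python
import hashlib
import tempfile
from pathlib import Path

# Added illustration of "back it up often and test the backups": a checksum
# manifest taken from the live data, then a verification pass over a restored copy.
# Not code from the article or any vendor it quotes; all sample files are constructed.


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file (path relative to root) to its SHA-256; record this at backup time."""
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree with the manifest; an empty report means the restore is usable."""
    restored = build_manifest(restored_root)
    return {
        "missing": sorted(name for name in manifest if name not in restored),
        "modified": sorted(
            name for name in manifest if name in restored and restored[name] != manifest[name]
        ),
        "extra": sorted(name for name in restored if name not in manifest),
    }


def restore_is_good(report: dict) -> bool:
    """Extra files are worth a look but do not make the restore unusable."""
    return not (report["missing"] or report["modified"])


def demo() -> tuple:
    """Constructed scenario: one clean restore and one from a corrupted backup drive."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        good = Path(tmp) / "restore_good"
        bad = Path(tmp) / "restore_bad"
        sample = {  # constructed sample data, not real records
            "records/ledger.csv": b"id,amount\n1,100\n2,250\n",
            "notes.txt": b"quarterly notes\n",
        }
        for root in (live, good, bad):
            for rel, data in sample.items():
                target = root / rel
                target.parent.mkdir(parents=True, exist_ok=True)
                target.write_bytes(data)
        manifest = build_manifest(live)  # what was recorded when the backup was taken
        # Simulate a corrupted backup drive: one file truncated, one never copied.
        (bad / "records/ledger.csv").write_bytes(b"id,amount\n")
        (bad / "notes.txt").unlink()
        return verify_restore(manifest, good), verify_restore(manifest, bad)


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("clean restore usable:", restore_is_good(good_report), good_report)
    print("corrupt restore usable:", restore_is_good(bad_report), bad_report)
```

The manifest should be stored separately from the backup media it describes; if both sit on the same drive that fails, or both get encrypted by the ransomware, the check cannot be run when it is needed.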

Digital currency terms

Blockchain – The public, distributed ledger for Bitcoin. Commonly used as a generic term for any cryptocurrency's distributed ledger. 

CPU-Bound – Refers to algorithms – in this case related to blockchain process/mining – for which available CPU processing power is the limiting factor in processing speed. 

Memory-Bound – Refers to algorithms for which available memory (RAM) is the limiting factor in processing speed. 

Mining – In proof-of-work cryptocurrencies, the activity of processing transactions to prove their veracity and achieve distributed consensus. The first miner (or group) to meet the proof-of-work criteria for a block of transactions is typically rewarded financially through either the creation of new currency, transaction fees, or both. 

Proof-of-Work – A method of proving that work has taken place, typically through computationally intensive tasks that are quick to verify when completed. In the case of cryptocurrencies, this generally means transaction processing and hashing and the methods are usually either CPU-bound or Memory-bound. 

Proof-of-Stake – An alternative type of cryptocurrency where the creator of the next block is determined pseudo-randomly, weighted by the amount of the currency they hold (i.e. their 'stake').

Ransomware criminals do not ask for their payment to be left in a phone booth in a big cloth bag with a dollar sign stenciled on the side; they instead prefer hard-to-trace digital currency. So another question victims have to answer, whether they are a Fortune 100 corporation, a mom-and-pop business or an individual, is what the heck Bitcoin is.

While there are several types of digital currency available, by far the most popular is Bitcoin. Like conventional currency, Bitcoin's value fluctuates depending upon demand; as of March 21, one Bitcoin equaled about $1,200. Otherwise it has very little in common with greenbacks.

“Instead of a centralized ledger (as would be the case with traditional currencies/government central banks), Bitcoin uses a public ledger known as the 'blockchain'. Bitcoin transactions are broadcast to a network of privately operated nodes running Bitcoin software, a subset of which verify and process the transactions into groups called blocks (these machines are known as miners). All nodes keep a record of these blocks (hence 'blockchain') once they have been processed, thus keeping a distributed record of transactions and ownership,” ForcePoint says.
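The ForcePoint description above and the glossary entries for Mining and Proof-of-Work describe the same mechanism from two sides: transactions are grouped into blocks, each block commits to the hash of the one before it, and a block only counts once a miner has found a hash that meets a target, which costs many hashes to find and one hash to check. The toy model below is an added example, not Bitcoin's real block format, difficulty rule or any code from the article. The 12-bit difficulty, the JSON serialisation and the sample transactions between "alice", "bob", "carol" and "dave" are all constructed for the demonstration.

```python
import hashlib
import json

# Added toy model of blockchain plus proof-of-work as described in the glossary and
# the ForcePoint quote. NOT Bitcoin's actual block layout or difficulty adjustment;
# difficulty, serialisation and sample transactions are constructed for illustration.

DIFFICULTY_BITS = 12  # assumed toy target: hash must start with 12 zero bits (3 hex zeros)
GENESIS_PREV = "0" * 64  # the first block has no predecessor


def block_hash(prev_hash: str, transactions: list, nonce: int) -> str:
    """SHA-256 over a canonical serialisation of the block contents."""
    payload = json.dumps(
        {"prev": prev_hash, "tx": transactions, "nonce": nonce}, sort_keys=True
    )
    return hashlib.sha256(payload.encode()).hexdigest()


def meets_target(digest_hex: str, difficulty_bits: int = DIFFICULTY_BITS) -> bool:
    """Proof-of-work criterion: the hash, read as a 256-bit integer, is below the target."""
    return int(digest_hex, 16) < (1 << (256 - difficulty_bits))


def mine_block(prev_hash: str, transactions: list, difficulty_bits: int = DIFFICULTY_BITS) -> dict:
    """The expensive step: try nonces until the block hash meets the target."""
    nonce = 0
    while True:
        digest = block_hash(prev_hash, transactions, nonce)
        if meets_target(digest, difficulty_bits):
            return {"prev": prev_hash, "tx": transactions, "nonce": nonce, "hash": digest}
        nonce += 1


def verify_chain(chain: list, difficulty_bits: int = DIFFICULTY_BITS) -> bool:
    """The cheap step: one hash per block, however many hashes mining took."""
    prev = GENESIS_PREV
    for block in chain:
        if block["prev"] != prev:
            return False  # link to the previous block is broken
        digest = block_hash(block["prev"], block["tx"], block["nonce"])
        if digest != block["hash"] or not meets_target(digest, difficulty_bits):
            return False  # contents were altered, or the proof-of-work is bogus
        prev = digest
    return True


def build_demo_chain() -> list:
    """Three blocks of constructed sample transactions (not real Bitcoin data)."""
    batches = [
        [{"from": "alice", "to": "bob", "btc": 0.5}],
        [{"from": "bob", "to": "carol", "btc": 0.2}, {"from": "alice", "to": "dave", "btc": 1.0}],
        [{"from": "carol", "to": "alice", "btc": 0.1}],
    ]
    chain = []
    prev = GENESIS_PREV
    for transactions in batches:
        block = mine_block(prev, transactions)
        chain.append(block)
        prev = block["hash"]
    return chain


def tamper_demo() -> tuple:
    """Editing one old transaction invalidates that block and every block after it."""
    chain = build_demo_chain()
    tampered = json.loads(json.dumps(chain))  # deep copy
    tampered[0]["tx"][0]["btc"] = 50.0  # rewrite history: 50 BTC instead of 0.5
    return verify_chain(chain), verify_chain(tampered)


if __name__ == "__main__":
    for i, block in enumerate(build_demo_chain()):
        print(f"block {i}: {block['nonce'] + 1} hashes tried, hash {block['hash'][:16]}...")
    print("(untampered valid, tampered valid) =", tamper_demo())
```

Running it shows the asymmetry the glossary's Proof-of-Work entry refers to: each block takes on the order of thousands of hash attempts to mine at this toy difficulty, while verifying the whole chain is three hashes. It also shows why the ledger is a "matter of public record" that cannot quietly be edited: changing one past transaction changes that block's hash, which breaks the `prev` link held by the next block.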

Although ransomware is becoming known among the general public, the digital currency is still somewhat of a mystery. One that must be solved if the ransom is to be paid.

“My experience is that most organizations, outside of a few specific folks in the IT department, are unfamiliar with bitcoin, how to acquire it and how it's used,” Packer says.

Barak disagreed, saying that in his experience companies are familiar with Bitcoin and other digital currencies, and even if they are not, the learning curve is shallow, allowing novices to quickly learn what they need to know. He also thought it might be a good idea for any potential ransomware victim that simply cannot have its systems down for any length of time to have Bitcoin on hand to quickly pay off an attacker.

Keeping Bitcoin on hand to handle a ransomware attack could mean that dealing with such incidents becomes akin to a retailer dealing with shoplifting: it's going to become just another part of doing business, Barak says.

“Given the accelerated growth in ransomware variants, distribution, and the expected ramp up in sophistication and targeting by some of the more advanced cybercrime actors that are active in this market, as well as the lack of sufficient security controls to counter this threat in most businesses, we can expect to see ransomware payments becoming a part of business operations, either through insurance carriers or directly,” he says.

But there is an inherent danger in taking this approach, countered Packer. If victims quickly give in to the cybercriminals they may simply be opening themselves up for even more attacks.

“Paying doesn't stop them from attacking or trying to extort more money from the organization. If you've established the pattern that you're willing to pay, then you're setting yourself up to be attacked again,” he says.
