Ransomware just wrecked your network – now what? • The Register


Feature: So, the worst has happened. Computer screens all over your org are flashing up a warning that you’ve been infected by ransomware, or you’ve got a message that someone’s been stealing information from your server.

There’s a growing market of firms that advise extortion victims on how to handle the situation, but that just adds another invoice to the injury, and some still prefer to go it alone. In the end, while a few companies do ignore ransom demands outright, all at least assess their options before deciding whether to negotiate, restore from backups, or pay up.

“I believe less than a quarter of the organizations last year that we assisted ended up going on their own and settling with the threat actor,” explained Andrew Carr, senior manager of business development with Booz Allen’s Commercial Incident Response team.

So how should you proceed?

First, take a look at the infected machines to see exactly what is going on and whether there is any information on how the infection occurred, so the security holes can be patched.

For companies that have cyber insurance, the insurer will often appoint someone to do just that, according to an independent ransomware negotiator who asked to remain anonymous to avoid being targeted by criminals. Insurance companies are spending a lot of time and effort examining the ransomware ecosystems because they are having to pay out increasingly large sums as the ransomware plague spreads.

Next up, companies usually wipe their systems clean and restore them from backups. The wiping is particularly important, since once someone has gained access to your network, they could well have left other malware behind to get a second bite of the cherry.

This holds true even if victims decide to pay up – once a system has been penetrated, it must be thoroughly checked for remaining threats. Getting the ransomware key is one thing, but the system should still be regarded as at risk, even after decryption.

When you have to pay

Although the majority of ransomware victims don’t pay up, some feel they have to. Maybe it would take too long to wipe and restore all affected systems, or maybe the backups are insufficient, given the scope of the infection.

As we’ve seen in the Colonial Pipeline and UnitedHealth attacks, the CEOs were quite blunt about their reasons for paying – service had to be restored, fast.

In the case of Colonial, it was an emergency. Panic buying was leading to shortages and fistfights were breaking out at gas stations across the US East Coast. The decision was made to suffer the pain and pay up.

With the Change Healthcare cyberattack, parent company UnitedHealth forked over $22 million in bitcoin to the ALPHV/BlackCat gang, since pharmacies were in chaos and prescriptions desperately needed to be filled. Incidentally, this was one of the relatively rare cases where the gang did rip off its affiliates, the ransomware negotiator told The Register.

Most ransomware infections contain contact information for the attackers. If you feel you have to negotiate, it’s important to know who you’re dealing with. Typically, ransomware-as-a-service operators let affiliates make the actual intrusion, then take over negotiations and kick back a percentage to the initial attacker.

The reason for this central control is that it allows the malware developer to ensure their brand – such as it is – remains untarnished. While there have been cases of people infecting victims or stealing data, taking the payoff, and then double-crossing the payer, that’s bad for business.

“Trust is a massive part of this,” the ransomware negotiator said. If the gang has a reputation for delivering a solution once victims have coughed up the fee, then it’s easier to extort money.

The major gangs have full-time staff who manage negotiations, ensure delivery, develop better malware, and so on, the ransomware negotiator explained. Typically, they’ll pitch the first demand at around 5 percent of annual revenue. The trick to reducing the sums is playing the long game.

The longer the negotiation goes on, the more the price is likely to drop, he opined. The extortionists just want the money and “it will tie up with the negotiator so they just kind of go, ‘Well, you know, screw this. Let’s just give them a nice, generous discount’,” he added.

There are exceptions. After going through chat logs related to LockBit, the ransomware negotiator told us, he noticed a lot of amateur teens seem to be using rent-a-ransomware kits. These folks are more likely to negotiate themselves, then take the money and run, as they have no reputation to preserve.

But they’re also more likely to cave, as we saw in the recent ransomware infection at PowerSchool. The original infection actually happened upstream at an unnamed telco, which refused to pay, so the attackers used information gained in that first attack to target the education software provider instead, according to legal documents connected to a guilty plea from a 19-year-old attacker. PowerSchool paid up, but the data was still apparently out in the wild and remained undeleted, leading to further extortion attempts against PowerSchool customers.

As far as payment goes, everyone we spoke to agreed that bitcoin was the preferred payment method. It’s convenient and, importantly, usually untraceable. While coin mixing technology – which seeks to launder the digicash using a mass of transactions – is improving, it’s still possible to beat. In the case of Colonial, most of the ransom was recovered, and one Dutch university not only recovered the ransom but made a profit because the price of bitcoin had risen while they were doing so.

If you seek help, mum’s the word

If you do hire a professional to help, don’t let the criminals know what’s going on, Carr advised.

“We don’t go in and say I’m from X company, here on behalf of this victim organization. You pretend, typically, that you are a member of that organization. That way it just seems more natural. And some of the groups actually have animosity towards professional organizations that assist in these cases.”

Similarly, if you have insurance, it’s vital not to let on when negotiating with the extortionists. At the recent RSA security conference, Dutch police explained that in addition to encrypting some systems, the crooks also look for documents related to cyber insurance. If the victim has coverage, the amount they demand goes way up.

But it shouldn’t come to that. The vast majority of ransomware operators just want low-hanging fruit – people without even basic endpoint protection who can just be spammed with malware, Carr said. Larger companies should be able to fight off all but the most determined, well-resourced attackers.

And that’s the root of the issue. Payment is likely to fund further criminal activity, so caving to the demands is making attacks more likely in the future. Carr said that if it came to a decision to pay, then his job was over – “we’re hands off in that,” he concluded. ®
