Ransomware wars: to pay or not to pay

Although not a shooting war, ransomware cyber warfare has been raging out of control for years. It’s become top-of-mind with law enforcement, the insurance industry, and businesses both large and small.

If you wake up one morning to find your business held hostage, there are two paths to choose from—pay the ransom or don’t pay. Here are some essential items to consider for each scenario.

SMB ransomware costs and benefits checklist

Business owners regularly make cost/benefit decisions, and ransomware incident response is no different, even if the stakes are higher. Consider this Ransomware Business Continuity Checklist:

• Do you have reliable backups of all IT systems and data?
• Can your data be recreated if your backups become encrypted along with everything else?
• Do you have a file cabinet with paper documents you can use to recreate your IT infrastructure from scratch?
• Are you able to continue effective business operations manually until you restore your systems?
• How long would it take to rebuild? Days, weeks, months. 
• What are your lost productivity costs for the anticipated downtime?
• Do you have updated business insurance to reimburse you for either the ransom payment OR the cost of downtime? (More on cyber insurance further down the page).

Once you have firm answers to the above, crunch the numbers. On paper, which course of action represents the lowest overall cost to your business? Is it less expensive to pay the ransom? Or would you instead absorb the cost of post-incident remediation and inevitable downtime associated with not paying?

How much ransom are SMBs asked to pay?

Ransom demands vary but often scale with what threat actors decide is “affordable” for individual businesses. They calculate the initial ransom ask amount to fall in line with the victim’s ability to pay, typically accepting lower ransom payments from smaller companies.

Consider the sophisticated supply chain attack on MSP cloud services provider Kaseya, Inc. Fifteen hundred businesses, large and small, were hit over a 3-day weekend by a well-known Russian-speaking threat actor, REvil. The majority of these companies were SMBs.

Initially, this group asked for a ransom payment of $50K for “small businesses” and $5M for “large businesses.” It’s unclear where their cutoff is. Everything is negotiable, including individual ransom amounts. The actor subsequently adjusted the total to $70M for a blanket decryption key for all affected businesses.

But first, what is OFAC, and why do I care?

If your first impulse is to pay off your attacker, you’ll want to take a hard look at this first. The Office of Foreign Assets Control (“OFAC”) of the US Department of the Treasury

“administers and enforces economic and trade sanctions based on US foreign policy and national security goals against targeted foreign countries and regimes, terrorists, international narcotics traffickers, those engaged in activities related to the proliferation of weapons of mass destruction, and other threats to the national security, foreign policy or economy of the United​ States.”

OFAC maintains an updated list of individuals and entities, such as terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called “Specially Designated Nationals” or “SDNs.”

Is paying ransomware illegal?

No. In principle, it’s not illegal for a business to pay a ransom to get its systems operational after an attack. 

However, if it turns out that your ransomware attackers are identified on OFAC’s sanctions lists, paying the ransom opens your business up to additional sanctions that may be significantly higher than the ransom you just coughed up to save your business.

Persons, entities, even foreign governments can have their financial assets frozen—including Bitcoin wallets—prohibiting US residents from dealing with them. Check the sanctions lists before paying any ransom. It’s your responsibility. Be sure to document your OFAC search.

What’s SUPPOSED to happen when victims pay

Let’s say you get breached and find your (and your business partners’) private information stolen, files encrypted, and your backups gone. You believe your only course of action is to pay the ransom. You’ve checked your threat actor against OFAC lists, and it comes back clean. If you can afford the ransom and don’t otherwise have a clear path to recovery, you’d be right to pay.

Ideally, once you pay the initial ransom amount for your decryption key, your systems become operational once again, with your wallet a bit lighter. You’ll feel you’ve dodged a bullet because you came out of the situation with your business intact.

Unfortunately for SMB’s, this is not the most likely outcome.

What REALLY happens when victims pay?

If you haven’t heard, paying the ransom usually doesn’t 100% restore your systems and data to pre-breach configurations. 

• Paying the ransom does not guarantee you’ll get the decryption key or that the key will perform as promised. Some sources report fewer than 10% of SMBs get systems and data back intact.
• Paying the ransom doesn’t prevent the same attacker from hitting you a second time or selling your information to other ransomware groups. They know if you paid once, you’d likely pay again.
• Paying the ransom sends a message to threat actors that “ransomware works,” and they should keep going to the well.
• Paying the ransom doesn’t keep your stolen data from being auctioned off or shared with the public.

It’s not personal; they’re criminals.

Paying the ransom makes the job of law enforcement harder.

The role of law enforcement in SMB ransomware 

The FBI and other international law enforcement agencies agree 100% that paying the ransom should not be a business’ first option. Their unwavering advice is not to pay the ransom because giving money to extortionists only perpetuates the problem.

Reality check. It’s not that the FBI doesn’t care about the well-being of your organization. FBI resources focus primarily on ransomware investigations for larger businesses. Bigger bang for the buck.

Yet, the best advice is to get the FBI involved early, even if you plan to pay the ransom. It may seem that law enforcement is chasing its tail when it comes to prosecuting cyber crime. But they do have access to information and resources to help you through a ransomware incident—including decryption keys from previous attacks.

FBI actively striking back at ransomware

It’s not all doom and gloom for law enforcement. Just one week after a crippling attack on US oil infrastructure, the FBI recovered most of Colonial Pipeline’s $4.4M ransom, hoovered out of Bitcoin wallets upon obtaining their private keys.

This ransom recovery is clear evidence of the FBI’s coordinated attack on threat actor DarkSide’s ransomware operations and technology infrastructure. The group confirms that pressure from the US forced it to pull the plug on its Ransomware-as-a-Service (RaaS) model.

“…a couple of hours ago, we lost access to the public part of our infrastructure, in particular to the blog, payment server, and content delivery servers. At the moment, we can’t access them, and the hosting panels are blocked…”

The role of cyber insurance for SMBs

Cyber Insurance has been available for years, but ransomware has changed the current landscape. Corporate insurance companies have taken a beating over the past year. A recent industry study shows that insurance companies paid out $2.71 for every $1 collected in policy premiums—an unsustainable business model. The entire insurance industry has been hard at work trying to agree on standard metrics and minimum requirements for business cyber insurability.

Traditionally, most cyber insurance providers market exclusively to large businesses. That is rapidly changing. There are plenty of companies that provide affordable cyber insurance to the SMB market, and hopefully, more small businesses will take advantage of these offerings.

Companies that offer cyber insurance are not universally embraced by small businesses with excuses not to purchase cyber insurance. They hear, “Well, we’re not a target,” or “Our IT people have it buttoned down, so we’re good.” Security apathy that has existed for years in small businesses still exists today.

Ten cyber insurance basic hygiene requirements

Individual cyber insurance policies vary concerning minimum security requirements for insurability. Covered businesses need to have more skin in the game by adopting and enforcing internal security procedures that “harden” their technology infrastructure.

While not a complete list for every company or policy, below are ten basic security practices that cyber insurance providers want to see in place:

1. Document all equipment, hardware, and software
2. Secure remote connections. At minimum, a VPN with dual-factor authentication.
3. Frequent, off-site, redundant backups of data and systems configuration
4. Malware and antivirus endpoint protection make individual workstations more resistant to attacks.
5. Dual-factor authentication for every software application and system
6. Password management platform. Length, complexity, rotation frequency of passwords
7. Data encryption, in transit and at rest
8. Regular software security patch updates
9. Least-privilege user access to restrict unnecessary administrative access to systems
10. Ongoing employee security training to better recognize threats.

These are common sense items every business should have in place, whether buying insurance or not. Putting these in place will significantly lower the risk of ransomware attacks.

How do we inform the public about a breach?

Regardless of your intention to pay or not pay a ransom, consider carefully how your organization will communicate details of a ransomware attack. Cyber-attacks have legal, financial, HR, data privacy, and business reputation repercussions. 

An often-overlooked element of any organization’s Pre-Breach Incident Response Plan is how to let your business partners, customers, vendors, etc., know what’s happened. This communication should be well documented and closely followed at every level. Consider retaining a cyber breach coach to help you generate the appropriate language and notification procedures.

What is a breach coach?

Most regular business processes benefit from some level of project management. Recovering from a ransomware attack may be the most important project a small business can undertake. Think of a breach coach as a project manager for getting your company back up and running after a breach.

Most breach coaches are practicing lawyers who bring broad industry experience and a deep understanding of today’s ransomware landscape and its players. A cyber insurance company will often provide these services, but you don’t need to purchase business cyber insurance to retain a professional breach coach.

Common services a cyber breach coach can provide:

• Identify the appropriate internal staff that comprise your response team.
• Create/update your business’s post-incident playbook.
• Manage communications to employees, customers, vendors, and business partners. Sometimes knowing what NOT to say is more important.
• Retain an appropriate industry forensics team to research the damage and determine the extent to which the malware has spread, aka, “blast radius.”
• Ransom negotiation. Attackers often agree to accept a reduced amount if they feel they are being taken seriously at the outset.

Are there additional resources available to help businesses recover from ransomware?

Two projects that assist businesses with ransomware recovery are No More Ransom and Ransomwhere.

No More Ransom offers decryption tools for over ten different types of ransomware. They also outline key steps you can take to prevent attacks from happening in the first place.

Ransomwhere tracks the total reported ransomware payments in a certain time period. The resource allows you to see if attacks are increasing and whether prevention measures are working.

Conclusion

Years ago, America’s War on Drugs coined an ill-conceived slogan, “Just Say No!” which was in no way helpful in addressing the eternal issue of drug abuse in our society. Fifty years later, one could make an argument that “Just Say No!” is gaining traction against the War on Ransomware.

Look, if lack of preparation or just bad luck leads to a situation where a business owner must pay a ransom or risk losing the entire business, then paying is the right thing to do. I’m not suggesting that a ransom should never be paid.

What’s been happening is that more businesses (and cyber insurance providers) view paying off ransomware actors as a “cost of doing business.” If we continue down that path, ransomware will continue to thrive.

Final thought: SMBs, don’t just react to ransomware, prepare for it. 

Implement cyber basic hygiene (see above) within your organization. Maintain proactive relationships with cyber security consultants, IT, law enforcement, legal, and insurance partners. The business you save may be your own.

Not sure where to start? Give us a call.