Ransomware Incidents’ Key Considerations

Ransomware attacks are on the rise and are likely to become more painful and frequent, because attackers are finding that organizations are not well prepared to defend themselves and are often willing to pay handsomely to end the incident. A ransomware attack commonly uses malware that encrypts data files with strong encryption and replicates and propagates itself quickly throughout networks to maximize its presence and impact. The attacker withholds the decryption keys needed to recover the data and releases them only in exchange for a ransom. Victims who do not pay are not given the keys required to decrypt and access their data.

Organizations that consider the threat of a ransomware attack to be both likely and materially business-impacting should work through a number of issues in advance to limit the impact of these attacks and respond effectively. Here are five key considerations when evaluating this threat scenario and the response plans for it:

Managing the Risk: To Pay or Not to Pay?

One of the most difficult decisions an organization has to make is whether or not to pay the attacker for the decryption keys or for whatever other means of regaining access to its data is offered. Organizations usually pay only as a last resort, but it is a risk-management decision that needs to be considered carefully. In some cases, it may be economically and operationally more efficient to pay than to restore data and systems. That said, if an organization pays and this becomes known to the attacker community and/or the public, it may become the target of similar attacks, because it is perceived as having paid once and as likely to do so again.

The decision to pay or not to pay should be considered by decision makers before an attack happens. Organizations should establish thresholds that define their risk appetite for this type of situation, taking into account factors such as loss of productivity, availability of data, reputational impact and cost of recovery. These thresholds should specify both at what point in the attack and at what price paying becomes favorable.

Negotiation

A ransomware attack often comes with a demand for a large amount of currency, frequently Bitcoin, in return for the means to release the data. If an organization decides that it is willing to pay, it should open a dialogue with the attacker, if possible, to negotiate the fee; the adversary is usually more interested in getting some money than no money. The fee an organization is willing to pay should be based on the projected cost of remediating the incident without the attacker's help. If the organization can negotiate a fee lower than that cost, the decision to pay may be an easier one.

Is this the beginning or the end of the attack?

Recent attacks have demonstrated that attackers use ransomware as the last module of a multifaceted attack strategy. The encryption of data can be used to distract an organization from the attacker's other activities and to cover their tracks while they exfiltrate data or implant malware tools for later use. Ransomware attacks are obvious by design and intended to make it known that the adversary has successfully compromised the organization. The remediation of a ransomware attack should therefore always be followed by a thorough investigation to confirm that the attacker did not carry out other malicious actions as part of the attack and did not leave behind capabilities to repeat it in the future.

Are backups good enough and should they be used?

When organizations choose not to pay, they usually recover from a ransomware attack by restoring their data from backups. This assumes that the backups are comprehensive, have integrity and are recent enough to be useful. An organization must therefore consider whether its backups already contain the attack malware/code, or whether they are susceptible to the same attack once restored. A sophisticated attacker will implant their attack capabilities on systems and let them lie dormant for a significant period, hoping that they propagate into the organization's backups. Once the backup is restored, they will attempt to use their attack method again.

One way to defend against this scenario is to back up only data files, not system files, to limit the possibility of reinfection. Attack code may still be present among the data files, but some action would have to occur for it to be installed and run again. Ideally, the method of exploitation and attack is positively identified before any backup is restored.
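The checks described above (does the backup still have integrity, is it recent enough, and does a supposedly data-only set contain anything that could execute) can be automated before a restore is approved. The following is an added example, not code from the original article. It assumes a backup job that writes a SHA-256 manifest at backup time and authenticates it with an HMAC whose key is held by the restore team rather than on the backup host; the manifest format, key name and the sample files are all constructed for this illustration.

```python
"""Pre-restore screening of a data-only backup set (added example)."""
import hashlib
import hmac
import json
import os
from datetime import datetime, timedelta, timezone

# Assumed: the key lives with the restore team, not on the backup host, so an
# attacker who owns the host cannot re-sign a manifest after tampering with it.
MANIFEST_KEY = b"example-offline-manifest-key"

# Content that has no business in a backup of data files only.
EXEC_MAGIC = (b"MZ", b"\x7fELF", b"#!")
EXEC_EXT = {".exe", ".dll", ".scr", ".js", ".vbs", ".ps1", ".bat", ".cmd", ".hta", ".docm", ".xlsm"}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict, taken_at: datetime, key: bytes = MANIFEST_KEY):
    """Record per-file hashes at backup time and authenticate the record."""
    body = json.dumps(
        {"taken_at": taken_at.isoformat(),
         "files": {p: sha256(d) for p, d in sorted(files.items())}},
        sort_keys=True,
    ).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


def looks_executable(path: str, data: bytes) -> bool:
    """Flag by extension or by magic bytes, so a renamed PE is still caught."""
    return os.path.splitext(path)[1].lower() in EXEC_EXT or data.startswith(EXEC_MAGIC)


def screen_restore(body: bytes, tag: str, files: dict, now: datetime,
                   max_age: timedelta, key: bytes = MANIFEST_KEY) -> dict:
    """Decide whether a backup set is trustworthy, fresh and safe to restore."""
    report = {"integrity_ok": False, "stale": True, "modified": [], "unexpected": [],
              "missing": [], "executable": [], "restore_ok": False}
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return report  # the manifest itself cannot be trusted; stop here
    report["integrity_ok"] = True
    manifest = json.loads(body)
    report["stale"] = now - datetime.fromisoformat(manifest["taken_at"]) > max_age
    for path, digest in manifest["files"].items():
        if path not in files:
            report["missing"].append(path)
        elif sha256(files[path]) != digest:
            report["modified"].append(path)          # changed since the backup ran
    for path, data in files.items():
        if path not in manifest["files"]:
            report["unexpected"].append(path)        # planted after the manifest
        if looks_executable(path, data):
            report["executable"].append(path)        # should never be in a data-only set
    report["restore_ok"] = (report["integrity_ok"] and not report["stale"]
                            and not (report["modified"] or report["unexpected"]
                                     or report["executable"]))
    return report


# Constructed sample backup set and manifest, as the assumed backup job would write them.
TAKEN = datetime(2024, 3, 1, tzinfo=timezone.utc)
CLEAN_SET = {
    "finance/q3.csv": b"date,amount\n2024-02-28,1200\n",
    "notes/readme.txt": b"quarterly close notes\n",
}
MANIFEST, TAG = build_manifest(CLEAN_SET, TAKEN)

# Constructed restore candidate: one data file altered after the backup, plus two
# executable payloads that a data-only backup should never contain.
CANDIDATE = dict(CLEAN_SET)
CANDIDATE["notes/readme.txt"] = b"quarterly close notes\nREAD_ME_TO_DECRYPT"
CANDIDATE["hr/update.exe"] = b"MZ\x90\x00" + b"\x00" * 16
CANDIDATE["shared/invoice.js"] = b"var sh = new ActiveXObject('WScript.Shell');"


def example_report(now: datetime = TAKEN + timedelta(days=3)) -> dict:
    return screen_restore(MANIFEST, TAG, CANDIDATE, now, max_age=timedelta(days=7))


if __name__ == "__main__":
    print(json.dumps(example_report(), indent=2))
```

The order of the checks matters: the HMAC is verified first, because every later finding is derived from the manifest, and a manifest an attacker could rewrite would let them hide both the modified file and the planted executables.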

Identify when networks and systems should be segmented and/or disabled

Malware associated with ransomware often attempts to replicate and propagate across systems and networks as fast as possible to increase its effectiveness. In many cases, organizations rely on resources such as shared storage and network file shares that are easily leveraged by modern ransomware tools, such as the popular Cryptowall. It is important to identify in advance when it is appropriate to segment and/or disable networks and systems to contain the attacker, because doing so can have significant business impact. The conditions and scenarios that qualify for these actions should be discussed and agreed upon beforehand with business process owners and leaders.
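Once those conditions are agreed, they can be expressed as a concrete trigger over file-share activity, so that the decision to isolate a host is made against a pre-approved threshold rather than improvised mid-incident. The following is an added example, not code from the original article. It assumes a file server that emits one audit line per operation in a simple `timestamp host= user= op= path=` form and a policy of at most 20 writes or renames per host per minute spread over at least three directories; the log format, the policy values and the sample lines are all constructed for this illustration.

```python
"""Containment trigger over constructed file-share audit lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Assumed audit line layout: "<ISO-8601 UTC> host=<name> user=<name> op=<OP> path=<UNC path>"
LINE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) op=(?P<op>\S+) path=(?P<path>.+)$")

# Pre-agreed containment policy (assumed values). The article's point is that these
# numbers are negotiated with business owners before an incident, not during one.
POLICY = {"window": timedelta(seconds=60), "max_ops": 20, "min_dirs": 3}


def parse(line: str) -> Optional[dict]:
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dir"] = rec["path"].rsplit("\\", 1)[0]   # folder part of the UNC path
    return rec


def isolation_decisions(lines: List[str], policy: dict = POLICY) -> List[Tuple[str, str]]:
    """Return (host, timestamp) for each host at the moment it first breaches the policy.

    A sliding window per host keeps only the writes/renames of the last `window`;
    a breach needs both volume and spread across directories, so one user saving
    a large file repeatedly in their own folder does not trip it.
    """
    windows: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, str] = {}
    for line in lines:
        rec = parse(line)
        if rec is None or rec["op"] not in ("WRITE", "RENAME"):
            continue
        q = windows[rec["host"]]
        q.append((rec["ts"], rec["dir"]))
        while q and rec["ts"] - q[0][0] > policy["window"]:
            q.popleft()
        touched_dirs = {d for _, d in q}
        if (rec["host"] not in flagged and len(q) >= policy["max_ops"]
                and len(touched_dirs) >= policy["min_dirs"]):
            flagged[rec["host"]] = rec["ts"].strftime("%Y-%m-%dT%H:%M:%SZ")
    return sorted(flagged.items())


def constructed_log() -> List[str]:
    """Constructed sample: one benign workstation and one mass-renaming workstation."""
    base = datetime(2024, 3, 1, 9, 0, 0)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    # Benign: an analyst saving the same spreadsheet five times over ten minutes.
    for i in range(5):
        lines.append(f"{fmt(base + timedelta(minutes=2 * i))} host=WS-042 user=analyst "
                     f"op=WRITE path=\\\\fs01\\finance\\q3.xlsx")
    # Suspect: 30 renames across four departments' folders within 15 seconds.
    dirs = ["finance", "hr", "legal", "sales"]
    for i in range(30):
        t = base + timedelta(seconds=i // 2)
        lines.append(f"{fmt(t)} host=WS-117 user=jsmith op=RENAME "
                     f"path=\\\\fs01\\{dirs[i % 4]}\\doc{i}.docx.locked")
    return sorted(lines)  # interleaved by timestamp, as the share would log them


if __name__ == "__main__":
    for host, when in isolation_decisions(constructed_log()):
        print(f"{when} isolate {host} from file-share network")
```

The output of the trigger is a decision record, not the isolation itself; whether the host is quarantined automatically or handed to a human who has the business owners' pre-agreed authority is exactly the question the section above says should be settled in advance.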

Preparation is key to a successful response to any attack scenario, but especially to a ransomware attack. These attacks, and the decisions and actions an organization must take to respond to them effectively, go well beyond technical considerations and fall into the realms of both enterprise and information risk management. Whatever decision is made, business leaders need to be aware of the broader considerations associated with this type of attack to ensure they are not targeted again by the original or a different adversary in the future.
