Another year passes and we are still not seeing the significant dip in ransomware and double extortion attacks that we had hoped for. We are becoming increasingly blasé about the frequency of the attacks.
Yet the individuals caught up in the attack have to make difficult and rapid choices that most had not previously considered. In this article I look beyond the moral argument of “to pay or not to pay” and consider the cold reality of the decisions surrounding paying a ransom and what you can prepare for now before it is too late.
DO WE PAY?
This topic is a difficult one to cover. As I sit here writing this I am struck by an uncomfortable feeling, perhaps caused by the cognitive dissonance often felt on the issue of ransomware payments. Morally we would all agree that in a perfect set of circumstances we would not pay a ransom to criminals. It is unquestionably funding a cycle of criminality and ultimately making all of our lives more challenging. It is also not in dispute that we are not truly able to ascertain exactly where the money is going and for what purpose. This blog post isn’t going to be looking at the morality arguments behind crime, ransoms and societal damage caused from it.
We have very little overall visibility into the ransomware landscape so a great deal of the analysis you read on ransom payments is at best partial and, in many cases, unsupported by evidence. That said there has been an increase in the propensity of organisations paying the fees demanded by attackers. So much so that an entire industry of products, services and “negotiation consultants” has sprung up to facilitate such payments.
Owing to this alleged increase in the number of companies opting to pay ransoms, and despite the uncomfortable feeling it creates, I will take a look at a few things you should be doing now to increase your resilience and your ability to respond should you find yourself contemplating paying the attackers.
The first thing to do is have the tough conversations now, before any attack. Nobody elects to pay a ransom to cyber criminals for the mere joy of doing so. If you are in a position where you are considering paying a ransom it is fair to say that you probably only have a few other options available, all of which are varying degrees of terrible. All of which are likely to be rather expensive too.
So if you are seriously evaluating whether or not to pay a ransom there are some questions your Crisis Management Team (CMT) needs to be asking, and it is imperative that you have these conversations now, before you find you are backed into a corner with a timer counting down to disaster.
Some of the key conversations should cover:
- Would we ever pay?
- If so in what circumstances?
- Who would authorise the payment of a ransom?
- What does our insurance say on this matter?
- How would we buy Bitcoin or Monero? Would we need a wallet set up beforehand? This isn’t a quick task!
- What is the maximum amount the CMT can decide to pay without involving the Board?
- If we do decide to pay, what assurances would we need from the attackers?
There are a lot of things to consider here and in the heat of a business-crippling incident this will likely feel somewhat overwhelming. Most of these questions can be hypothetically discussed and clarified prior to this worst-case scenario manifesting. That will save you a great deal of time and stress but crucially it will give you more control over the process should you ever end up here.
Due diligence on the attackers
I almost roll my eyes each and every time I present on this topic. The fact that I am sat here talking about how and what due diligence you should be doing on cyber criminals who have just attacked and extorted your business to the detriment of your clients is quite frankly indicative of how bad the situation regarding ransomware is at present.
There are a few things you need to give some careful thought to though, to avoid getting into more trouble post incident.
Who are they? This will likely not be a mystery. The majority of big ransomware groups now trade heavily off the brand and reputation that they have taken time to build and curate for this very purpose. It is essential to establish who the ransomware group is for two main reasons:
- Are they going to do what they say they are going to do? A lot of bigger ransomware groups do tend to stay largely true to their word, as their business model would fall apart pretty quickly if they didn’t. That said, given the lack of contractual protections afforded to us when negotiating with criminals, it is prudent to look at the past attacks claimed by the group; your insurer or the third party law firm assisting you will likely have information on this.
- If they are deemed to be “reliable” can we even pay them? Firstly, it is not illegal in the UK to pay a ransom. That said, there are two circumstances where such a payment may constitute an offence. The first is if you are found to have financed terrorism. The test here is whether or not you knew or had reasonable cause to suspect that money you paid may be used for the purposes of terrorist activity. It is very unlikely a ransom payment would meet this. The second circumstance where you could be caught out is if you pay a ransom to a “designated” individual or entity who has been sanctioned by the UK. The Office of Financial Sanctions Implementation (OFSI) in the UK maintains this list. Caution does have to be exercised here though, because recently there has been a wave of proactive measures being taken, especially by the Office of Foreign Assets Control (OFAC) in the USA, to sanction cryptocurrency mixers (blockchain services which render crypto payments largely untraceable and un-linkable). The most noteworthy this year was the sanctioning of the smart contract mixer known as Tornado Cash; you can read all about that here.
The key point here is to think about how you would do all of this due diligence. Review your insurance cover and see what, if anything, it says about ransomware and double extortion attacks, the onboarding of third parties, and whether they facilitate the negotiation and payment or whether you are expected to. You can also pre-engage third parties yourself, such as law firms, who would then be on hand to assist in the event of an attack.
Plans and Playbooks Stop Panic
The vast majority of all the exercises, simulations and consultancy we run currently are focussed on ransomware and double extortion attacks. These attacks are notoriously aggressive and public. They are very difficult to keep private and very difficult to contain. If an attacker has gained access to your network – even if ransomware wasn’t deployed or wasn’t deployed successfully – they can exfiltrate a large amount of data and threaten to dump it publicly. You can find yourself up against a wall very quickly. That is, I suppose, the entire idea behind the attack.
The CMTs that I see leap, probably prematurely, to paying the criminals have one thing in common: they panic. Panic is something that plagues all human beings and from a psychological perspective I find it utterly fascinating. When you are in a state of panic several crucial things happen, none of which are helpful. Your cognitive processes are suppressed, which means you cease to be able to think logically and analytically. Responses can become irrational and short-sighted. We don’t make good decisions in panic. We are unable to.
So how do we stop this panic response? Preparation is key. First and foremost I recommend building out a ransomware plan and a playbook that can be utilised by your strategic and tactical teams. Run exercises to test the plans and your team’s ability to use them under pressure. Find the weaknesses, patch them, repeat.
The second thing I find helps suppress panic is having options. I was recently interviewing UK astronaut Tim Peake at an event in London. Before the interview we grabbed a coffee or three to prepare the questions and also indulge my nerdy side. We came onto the topic of space walks, a feat so incredibly fraught with danger that astronauts spend their entire careers prepping for what could be a few short minutes outside of the ISS. We talked about the incident in 2013 when Italian astronaut Luca Parmitano was doing a spacewalk and felt water at the back of his neck. Water started to flood into the helmet and whilst he and his team got him back to the airlock in time, it very nearly ended in tragedy. Tim Peake’s view was that “so long as you know you have options you won’t panic”. That point stuck with me. It’s true.
The same applies in a cyber incident. A lot of the major ransomware groups are excellent at applying pressure and generating panic because that increases the chance you will pay and you will pay full price. So long as you have options you won’t be so inclined to panic. So document those options. What are they? What are the implications of each of them? What are the implementation timeframes? If they feel they have options the key decision makers can remain calm and make better, more analytical decisions.
What is your point of no return?
The final point that I think is always really important to discuss, although it is also very uncomfortable, is ensuring that in your plans, playbooks and checklists you are clear on what the point of no return is. In many ways this is the ultimate deadline. In the financial services sector, operational resilience and impact tolerance setting has been on steroids for a few years now. The net result, in my opinion, is a really robust appreciation for the impact and levels of harm experienced from the disruption of important business services. Every business, no matter how large or small, will have a point where the harm to the business and customers is so great it cannot easily, or maybe ever, recover. It is the absolute worst-case scenario, if you like. So in your planning I urge you to identify the important business services that you have and consider how long they could be down for, how much the integrity of the data could be impacted, or even how far back you could go to restore from backups without those backups being useless. Make sure that analysis is included in your plans and playbooks. This will hugely influence decision making, as it should, and is often a question that gets raised by the CMT in exercises. It will give you a clear idea of when you are approaching a critical point where the business won’t be likely to recover. There isn’t much point paying if you’ve already gone beyond this point. It is definitely, in my experience at least, a vital deadline to have in your mind and greatly influences how much time you can spend exploring options other than paying the criminals.
So ignoring the moral arguments around ransomware and looking at it through a cold, analytical lens there are many things we can discuss and plan that will greatly assist us should the worst happen. Your position on when and if to pay ransoms doesn’t need to be documented, in fact many argue this would be unwise in the event of an attacker being in your network, but you can have the conversations and have a general understanding of what you would do in what circumstances.
The more you can prepare in advance the better the incident will go should it happen. You will know when or if you have to make a decision to pay and how to go about doing so. Crucially, your strategic and tactical teams will be more resilient and able to respond much faster.