Negotiating Ransom: To Pay Or Not?

Uploaded on 2021-06-23 in TECHNOLOGY--Hackers, NEWS-Cybersecurity News, GOVERNMENT-Law Enforcement, FREE TO VIEW

Ransomware is one of the key cyber security threats that faces business and the cyber criminals behind it are becoming more dangerousOver the past eighteen months there has been a surge of ransomware attacks, made more disruptive by the complications of Coronavirus.  

From the criminals’ point of view, ransomware is massively profitable and a relatively easy exploit to accomplish. According to the European Union Agency for Cybersecurity (ENISA) 45 percent of victim organisations pay the ransom.

In December 2020, the acting head of the US Cybersecurity and Infrastructure Security Agency (CISA) said that ransomware was “quickly becoming a national emergency,” and it now effects most countries and corporates. In Britain, Lindy Cameron, newly appointed the chief of the British National Cyber Security Centre (NCSC) says her agency is committed to tackling the threat of ransomware and "supports victims of ransomware every day" but that a coordinated response is required to combat the growing threat. 

Speaking earlier this month, Lindy Cameron said "For the vast majority of UK citizens and businesses, and indeed for the vast majority of critical national infrastructure providers and government service providers, the primary key threat is not state actors but cyber criminals." She also noted that the ecosystem is evolving through the Ransomware as a Service (RaaS) model, whereby ransomware variants and commodity listings are available off the shelf for a one-off payment or a share of the profits.

Many analysts were surprised at how quickly the attack victim paid the $4.4 million ransom demanded when the US Colonial Pipeline was struck with ransomware recently, although much of the money extorted has since been recovered by the FBI.

The Colonial Pipeline CEO Joseph Blount told US lawmakers that although his company had an emergency-response plan in place, it didn’t include plans for responding to a ransomware attack.  However, the company did have insurance to pay for ransomware attacks, so the decision to pay was swift. A ransomware notice first appeared on a machine in Colonial Pipeline’s control room around 5 a.m. on May 7th and by 6 a.m. the company had shut down its 5,000-mile pipeline, Blount testified. 

By 7 a.m. the company had contacted outside legal counsel and engaged digital investigations firm FireEye to begin a forensic assessment of the damage. By late afternoon the same day, Blount decided to pay the ransom and on May 8th the money was sent.

The FBI advises victims to avoid negotiating with hackers, arguing that paying ransoms incentivises criminal behavior. This puts victims in a tricky position. “Regardless of whether you or your organisation have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under US law, and prevent future attacks”, says an FBI report.

The rise in ransomware as a business for criminals has produced a parallel rise in companies engaged in helping victims negotiate ransoms and recover the money extorted. 

Negotiating ransoms is a fraught process that can take more than a week and change rapidly, depending on the demands of the extortionists and the condition of the victim’s backups, according to Bill Siegel, CEO and co-founder of Coveware, a company that negotiates ransomware payments for victims. Coveware also aggregates statistics and other data about ransomware incidents to help the government track the scourge. Siegel told The New Yorker that Coveware has negotiated a “few thousand” ransomware cases since 2018 and that each case is different..

Siegel declined to discuss his customers or the specifics of negotiations, to avoid giving ransomware actors insight into negotiating tactics. Handling one of these negotiations is not easy and often goes five or seven days, it typically means that the company isn’t sure if they actually need to pay or not.

If an organisation has to pay very fast, it’s typically because they know they have no other means to recover.

The issue for most organisations is that they have not properly configured a backup if they suffer a ransomware attack. A server that gets impacted with ransomware has to be, at a minimum, heavily remediated to ever be trusted again. The best practice is to establish a clean backup network where you can re-image all of the servers, re-install all of the applications and then, for the data,  upload uncontaminated backups that you can restore to the backup network servers. To determine if files will decrypt properly you need to do scans on all of the encrypted files to look at the integrity of the encryption. A properly encrypted file will normally properly decrypt. 

A major aspect of the he Colonial Pipeline outage is that it had cascading effects that the company had no direct control over - the reaction of consumers - who started panic-buying and hoarding fuel.  Even though there wasn’t actually a fuel shortage, people created a fuel shortage from panic.

This is a compelling example of the follow-on effects that might not anticipated in an emergency and which that can put pressure on organisations to pay the ransom.

NCSC:    FBI:     Zero Day:    New Yorker:     ENISA:     SHRM:    ZDNet:   CloudsavvyIT:     Schnier On Security:

Image: Unsplash

You Might Also Read:

Running Out Of Cyber Gas

Will Governments Ban Ransom Payments To Hackers?:

 

 

« DarkSide May Not Stay Dark For Long
Global Police Operation Closes Fake Pharma Websites »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Cyber Security Supplier Directory

Cyber Security Supplier Directory

Our Supplier Directory lists 6,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

Mielabelo

Mielabelo

Belgian consulting firm providing services in the security and compliance of information systems and IT service management.

EfficientIP

EfficientIP

EfficientIP helps organizations drive business efficiency through agile, secure and reliable network infrastructures.

Cybercom Group

Cybercom Group

Cybercom offers strategic advice, testing & quality assurance, security solutions, system development, integration, management and operation services.

Norton

Norton

NortonLifeLock is dedicated to helping secure the devices, identities, online privacy, and home and family needs of approximately 50 million consumers.

Excelerate Systems

Excelerate Systems

Excelerate Systems is a leading provider of IT services with a focus on Big Data, Cloud Services and Security.

Ksmartech

Ksmartech

Ksmartech provide services related to security and authentication in all areas where the connection of people to objects, and objects and objects is necessary.

Gytpol

Gytpol

Gytpol is a leader in Endpoint Configuration Security (ECS) solutions, providing validation, remediation & securing of IT Policies and IT Infrastructure on-premise and in the cloud.

SAST

SAST

SAST provide Static Application Security Testing as a service based on SAST Tools.

Quantinuum

Quantinuum

Quantinuum is the combination of Cambridge Quantum with Honeywell Quantum Solutions, structured to drive the future of quantum computing.

Binary Security AS

Binary Security AS

Binary Security is a Norwegian information security consultancy company. We are specialists at application security, penetration testing and secure code reviews.

Moviri

Moviri

Moviri combines security technology engineering, intelligence expertise and our data science DNA to help companies manage digital risk end-to-end.

RegScale

RegScale

RegScale helps organizations comply in real-time with multiple compliance requirements (NIST, CMMC, ISO, SOX, etc), scalable to meet the needs of the entire enterprise.

Halogen Group

Halogen Group

Halogen Group is the leading Security Solutions Provider in West Africa. Services encompass Physical Security, Electronic Security, Virtual & Cyber Security, Risk Assessments and Training.

Censinet

Censinet

Censinet provides the first and only third-party risk management platform for healthcare organizations to manage the threats to patient care that exist within an expanding ecosystem.

Harbottle & Lewis

Harbottle & Lewis

Harbottle & Lewis is a leading UK-based law firm focused on the Private Client and Technology, Media and Entertainment sectors.

Information Security Society of Africa – Nigeria (ISSAN)

Information Security Society of Africa – Nigeria (ISSAN)

The Information Security Society of Africa – Nigeria (ISSAN) is a not-for-profit organization dedicated to the protection of Nigeria’s cyberspace.