Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

6/21/2019
12:45 PM
50%
50%

Pledges to Not Pay Ransomware Hit Reality

While risk analysts and security experts continue to urge companies to secure systems against ransomware, they are now also advising that firms be ready to pay.

When a Florida town of 35,000 paid a $600,000 ransom to regain control of its computer systems and critical services — from e-mail access to management of a water-pumping station — critics immediately warned that paying ransomware operators would only lead to more attacks.

Yet businesses and city governments need to stay operational. While risk analysts and security experts continue to recommend that companies keep focused on securing their systems and speeding incident response to minimize the impact of crypto-locking ransomware, they are now also recommending that companies be prepared to capitulate.

In a June 5 report, for example, Forrester Research published a guide to paying ransomware, advising its audience to consider third-party firms that negotiate with cybercriminals to ensure the best outcome.

"Our recommendation is to work with someone who is essentially a specialized breach coach for ransomware," says Josh Zelonis, senior analyst for cybersecurity and risk at Forrester. Companies need to "go through a staged process to make sure that you are building a rapport with the actor and ensuring that they are able, and willing, to decrypt the data — to essentially deliver a 'proof of life.'"

The list of municipalities that have been hit with ransomware is growing. Baltimore, Maryland; Atlanta, Georgia; Riviera Beach, Florida; and Albany, New York, have all faced the decision of whether or not to pay. Some, such as Riviera Beach, decided they had no other choice but to meet the ransomers' demands. Others, such as Atlanta, reportedly refused and faced massive clean-up bills.

The list of companies that have had to deal with crypto-locking ransomware is even longer. Large companies, from Merck to Fedex to Renault, wrote down hundreds of millions of dollars from the WannaCry and NotPetya attacks. Now, clients of some managed service providers are facing ransom demands after attackers gained control of their administrative portals. Paying $17,000 in 2016, Hollywood Presbyterian Medical Center got off fairly lightly. 

"I don't think you can make a blanket statement of 'pay the ransom' or 'don't pay the ransom,'" says Adam Kujawa, director of the research labs at security firms Malwarebytes. "If you have failed to segment your data or your network, or failed to check your backups or other measures to get your company back on track quickly, then you will have to deal with the fallout."

One problem for companies: Ransomware operators have shifted away from blanketing consumers and businesses with opportunistic ransomware attacks and now almost exclusively target business and municipalities. Along with that shift, the cost of ransoms has quickly grown because such organizations can afford to pay. Now, many organizations are faced with seven-digit ransom demands, Zelonis says. "That's a heck of a payday," he adds.

The increase in ransom demands is driven by attackers' targeting and research on victims, he says.

"It is interesting because the other thing we are seeing is that these actors are not just looking at your infrastructure and where your backups are to make sure that you cannot recover from backups," he says. "A lot of the actors are looking at a company's annual revenue to figure out what they can afford to pay."

For companies that want to stick to their pledge to never pay ransomware operators, that intent needs to start before an incident — with preparation. Organizations need to focus on security, incident response, and recovery to minimize the cost of a ransomware attack. Incident response exercises are key, Zelonis says. 

Yet cybercriminals have become more savvy. They will often spend time in a target's network looking for the most sensitive data and making sure they can compromise the backups, as well, he says.

"The ransomware market from two or three years ago has totally evolved," Zelonis says. "[Cybercriminals] are understanding where you are backing things up and going after those systems. This is a full-scale breach."

The Forrester report advises companies to invest in cyber insurance as a way to offset at least some business risk. Organizations should also test their ability to recover from a massive data loss event using their backups.

"A harsh reality is that a majority of organizations aren't testing their ability to recover a single system from backups, much less validating they have the ability to recover potentially hundreds of systems at the same time," the report states.

To be most responsive in the case of a ransomware incident, companies need to have a plan for acquiring cryptocurrency or have a fund already in place, as well as have an incident response provider on retainer and select a ransomware specialist, the report stated.

The focus for companies is to stay in business, so even for companies that could recover all of their data, it is often easier — and cheaper — to just work with the attacker to restore the data.

"If you are losing data, that will cost you more to recover or to deal with the fallout of losing it, and you are dealing with the cybercriminal and they are willing to negotiate, then you are in a situation where paying might not be the worst idea in the world," Malwarebytes' Kujawa says. "It's not what we like to do, but at the end of the day, a business needs to stay in operation."

Related Content

 

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
0%
100%
REISEN1955,
User Rank: Ninja
6/24/2019 | 9:49:11 AM
And if .....
Suppose .... A server failed or data center went offline, you cannot pay ransom to recover that event.  So what to do?  Gee, isn't that what a recovery and backup plan is supposed to do?????  And what is any damn different from a ransom attack to a failed RU-42 rack full of servers?   Except exfiltration of data = NOTHING.   So give up people and just have a back account set aside for ransom and heaven forbid planning for any other eventuality.  The only one thing IT needs to worry about -ever- is a ransomware attack and otherwise things never, ever go down ..... right?
Simon Hunt
50%
50%
Simon Hunt,
User Rank: Apprentice
6/24/2019 | 9:12:31 AM
To pay, or not to pay.
The difference is, we know any payment will be used to commit further crimes, in particular, "real world" crimes like drug manufacturing, people trafficking etc. Plus any payment inspires other criminals to follow suit. https://www.bromium.com/wp-content/uploads/2018/05/Into-the-Web-of-Profit_Bromium.pdf
For Cybersecurity to Be Proactive, Terrains Must Be Mapped
Craig Harber, Chief Technology Officer at Fidelis Cybersecurity,  10/8/2019
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17593
PUBLISHED: 2019-10-14
JIZHICMS 1.5.1 allows admin.php/Admin/adminadd.html CSRF to add an administrator.
CVE-2019-17594
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the _nc_find_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-17595
PUBLISHED: 2019-10-14
There is a heap-based buffer over-read in the fmt_entry function in tinfo/comp_hash.c in the terminfo library in ncurses before 6.1-20191012.
CVE-2019-14823
PUBLISHED: 2019-10-14
A flaw was found in the "Leaf and Chain" OCSP policy implementation in JSS' CryptoManager versions after 4.4.6, 4.5.3, 4.6.0, where it implicitly trusted the root certificate of a certificate chain. Applications using this policy may not properly verify the chain and could be vulnerable to...
CVE-2019-17592
PUBLISHED: 2019-10-14
The csv-parse module before 4.4.6 for Node.js is vulnerable to Regular Expression Denial of Service. The __isInt() function contains a malformed regular expression that processes large crafted input very slowly. This is triggered when using the cast option.