You get the call you’ve been dreading. No, not a breach. The other call. That despite best efforts and good intentions, ransomware has locked up critical servers. And now the attackers are demanding you pay them in bitcoin if you want the information back.
What do you do?
Sure. It sounds simple. We don’t negotiate. We don’t pay.
Is that the right answer? Are we giving people good advice?
A few months ago, the FBI suggested sometimes people should pay. Just last week a hospital made headlines when they did pay. Right now my local school district is handling the same issue. And struggling to get the bitcoin to pay.
Suddenly, people are talking about ransomware. Again.
What’s the right approach?
Turns out the answer is a bit nuanced. Getting us up to speed is Rob Gresham (LinkedIn, @rwgresham) Sr. Consultant with the Foundstone Services DFIR team, a part of Intel Security. Rob also serves in the National Guard. He brings vendor agnostic experience in dealing with advanced adversaries techniques, tactics and procedures. Which is why he leads the Threat Intelligence program for Foundstone Services team.
When I brought the concept of ransomware up, Rob quickly brought me up to speed. Now it’s my turn to share our conversation with you.
You mentioned that ransomware is evolving. It’s more of a business now. How so?
With over $445 billion in losses to consumers, Cybercrime is a big business. Like all business though, initial rollouts of ransomware didn’t live up to expectations, so criminals are innovating. Would you continue to pay for a product if it never delivered on those expectations?
If the criminals want the extortion to work, they have to deliver the goods. Otherwise, caveat emptor right? Additional issues apply to takedowns, where the authorities took down the sites, but the customers didn’t get the keys or products to get their data back. Some companies have helped in this area when taking part of the takedowns and created decryption tools to help consumers.
Innovation in cybercrime is must. As we learn the techniques, we protect our customers. For example, first versions of cryptolocker didn’t take into account Windows Volume Shadow Copy services. So customers could just right click their data and rollback. Criminals innovated to turn off the service prior to encrypting. Now it is a standard process. If the ransomware is of a static build, then we find creative ways to block it consistently. Criminals innovate and use malware techniques to create polymorphic ransomware. Very much like supply and demand, criminals are creating SaaS solutions and selling them in the dark corners of the Internet.
We always told people not to pay. We cautioned them it was akin to negotiating with terrorists. Has this advice changed? Should companies pay?
It is still extortion/blackmail and I personally tell customers not to pay. However, the authorities have said differently. It boils down to motivations. If we keep paying, the market keeps innovating ways to keep us paying. However, if nobody paid, criminals would have to find something else to make money. For me, the advice hasn’t changed. What has changed is the acceptance of risk and cost to recover. We are choosing the easy way and for some it may be the only way if they didn’t have a good business continuity plan (BCP) and tested it. This way you know what your real losses are and you choose the moral right over easy wrong.
But it doesn’t always work that cleanly. Some customers get attacked and vital company information is compromised. They don’t have a solid BCP in place. With no way to recover the information, I can’t honestly tell them not to pay.
In most cases, it is a business risk transaction on a ROI cost equation. Compare the cost of the ransom to recover data versus the loss of time (which might include new business), actual business loss, reputational damage, and the like. The hope is that payment results in data restored with no loss. Not so much because of the shady criminal element, but because the programs are designed by people, and sometimes the decryption process doesn’t always work as well as we’d like.
There is an upside: payment changes the legal dynamic. It starts a money trail which helps authorities prosecute, eventually. There are a lot of skilled investigators who know how to follow the money either virtually or physically.
Do the companies who pay get their data back? How does that work?
I like to explain to leadership teams like this: when you leave on vacation, I come to your house and change all the locks and board up all the windows. I leave a note on the front door with ransom instructions on how to get back into your house. If you pay, I drop the keys off. If a week goes by and you don’t pay, I burn your house down.
You may have to break a few things to get back in and stop the fire. Some customers pay, there are others that don’t. They understand the cost when it comes to their business user’s data and most are quick to share the pain thru the data loss. At least that’s how it used to be.
More criminals use tactics that convince consumers to pay and pay now. Getting ransomware to critical business data by using their externally compromised resources to deploy and spread ransomware to critical internal systems. This innovating change in tactics is frightening. Before, it was a phishing attack, local to phished customer and could compromise shared data, but server infections were rare.
Either scenario creates additional issues. Take what happens, a malware dropper is implanted on the system or external exploit is used deliver the encryptor payload and export the encryption keys. Both require you to clean up the systems after the files are recovered.
Otherwise, what stops them from doing it again?
After paying the ransom, they have more work to do? What does that involve?
Customer have to determine the initial infection point and time of infection. They still should call incident response processes into play and ensure they don’t get blackmailed again. Traditionally, extortionists keep coming back until the money is gone.
You need to ensure the integrity of your business environment. That means determining systemic cause and root cause OR it will happen again. Frequently, we have arrived at a customer site for them to tell us it has happened multiple times. Why doesn’t our software fix the issue!?!? Then we have to explain why you don’t get mugged every time you go to the store. Crime is opportunity and location and both have to be in the criminals advantage. How does that happen on the Internet? Unrated websites, dark web connections, vulnerabilities, and phishing opportunity (awareness).
What can security leaders do to better prepare against ransomware?
Customers need to have a business continuity plan. This includes tested backups, alternate processes to get work done. Those organizations in high risk natural disaster areas usually do. Yet, we find they don’t regularly test their backups. Customers need to keep their patches and antivirus signatures up to date which reduces their attack surfaces. It may not help if you are one of the first in a new variant, but it ensures you aren’t the last and learn from others mistakes. Avoid being the first through monitoring, hygiene, and awareness.
Monitoring doesn't require fancy tools. Take notice when ‘protected’ processes are being ‘attacked’ by another process. This usually signals some type of malware. Ransomware wants to shut off the antivirus services, so it hits those files quickly, usually within the first hour.
Monitoring for these types of events makes a difference. Catch the event within the hour, remove it from the network, and shut it down. Done right, it stops the ransomware and future loss of data. Most everyone watches server uptime and availability. How hard is it to have a malware event timeline? Adjust what you look for to get ahead.
Hygiene and awareness are harder to implement.Just as you learned or gained experience to avoid certain areas at night with no friends or lights. You walk fast, no eye contact and get to a populous as quick as possible. To improve hygiene and awareness, communicate more. Share the stories. Engage them in conversation. Let people know what you're doing to protect yourself and your organization. Show them simple things they can do, too. And make sure they know your door is open for them to come to you with concerns.
The incident response process makes the difference in organizations. Those who choose to monitor and ACT are the ones that don’t have to pay criminals. All others have to choose between the cost and risk of paying or losing their information.