Picture the scene: you are the chief counsel at a large, multinational corporation, and as you attempt to log on to your system on Monday morning, you notice that your email box isn’t updating, and you can’t log on to your computer using the company VPN. You then discover that others in the organization are having similar issues.
Soon after, you receive a frantic call from the company CSO, who explains that the organization has been hit by ransomware and that the attackers have sent a ransom note demanding a huge payment within three days. If payment is not received, all of the organization's private data will be published online and made accessible to anyone.
Ransomware attacks are targeting every industry globally, including highly regulated industries such as government and healthcare. Since the onset of the COVID-19 pandemic, the number of ransomware attacks has drastically increased. Security Magazine reports a 72 percent increase in the number of ransomware attacks since the beginning of the pandemic. Evidence suggests that having employees working remotely significantly increases the risk of a successful ransomware attack.
Incidents like this have been occurring on an unprecedented scale, and once a company has been the victim of a successful ransomware attack, the technical and legal considerations are significant. Where an organization is no longer operational due to ransomware, it must ask itself:
The first thing you should consider is engaging an incident response team, either brought in after the event or, preferably, placed on retainer before an attack, to guide you through the remediation process. Whether the incident is ransomware or something else, you want ready access to people with specific experience in cyber incident response and investigation rather than assembling that expertise under pressure.
If you have a cyber insurance policy, you should check your coverage requirements and whether you have access to a panel of response companies and/or legal counsel that you may be required to call on in the event of a data breach.
There are a variety of factors and risks which must be considered when deciding whether to pay a ransom, and organizations will need to establish some level of attribution to determine whether the threat actor is a sanctioned entity or is subject to sanctions levied against a specific nation.
The company should also determine whether payment of the ransom is permitted under applicable laws; otherwise it could find itself facing another major incident if it unwittingly violates international sanctions by making a ransom payment.
It is currently not illegal in general to pay ransomware demands, but there is a huge gray area when it comes to determining whether a demand should be paid or not. Facilitating ransomware payments to sanctioned entities may be illegal according to the US Treasury, and similarly in the EU cyber criminal groups may have financial sanctions placed on them. The UK Terrorism Act 2000 also makes it illegal to pay a ransomware demand where there is a suspicion it is linked to terrorism.
In many cases, it is not worth paying a ransomware demand. Organizations may remain infected after paying, which adds the further cost of removing the malware before another attack happens. Cybereason recently published the results from our second annual ransomware study to better understand the true impact on businesses.
The report, titled Ransomware: The True Cost to Business Study 2022, tapped the experiences of more than 1,400 global cybersecurity professionals and revealed that 73 percent of organizations suffered at least one ransomware attack in 2022, compared with just 55 percent in the 2021 study.
The study also once again finds that 'it doesn't pay-to-pay' a ransom demand: 80 percent of organizations that paid were hit by ransomware a second time, 68 percent said the second attack came less than a month later with the threat actors demanding a higher ransom amount, and nearly 70 percent of companies paid a higher ransom demand the second time.
In order to determine if a ransom should be paid, organizations need to assess the severity of a threat and whether they can restore infected or lost data from backups, together with the overall financial impact of the loss of business per day.
Another risk is that the ransom payment may simply be ineffective: paying does not guarantee that systems can be unlocked successfully. Previous ransomware attacks show that some threat actors never provide a decryption key or tool after receiving payment, or that the decryptor they provide does not work.
In the Cybereason study for instance, of the organizations who reported having paid a ransom demand after a successful attack, only 42 percent indicated the effort resulted in restoration of all services and data, while 54 percent said some were returned to normal but some issues persisted, or some data was corrupted after decryption.
There is also a potential loss-of-life scenario for critical infrastructure organizations such as healthcare providers and utilities, which must weigh the sanctions risk in the applicable jurisdictions against the possibility that any delay in restoring systems could result in injury or death.
Organizations infected with ransomware also face the high probability that, before encrypting anything, the attackers spent time inside the network and exfiltrated sensitive proprietary or customer data, so further legal analysis should be conducted to assess the resulting risk to the organization.
Many ransomware threat actor groups engage in the tactic of double extortion, where exfiltrated data is used as further leverage to compel organizations to make the ransom payment or face the possibility that the data will be made public, a scenario where having data backups does little to keep the organization out of jeopardy. In situations like this, it is important to establish if a data breach has occurred as part of the ransomware attack and take the necessary steps accordingly.
The decision on whether to involve any relevant law enforcement bodies should take into account factors such as the applicable legal requirements regarding regulatory notice, the benefits in contacting law enforcement and any contractual requirements.
Will your law enforcement contact and any information shared with them become public? They may want to act quickly to publicly share any decryption keys at their disposal, or they may simply note that an organization has been victimized and ask that you share information regarding the breach such as any key indicators of compromise.
From a commercial perspective, business continuity issues as a result of a ransomware attack may cause an organization to be in breach of service agreements or delay fulfillment of other contractual obligations, so it is imperative to be as prepared as possible for a ransomware attack and have a strategy in place for how to deal with it.
Waiting until an attack has occurred to work out your strategy and response is too late; organizations should have an incident response plan in place that contemplates a ransomware attack before one actually happens. It is best to be as prepared as possible and stay one step ahead of cyber criminals.
In preparing to defend against a ransomware attack, many organizations turn to data backups for post-attack remediation, but as we discussed above, that only goes so far. Backing up systems and data is still a smart choice, but it does not solve the problem of double extortion, since the attackers already hold a copy of the stolen data.
An effective ransomware prevention plan includes actions like:
Ultimately, a multi-layered defense approach should allow you to analyze all data in real time (not just endpoint data), protect you against double extortion, and block never-before-seen executables, so that you truly have a proactive anti-ransomware strategy in place.
Cybereason is dedicated to teaming with defenders to end ransomware attacks on the endpoint, across enterprise, to everywhere the battle is taking place. Learn more about predictive ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.