The debate over ransomware attacks continues: do you make the ransom payment or not? Lately we have seen many payments being announced. This decision belongs in the ransomware playbook of your incident response plan, and it should be discussed now, not when an attack happens. What are the pros and cons of paying, and what should be in your ransomware response plan?
Consider ransom payments BEFORE attacks
The fact that ransomware attacks seem to surprise some businesses is indicative of how naive many of them really are. That statement includes governments, school systems, healthcare providers, and large enterprises. You should have an Incident Response Plan in place that has considered ransomware. A ransomware-specific playbook should be in place with a plan to stop the spread and recover. That plan should include your decision about paying a ransom BEFORE the attack happens. During the attack there are many more pressures in play. Know how you feel now versus how you will feel then.
Let’s be fair, though, most of the people who do pay don’t have a plan in place anyway. If they have a plan it may have been minimal policies like “we will restore” if that happens. What are the pros and cons to paying and what should be in your ransomware response plans?
First, your plan should include some specific things. We have talked about these plans repeatedly. There is a long list of contact information that should be maintained and readily available. You should also have facts on hand, such as what your insurance covers.
Insurance coverage is often the source of ransom payments. I have heard many people recommend payment just because it is covered by insurance. It is imperative that your response plans reflect an understanding of your coverage for the whole business. You should know your cyber coverage and the requirements it may have. You should understand what equipment can be replaced, how long it will take to get payment, what your limits are, and how to file those claims. That includes the claims for ransom payments.
Other things, like the steps to take to stop the spread and preserve evidence, are key to an effective response. A woman at a conference this year thanked me for a presentation on dealing with a ransomware attack that I had given at an earlier edition of that conference. When they were hit, she knew what to do. She said that would never have happened if she hadn’t been in my session. Granted, I did not ask for details of their response, but I felt really good that I had helped them be prepared. They had an understanding of what to do.
Some things to include in your playbook:
- All staff members must know how to stop the spread.
- The best case is that they know how to disconnect the machine from the network. That stops the spread and preserves the most evidence: by keeping the computer running you don’t lose any volatile digital evidence.
- The concept of disconnecting from the network is hard to teach. That leaves the easier second option: pull the plug, shut it down, make it stop!
- Teach them to take pictures of screens and document the date and time with as much other detail as they can remember for the investigation. The more they document the better things will go for everyone.
- All staff members must know who to notify when they pull the plug.
- That includes multiple numbers and people. Do not create delays by having one person who happens to have the day off or be at a conference.
- All staff members must know how to do their work when the systems are shut down.
- All staff members must know how to communicate the situation.
- You don’t tell patients or vendors or the media that you were hit by ransomware or you have a data breach.
- Your staff must know to say only that there are computer problems and your team is working on it. No matter what the problem is, just call it computer problems if you can’t use the computer. No details, and certainly no mention of a data breach or ransomware.
- Teach staff that anything that happens will need to be investigated by experts before anyone knows for sure what you are dealing with, so wait for the experts to figure it out.
- Who does the response team contact first to open an insurance claim, preserve evidence, and start the investigation? Of course, after the spread has stopped.
- What inventory must be done first?
- What systems and applications are most mission-critical to determine if they were impacted?
- Who will do the technical analysis and how do you get them involved?
- What are your restore options, how do you restore, and how long will it take?
That isn’t a full list but it gives you an idea of what a playbook would include. The item for this discussion is the ransom payments decision which would also be on the list.
Ransom payments considerations
To be fully prepared for a ransomware attack everyone should take the time to evaluate the business decision required concerning ransom payments. There are pros and cons that must be taken into account. It is much easier to evaluate your options without being under the pressure of an actual attack. However, keep the level of pressure in mind when thinking about your decision also.
The whole reason ransomware attacks are so popular for criminals is because it is very lucrative. People do pay to get their data back. Payments happen a lot or they wouldn’t be continuing to pursue this business model. In fact, you can get ransomware-as-a-service where multiple criminals take a cut of your ransom payments.
Reasons people make ransom payments
When deciding whether to pay, some businesses have no other choice. Other businesses have other choices but elect to pay the ransom anyway. The standard answer from the FBI, law enforcement, and experts is not to pay. However, they all understand that sometimes you really have no choice in the matter and a payment must be made.
The best way to avoid a payment is to actually have a plan in place that is tested. Of course, the plan could still be just to make the payment. Why would you make the payment?
- Time constraints to get back up and running.
- Lack of complete backup for restoring systems.
- Backups not tested and they fail when trying to restore.
Reasons people do not make ransom payments
As more people pay, the ransom demands keep going up. If the attackers know you are a business, you get asked for more. If they know that your kind of business has valuable data or must have timely access to its data, you get asked for even more. The payments that used to be a three or low four digit number are now 5 or 6 digit numbers. Two cities in Florida just announced payments of $500,000 and $600,000 days apart. With numbers like that getting paid, this isn’t going away anytime soon.
Another big problem with making the ransom payments is that criminals lie. Yes, it is shocking to many of us! Sometimes they disappear after you pay them. Those cases are criminals looking to make some quick money for something else. Most ransomware attackers are in this for the long haul to make more money, so they don’t just disappear, but it does happen.
Sometimes authorities catch them but their ransomware is still out there running. Remember, it is all automated. If they are caught, they may not be able to give you the decryption key because they are in jail. There is no way to know where in the world that jail is. They are criminals, after all; they could end up in jail for a number of reasons in a number of places around the world.
It isn’t completely out of the question that you will pay more than once for a single attack. Even those who make the ransom payment have found that the key they are given, or the program they run, opens some of the files while others stay encrypted, and they have to pay another round of ransom before all of their files are recovered. Interestingly, that second payment rarely makes the news.
All ransomware is not the same. When we first reviewed Ryuk ransomware earlier this year, we noted experts who said the decryption program you run doesn’t always work. In fact, it was something like 60% of the time that it worked. You may have systems that make their programs fail, just like any other software program.
Ransomware programs can damage your data. Their program is still software, and if it malfunctions you may not get all your data back even when you get the key. Data does not always come back looking the same. Sometimes the process they use to encrypt the data actually damages it to the point that it cannot be recovered even with the decryption key.
Once you have paid, you are a known mark. If you don’t fix the way you got hit in the first place, you will likely be hit again very soon. If you let them know you are willing to pay, you must have a plan to fix the problem. That means you pay them and you still make the investment to correct the problems that got you into the mess. If that means a substantial investment to replace old XP computers whose cost you have been ignoring, that job isn’t going to go away. You still have to pay for that project plus the ransom. It may be better to spend the ransom money on improving your security posture to prevent future attacks.
One final thing to consider about the malware: sometimes the malware is still there in the unencrypted data. Sometimes it is other malware. Without a clean restore, you aren’t sure you got rid of everything they put in your systems before they encrypted everything. It is critical to have everything scanned fully by experts, not just by the latest AV. The compromise could go much deeper into your systems.
What do we recommend?
Our recommendation is to have a plan so that you don’t have to pay. Yes, it may be time consuming to restore or rebuild, but if you have a plan in place, paying is not worth dealing with the issues in the list above of why not to pay.
Put together your plan, make sure that you test your backups, and know exactly what the RTO and RPO requirements of your team are.
If you fall under HIPAA, you can’t just pay or restore and keep going. You have a data breach that must be investigated to determine whether you must notify patients and HHS about it. Ransomware is a data breach, and any time you have a data breach you must investigate to determine whether a notification is required.
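A restore test is the only way to know that a backup is usable and current enough to meet your RPO. The following is an added example (not code from the original post) that restores every file in a constructed sample backup into a scratch directory, re-hashes each restored file against the backup’s manifest, and reports whether the backup’s age is within a stated RPO; the manifest format, file names and RPO value are assumptions for illustration.

```python
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file's contents, read in chunks so large backups fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def make_sample_backup(backup_dir: Path, taken_at: float) -> None:
    """Constructed sample backup: a few files plus a manifest of their hashes and the backup time."""
    files = {"patients.db": b"record-1\nrecord-2\n", "config.ini": b"[app]\nmode=prod\n"}
    manifest = {"taken_at": taken_at, "files": {}}
    for name, data in files.items():
        (backup_dir / name).write_bytes(data)
        manifest["files"][name] = sha256_of(backup_dir / name)
    (backup_dir / "manifest.json").write_text(json.dumps(manifest))


def restore_test(backup_dir: Path, restore_dir: Path, rpo_hours: float, now: float) -> dict:
    """Restore each manifest file, verify its hash after restore, and check backup age against the RPO."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    bad = []  # files that are missing from the backup or whose restored hash does not match
    for name, expected in manifest["files"].items():
        src = backup_dir / name
        if not src.exists():
            bad.append(name)
            continue
        shutil.copyfile(src, restore_dir / name)  # the actual restore step
        if sha256_of(restore_dir / name) != expected:
            bad.append(name)
    age_hours = (now - manifest["taken_at"]) / 3600
    return {"corrupt_or_missing": bad, "restorable": not bad,
            "age_hours": age_hours, "rpo_met": age_hours <= rpo_hours}


def run_demo(corrupt_one_file: bool, hours_old: float = 6.0, rpo_hours: float = 24.0) -> dict:
    """Build the constructed backup in a temp dir, optionally corrupt one file, and run the restore test."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, restore = Path(tmp) / "backup", Path(tmp) / "restore"
        backup.mkdir()
        restore.mkdir()
        now = time.time()
        make_sample_backup(backup, now - hours_old * 3600)
        if corrupt_one_file:
            (backup / "patients.db").write_bytes(b"\x00" * 16)  # simulate bit rot or tampering
        return restore_test(backup, restore, rpo_hours, now)
```

Run the test on a schedule against real backup sets; a backup that is "restorable" but older than the RPO, or current but with files in `corrupt_or_missing`, is exactly the failure the list above warns about.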
If you do decide to pay
Make sure you have a plan even if you plan to pay. Knowing in advance how to handle the transaction will protect you from further issues.
- Have an intermediary working with you so that the criminals don’t have your contact info. Keep in mind there were recent stories about companies charging people to recover from ransomware when all they were doing was paying the ransom. That is not a way to avoid paying. It is still very worthwhile not to be the person dealing directly with the attackers.
- You can negotiate with them. Make a lower offer and sometimes they will take it. They just want money. If you agree to pay anything they will often just take it.
- Always negotiate in the digital currency, not dollars. Bitcoin and currencies like it fluctuate. If you negotiate in dollars and the exchange rate moves, you may end up paying more bitcoin than you would have the other way around.
- Be prepared to pay more than once. This is another reason to negotiate because those that hit you twice are much more likely to take the first payment for less knowing they are going to have you back at the table soon.
- Be prepared to quickly invest in closing the loophole they used to get into your system in the first place, if possible. You must invest that money or you will likely be hit again the same way very soon.
- Have experts run deep scans on your system for things the criminals may have also done while they were there.
- Don’t forget you still have to do the data breach investigation.
No matter what you think you want to do, it is essential that EVERY business take the time to build a plan, or at least understand what a ransomware attack could do to its business.
As I write this post I am getting messages about another company under attack. Many of the things we know should be done have NOT been done there. It makes me certain that you should pass this information along to others who haven’t taken the time to think about ransomware and ransom payments. It is very likely that you, or a business you work closely with, will have to face one of these attacks in the next 12 months.