Last month, two agencies of the US Treasury department issued advisories warning against paying ransomware.
The Office of Foreign Assets Control said that by paying ransoms, companies are not only encouraging growth of the ransomware sector but also risk violating OFAC regulations. Violators can be held civilly liable even if they did not know that the groups they were sending money to were under sanctions.
This means that before they make a ransomware payment, companies need to conduct checks to make sure that the ransomware group is not on any prohibited list, said Greg Baker, senior associate at Booz Allen Hamilton. There are several such lists, he told DCK, all of which are related to terrorism or hostile-nation status.
In the case of ransomware payments, however, the attackers are generally not forthcoming with their identities. What happens if, later, it turns out that the hacker group was in fact associated with a prohibited entity?
The OFAC does have a provision for this, Hamilton said. "The test applied will be, one, was [law] enforcement (the FBI or DHS) notified? And, two, at what point was law enforcement notified – before or after the payment? The emphasis here is that the Office of Foreign Asset Control is pushing for greater, earlier law enforcement coordination in ransomware events."
Meanwhile, FinCEN, the Financial Crimes Enforcement Network, issued an advisory to financial institutions warning them of potential red flags associated with ransomware payments.
Ransomware Attacks, Ransoms Asked are On the Rise
Ransomware attacks have been up dramatically this year. They increased by 40 percent in the third quarter, according to a report released by SonicWall Capture Labs at the end of October.
And the payments are getting larger.
The average ransomware incident law firm BakerHostetler worked on in 2018 involved a payment of $28,920. Last year, the average payment went up more than ten-fold, to $302,539. This year, the firm said, the numbers are expected to be even higher – it is seeing ransomware demands of more than $50 million.
In 73 percent of the cases, the victim organization was able to recover from the attack without paying the ransom. When they did pay, they received an encryption key 96 percent of the time. But when restoring from a backup or a decryption key, it can take weeks, or months, to return to normal operations, the law firm said.
Data centers are particularly tempting targets for ransomware gangs, said Justin Heard, head of security analytics at Nuspire, a Michigan-based cybersecurity firm. It’s the same logic that drives bank robber to rob banks: data centers hold the most valuable data that can be encrypted.
"The more impact they can make, the more money they can demand, and the more likely the victim is to pay that ransom," Heard told DCK.
There's Time to Act
Obviously, the best way to avoid paying ransomware is to have multiple levels of defense to protect the attackers from getting in, adequate backups of both data and systems, and a well-tested disaster recovery plan.
But something can always go wrong. Someone may click on the wrong link, letting the malware slip through all your levels of protection.
Ransomware is designed to spread quickly and encrypt files before the defenders have a chance to react. Or that's how it may appear.
In reality, attackers will typically spend five to 20 days in a company's systems before they launch the actual encryption, according to Max Henderson, incident response lead and senior security analyst at Pondurance, a managed detection and response firm based in Indianapolis.
"You have the opportunity to oust them," he told DCK. "If you can catch them and prevent them, that's wonderful."
For a small or mid-size data center, a ransomware attack that takes it down for days, or weeks – or requires a multi-million dollar ransom payment – could be an extinction event.
It's worth paying attention to early indicators of compromise.
Don't Rush to Backups
So, what happens if your data center's security team missed the early warning signs, the attackers executed the ransomware, and your key systems are now encrypted?
Immediately rolling back from backups would be a mistake, said Henderson. Before you do anything, make a forensic snapshot of all affected systems.
First of all, there might be regulatory or compliance implications for data centers that deal with sensitive data, he said. "When a compliance team comes in and says, ‘We need to know if that data was accessed,’ and you rolled back without preserving that evidence, it's a huge mistake."
Second, you need to know what systems the attackers got into, and how long they've been there. For example, if the attackers have been on a system for a week, and you roll back to the previous day's backup, the ransomware will still be there and can be reactivated – or the attackers could have created a backdoor to get back in.
"That happens all the time," he said.
If there's a backup data center ready to go, and you push the switch before making sure it's safe, the attackers can hop over to the second location. That happens all the time too, he said.
Can You Beat the Encryption?
Back in the days when ransomware attackers were new to the game, they made mistakes. They'd use flawed encryption methods or the same key in all their attacks. That's rarely the case anymore, said Henderson.
Not only that, if the attackers are still in your systems, they can retaliate, said Kurtis Minder, CEO and co-founder at GroupSense, a threat intelligence company. "They can corrupt the files and make things worse.”
And while he's heard of people being able to decrypt ransomware files, he hasn't personally seen that strategy be successful.
Is Paying the Ransom Faster?
It can take time to recover from backups, said Tony Harris, director of cyber incident response at Booz Allen Hamilton.
How long, exactly? "It's dependent on the quality of the backup, network speed, location of systems, need for manual configuration, restoration systems, extent of encryption... This can potentially be very time consuming," he said.
However, if a data center has an effective disaster recovery and backup plans, the restore could be completed within 72 hours. That's quicker than the typical ransomware negotiation.
Plus, paying for a decryption key is a mixed bag, he said. If the ransomware didn't accidentally destroy any files while encrypting them, and if the decryptor is well written, critical systems and devices could be decrypted within 24 to 96 hours.
"But if the encrypter and decrypter are not well written, all bets are off," Harris said. "The client recovers what they can."
And for the rest, they'll have to recover the systems, get them working properly again, and restore from backups – a process that can take two weeks or longer.
What About the Threat of Releasing Data?
One of the tactics attackers use to put additional pressure on their victims is stealing copies of the data before encrypting it and then threatening to release it to the public if the ransom isn't paid. They may send a few of the files over to prove that they're holding your data hostage.
Paying the ransomware might seem like a quick and easy way to avoid the embarrassment of a data breach. However, the breach has already taken place. The bad guys have the data.
Maybe they won't release it on a public shaming site if you pay up. After all, they don't want to get a reputation for taking your money and then releasing the data anyway. But there's nothing preventing them from keeping it, using it themselves, or passing it along to another criminal group.
"Who would trust criminals?" asked Mike Weber, VP at Coalfire, a cybersecurity firm. "All that means [is] that yes, the compromised company needs to treat it like a breach."