When it comes to the ransomware game, it's worth comparing it to another high-stakes activity, poker. It's important for organizations to understand what they're gambling with when they decide whether or not to "negotiate with terrorists."
There's still a certain secrecy or even shame attached if an organization decides to pay the ransom to unlock systems and files — which can cost anywhere from thousands to millions of dollars. However, there shouldn't be, according to Brandon Clark, CEO and founder of cybersecurity consulting firm Triton Tech Consulting.
He should know, as his security strategy and compliance practice — with expertise in business continuity and disaster recovery — often deals with clients who have to clean up the mess that ransomware attacks leave behind.
"Let's say if you have a hardware failure and a vendor comes in and says, 'We can get you back up and running for a grand total of a million dollars,'" he says, referring to ransomware negotiation services. "It would be unfortunate — and that would be bad press and nobody wants to see that — but there would also be a fair amount of, 'Yeah, that happens.'"
Ransomware also happens, to organizations both large and small. They're then faced with a complex dilemma encompassing not only practical, logistical, and business consequences, but also emotional ones — especially if reputations (or even lives, in healthcare settings) are at stake, when systems go down.
Ransomware Response: Know When to Fold 'Em
"There is a lot of moral ambiguity," says Clark, who plans to present a session at this month's RSA Conference 2023 that lays out a rational strategy for navigating ransomware response.
When ransomware actors target hospitals with potentially life-threatening attacks, for example, "what's the moral obligation we have to our customers to get our customers back up and running?" he asks. "If systems are down with ransomware and a patient dies, should they have paid the ransom just to have their systems back?"
And while poker and ransomware may not seem to have much in common, they are both activities in which a lot of money can be won or lost, Clark says. Just like each poker player and game is unique, so is every ransomware scenario, which means there is no one-size-fits-all solution for every organization.
Deciding whether or not to pay a ransom, then, must be an informed decision that takes various factors into account without the knee-jerk response of balking at giving attackers what they want purely because it's not seen as the right thing to do, he says.
Know Who's at the Poker Table & When They Bluff
When deciding whether or not to pay a ransom, an organization should take a similar approach to a poker player sitting at a table, Clark says. That is, it should have an idea of with whom it is playing, along with a knowledge of the typical aspects of the game, such as how much money is at stake.
"When you're at a poker table, the cards are important, but the person sitting across from you is even more important," he says. "We need to be making an informed decision about who we are playing against."
Thus, threat intelligence is a key aspect of this, he says, because you need to know if your opponent could be bluffing. For instance, if the ransomware attacker involved has a reputation for claiming to have exfiltrated data when it hasn't, or if it is known for not unlocking files even after a ransom is paid, those are things to take into consideration.
"[Companies ask], 'if we pay the ransom, how do I know if they're going to lock us out again?'" Clark notes. "The answer is: You don't. That's when the threat intelligence piece is super important."
Organizations also need to know what's at stake — such as knowing what your system resiliencies are, what it's going to cost if something is not available — as well as what resources they have available to recover systems on their own, such as if they have good backups and segmentation tools, he says: "All of that goes in together to help you make an informed business decision."
For example, if a ransomware attacker is asking for $5 million but it's going to cost a company $70 million or $100 million to recover its data on its own, the question becomes, "Why aren't we paying that?" Clark says. "On the flip side, if it's only going to cost us $5,000, why would we pay that $5 million?"
Ultimately, it's up to the organization involved to decide, based on multiple factors, which route to take to recover from a ransomware attack — just as a poker player can go in several directions once a hand is dealt, Clark says.
"You can say, 'do I raise,' that is, are we going to go this alone — and that's what a lot of companies do," he says. A company can also do the poker equivalent of folding: giving in and deciding that the data kept in some lost systems is not worth the cost to recover, and thus rebuilding them from scratch, Clark says.
Upping the Ante on Cyber Defense
In the meantime, there are a number of ways a company can put itself in a more empowering position to negotiate — or not — before a ransomware attack even happens, Clark says. Some of the advice is obvious, such as implementing secure passwords and multifactor authentication (MFA), so systems aren't breached in the first place, he says.
And in many instances, phishing remains the primary way that attackers gain access to user credentials and thus enterprise systems, so "making sure you have strong controls around that" in the form of email filtering and security awareness "is incredibly helpful," Clark says.
One recommendation that many organizations still don't implement, he says, is to have "some sort of Dark Web scanning or threat intelligence" in place to identify when credentials for an enterprise user have been compromised.
Organizations also should engage in ransomware-impact analysis using a ransomware simulation tool that they can develop alongside security consulting experts, he explains. This can help them understand better how to react if the situation arises, as there is not a lot of time to do a risk assessment in the immediate aftermath of an attack.
Regarding backups, which organizations cite as a surefire way to recover systems on their own when they lose data to ransomware, Clark advises a cautious approach to betting too much on them over paying a ransom or another alternative.
"According to some of the research we've seen, most of the attackers are in the environment up to 10 months before they detonate," he says. This means there's a good chance there is already malware in an organization's backups, Clark adds.
"You need to make sure you're working with a forensics team when you restore," he advises, "so you don't end up redeploying malware from seven months ago."
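To make that backup caveat concrete, here is an added example (not code from the article or from Triton Tech Consulting) that triages a constructed backup catalogue against an assumed attacker dwell window: snapshots taken inside the window are held for forensic review instead of being restored directly, and the plan reports how much data the newest restorable snapshot would lose. The snapshot dates, clearance flags and the 300-day dwell assumption are all constructed for illustration.

```python
from datetime import date, timedelta

# Constructed backup catalogue: snapshot id, date taken, and whether a
# forensics team has already cleared the snapshot for restore.
SNAPSHOTS = [
    {"id": "snap-2022-03-01", "taken": date(2022, 3, 1), "forensic_clear": False},
    {"id": "snap-2022-06-01", "taken": date(2022, 6, 1), "forensic_clear": False},
    {"id": "snap-2022-09-01", "taken": date(2022, 9, 1), "forensic_clear": True},
    {"id": "snap-2022-12-01", "taken": date(2022, 12, 1), "forensic_clear": False},
]


def triage_snapshots(snapshots, detonation, dwell_days=300):
    """Split backups into restorable ones and ones that need forensic review.

    detonation : date the ransomware fired (when the incident was noticed)
    dwell_days : assumed maximum time the attacker was inside before firing;
                 300 days (~10 months) mirrors the figure quoted in the article.
    Anything taken inside the dwell window may already carry attacker tooling,
    so it is held back unless forensics has explicitly cleared it.
    """
    window_start = detonation - timedelta(days=dwell_days)
    safe, needs_review = [], []
    for snap in sorted(snapshots, key=lambda s: s["taken"], reverse=True):
        if snap["taken"] < window_start or snap["forensic_clear"]:
            safe.append(snap)
        else:
            needs_review.append(snap)
    return safe, needs_review


def restore_plan(snapshots, detonation, dwell_days=300):
    """Pick the newest restorable snapshot and quantify the resulting data loss."""
    safe, needs_review = triage_snapshots(snapshots, detonation, dwell_days)
    review_ids = [s["id"] for s in needs_review]
    if not safe:
        # Nothing predates the dwell window and nothing is cleared: restoring
        # would mean redeploying whatever the attacker left behind.
        return {"restore": None, "data_loss_days": None, "needs_review": review_ids}
    newest = safe[0]
    return {
        "restore": newest["id"],
        "data_loss_days": (detonation - newest["taken"]).days,
        "needs_review": review_ids,
    }


if __name__ == "__main__":
    print(restore_plan(SNAPSHOTS, date(2023, 1, 15)))
```

The trade-off the plan surfaces is the one Clark describes: a clean restore point is older, so the business decision becomes how many days of data loss are acceptable versus paying for forensic clearance of a newer snapshot.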