6/21/2019
12:45 PM

Pledges to Not Pay Ransomware Hit Reality

While risk analysts and security experts continue to urge companies to secure systems against ransomware, they are now also advising that firms be ready to pay.

When a Florida town of 35,000 paid a $600,000 ransom to regain control of its computer systems and critical services — from e-mail access to management of a water-pumping station — critics immediately warned that paying ransomware operators would only lead to more attacks.

Yet businesses and city governments need to stay operational. While risk analysts and security experts continue to recommend that companies keep focused on securing their systems and speeding incident response to minimize the impact of crypto-locking ransomware, they are now also recommending that companies be prepared to capitulate.

In a June 5 report, for example, Forrester Research published a guide to paying ransomware operators, advising its audience to consider third-party firms that negotiate with cybercriminals to secure the best possible outcome.

"Our recommendation is to work with someone who is essentially a specialized breach coach for ransomware," says Josh Zelonis, senior analyst for cybersecurity and risk at Forrester. Companies need to "go through a staged process to make sure that you are building a rapport with the actor and ensuring that they are able, and willing, to decrypt the data — to essentially deliver a 'proof of life.'"

The list of municipalities that have been hit with ransomware is growing. Baltimore, Maryland; Atlanta, Georgia; Riviera Beach, Florida; and Albany, New York, have all faced the decision of whether or not to pay. Some, such as Riviera Beach, decided they had no other choice but to meet the ransomers' demands. Others, such as Atlanta, reportedly refused and faced massive clean-up bills.

The list of companies that have had to deal with crypto-locking ransomware is even longer. Large companies, from Merck to FedEx to Renault, wrote down hundreds of millions of dollars after the WannaCry and NotPetya attacks. Now, clients of some managed service providers are facing ransom demands after attackers gained control of the providers' administrative portals. By comparison, Hollywood Presbyterian Medical Center, which paid $17,000 in 2016, got off fairly lightly.

"I don't think you can make a blanket statement of 'pay the ransom' or 'don't pay the ransom,'" says Adam Kujawa, director of the research labs at security firm Malwarebytes. "If you have failed to segment your data or your network, or failed to check your backups or other measures to get your company back on track quickly, then you will have to deal with the fallout."

One problem for companies: Ransomware operators have shifted away from blanketing consumers and businesses with opportunistic attacks and now almost exclusively target businesses and municipalities. Along with that shift, ransom amounts have grown quickly because such organizations can afford to pay. Many organizations now face seven-digit ransom demands, Zelonis says. "That's a heck of a payday," he adds.

The increase in ransom demands is driven by attackers' targeting and research on victims, he says.

"It is interesting because the other thing we are seeing is that these actors are not just looking at your infrastructure and where your backups are to make sure that you cannot recover from backups," he says. "A lot of the actors are looking at a company's annual revenue to figure out what they can afford to pay."

For companies that want to keep a pledge never to pay ransomware operators, that intent has to start before an incident, with preparation. Organizations need to focus on security, incident response, and recovery to minimize the cost of a ransomware attack. Incident response exercises are key, Zelonis says.

Yet cybercriminals have become more savvy. They will often spend time in a target's network looking for the most sensitive data and making sure they can compromise the backups as well, he says.

"The ransomware market from two or three years ago has totally evolved," Zelonis says. "[Cybercriminals] are understanding where you are backing things up and going after those systems. This is a full-scale breach."

The Forrester report advises companies to invest in cyber insurance as a way to offset at least some business risk. Organizations should also test their ability to recover from a massive data loss event using their backups.

"A harsh reality is that a majority of organizations aren't testing their ability to recover a single system from backups, much less validating they have the ability to recover potentially hundreds of systems at the same time," the report states.
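The restore drill the report describes is straightforward to automate. The script below is an added example written for this page, not code from Forrester, Dark Reading, or any vendor named above: it builds a small backup archive from constructed sample files (the paths and contents are hypothetical), records a SHA-256 manifest at backup time, restores the archive into a scratch directory, and verifies every file against the manifest. It also simulates the failure mode Zelonis describes, an attacker who reached the backup store and overwrote a file, and shows the drill flagging the mismatch. The manifest should be kept somewhere the backup system itself cannot write to; if it lives beside the archive, an attacker who reaches the backups can rewrite both.

```python
import hashlib
import io
import os
import tarfile
import tempfile

# Constructed sample data standing in for a real file set. Paths and
# contents are hypothetical; they exist only so the drill runs offline.
SAMPLE_FILES = {
    "srv/finance/ledger.csv": b"date,account,amount\n2019-06-01,4010,1200.00\n",
    "srv/scada/pump-station.cfg": b"setpoint=42\nalarm_high=55\n",
    "srv/mail/index.db": bytes(range(256)) * 4,
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def make_backup(files):
    """Build a gzip'd tar archive plus a manifest of per-file SHA-256 digests.

    The manifest is the reference the restore drill checks against, so it
    must be stored out of band (read-only media, a separate account) where
    an attacker who has reached the backups cannot rewrite it."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, data in files.items():
            info = tarfile.TarInfo(name=path)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    manifest = {path: sha256(data) for path, data in files.items()}
    return buf.getvalue(), manifest


def restore_drill(backup, manifest):
    """Restore the archive into a scratch directory and verify it.

    Returns a report dict; report['ok'] is True only when every manifest
    entry restored with the expected digest and nothing extra appeared."""
    report = {"restored": 0, "missing": [], "mismatched": [], "unexpected": []}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(fileobj=io.BytesIO(backup), mode="r:gz") as tar:
            # Refuse absolute paths and '..' components so a crafted archive
            # cannot write outside the scratch directory during the drill.
            for member in tar.getmembers():
                norm = os.path.normpath(member.name)
                if os.path.isabs(member.name) or norm.startswith(".."):
                    raise ValueError("unsafe path in archive: %s" % member.name)
            tar.extractall(scratch)
        seen = set()
        for root, _dirs, names in os.walk(scratch):
            for name in names:
                full = os.path.join(root, name)
                rel = os.path.relpath(full, scratch).replace(os.sep, "/")
                seen.add(rel)
                with open(full, "rb") as fh:
                    digest = sha256(fh.read())
                if rel not in manifest:
                    report["unexpected"].append(rel)
                elif manifest[rel] != digest:
                    report["mismatched"].append(rel)
                else:
                    report["restored"] += 1
        report["missing"] = sorted(set(manifest) - seen)
    report["ok"] = (
        report["restored"] == len(manifest)
        and not report["mismatched"]
        and not report["unexpected"]
    )
    return report


def tamper(backup, path):
    """Overwrite one file inside the archive with zero bytes, standing in for
    an attacker who reached the backup store and encrypted or wiped it."""
    files = {}
    with tarfile.open(fileobj=io.BytesIO(backup), mode="r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile():
                files[member.name] = tar.extractfile(member).read()
    files[path] = b"\x00" * len(files[path])
    tampered, _unused_manifest = make_backup(files)
    return tampered


if __name__ == "__main__":
    backup, manifest = make_backup(SAMPLE_FILES)
    print("clean backup:", restore_drill(backup, manifest))
    bad = tamper(backup, "srv/scada/pump-station.cfg")
    print("tampered backup:", restore_drill(bad, manifest))
```

Run against a real backup, the same loop would restore into an isolated host rather than a temporary directory and would iterate over every system the organization expects to recover, which is the point the report makes: verifying one system is not evidence that hundreds can be restored at once.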

To respond quickly to a ransomware incident, the report states, companies need a plan for acquiring cryptocurrency, or a fund already in place, an incident response provider on retainer, and a ransomware negotiation specialist selected in advance.

A company's priority is to stay in business, so even one that could eventually recover all of its data from backups may find it faster, and cheaper, to work with the attacker to restore it.

"If you are losing data, that will cost you more to recover or to deal with the fallout of losing it, and you are dealing with the cybercriminal and they are willing to negotiate, then you are in a situation where paying might not be the worst idea in the world," Malwarebytes' Kujawa says. "It's not what we like to do, but at the end of the day, a business needs to stay in operation."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...

Comments
REISEN1955, User Rank: Ninja, 6/24/2019 | 9:49:11 AM
And if .....
Suppose .... a server failed or a data center went offline; you cannot pay a ransom to recover from that event. So what to do? Gee, isn't that what a recovery and backup plan is supposed to do????? And what is any damn different between a ransom attack and a failed RU-42 rack full of servers? Except exfiltration of data = NOTHING. So give up, people, and just have a bank account set aside for ransom and heaven forbid planning for any other eventuality. The only thing IT needs to worry about -ever- is a ransomware attack and otherwise things never, ever go down ..... right?
Simon Hunt, User Rank: Apprentice, 6/24/2019 | 9:12:31 AM
To pay, or not to pay.
The difference is, we know any payment will be used to commit further crimes, in particular "real world" crimes like drug manufacturing, people trafficking, etc. Plus any payment inspires other criminals to follow suit. https://www.bromium.com/wp-content/uploads/2018/05/Into-the-Web-of-Profit_Bromium.pdf