Patrick O’Connor MBCS, CISSP, CEH, looks at the aftermath of a ransomware attack and how you might limit the damage with some planning and the right help.

Medical pandemics aside, the largest infectious threat to society today is ransomware: the indiscriminate encryption and/or exposure of data held by private companies or public institutions if a ransom is not paid. The Oxford English Dictionary only included ‘ransomware’ in 2018, when it joined other made-up words like ‘malware’ and ‘scareware’.

They all describe mutations of software made for financial gain by bad actors. In just three years this malevolent scourge has caused panic in companies both small and multinational. Governments worry about their institutions and critical infrastructure falling victim.

Ransomware as a Business

Today’s cyber criminals are business-oriented, organised and technically sophisticated. While we recognise acronyms such as Infrastructure as a Service (IaaS) and Software as a Service (SaaS), we can now add Ransomware as a Service (RaaS).

Many groups advertise RaaS in dark web forums and have support sites for customers to report issues and get help with that service. Most discussions about ransomware today involve what to do to prevent it. Often the debate about response, when you are hit by ransomware, only mentions restoring encrypted systems and databases. The situation is more complicated than that, however.

Sophisticated ransomware groups, always looking for new ways to grow their business, are increasingly opting for what is termed ‘double threat’ ransoms. The double threat is that your data is encrypted but has also been exfiltrated by the criminals. They then threaten to publish the data if no ransom is paid.

While the title of this article concerns what you can do after the event, the effects can be drastically mitigated by sensible preparation. This doesn’t simply mean having sophisticated security tools in place. Nor does it only mean having good corporate processes and training to make security as tight as possible. Nor is it just the very real need to have comprehensive off-site and offline backup data and a practised means to restore it. From the first intrusion, the company and its management are involved in a real-time, fast-moving crisis.

You should have a plan agreed with business management for what to do. Difficult discussions and decisions must be faced when drawing up this plan.

To pay or not to pay?

The first decision that must be anticipated is whether to pay any ransom demand. Settling this in advance has been shown to be effective in real-life cases, and it is the first item on the pre-crisis planning list. Law enforcement advice is universally never to pay a ransom. The reasoning is sound: there is no guarantee that paying the ransom will get you back your data. Until recently, however, US insurance companies advised their clients to pay ransomware groups.

In the last 18 months the insurance landscape has changed. Premiums and deductibles for what insurance companies term cyber extortion have risen dramatically. Many companies may find it hard obtaining cover at all, unless they meet strict security criteria set out by the insurers.

So the decision to pay or not is complicated, particularly if insurers may not accept the responsibility. It is also important to consider what your cyber insurance policy requires you to do in the event of a cyber extortion event. In many cases, the policy will itemise actions that must and must not be taken. Often it requires an insurer-specified negotiator to mediate and/or a specialised security company for triage and recovery. If your insurer does not specify third parties for these roles you should find your own - well before you actually need their services.

Such specialists have access to current threat intelligence that could quickly identify the criminal group. Such intelligence feeds important information into negotiations and informs your own Public Relations team as they handle the public face of the crisis. Motivations, reliability and flexibility of known criminal groups vary and this level of intelligence about the adversary can be crucial to improving the outcome.

Wargaming

There is a good reason why armed forces play war games on a regular basis. Planning and exercises for those who will be at the front line in the crisis are essential. It is important to enact situations, using the people who will be involved, to discover potential snags in any plan. This means simulating the rebuilding of large parts of your network, and ensuring backups are frequent enough to minimise business impact and complete enough to perform a full rebuild of your environment if negotiations fail.

Actively monitoring and minimising publicly available data on your company is also helpful. Criminals will seek to discover as much as possible about potential targets as they assess the likely profitability of any attack. One detail that must be secret is your cyber insurance policy. If adversaries know that you carry £10 million ‘cyber extortion’ cover, it doesn’t take a genius to guess what their ransom demand will be.

It’s good to talk

When selecting help for this crisis, there is no substitute for experience. From the time your first host is compromised the clock starts ticking. Ransom demands carry a time limit and the quicker you are able to respond the better. Experienced incident response experts and negotiators are key. Intelligence, as mentioned earlier, is vital.

Where is the crime group based? What have they done in previous attacks? Have they been open to negotiation? It is also important that the negotiators avoid ‘triggering’ the group, perhaps questioning their validity or motives, which might cause retaliation or otherwise jeopardise successful negotiation.

If you need to use a third-party negotiator who is not mandated by your insurers, make sure that they are aware beforehand of your objectives for the crisis. These might be non-disclosure of any stolen data or reducing the ransom to an affordable level. During negotiations be sure to monitor communications between the negotiator and the crime group (usually conducted on messaging platforms - so record the sessions).

This will avoid the slight possibility of bribery of the negotiator by the crime group. If the negotiator represents your insurer, determine if they are attempting to agree some sort of bulk deal. Large insurers may be dealing with multiple similar attacks by the same group. Insurance negotiators may be trying to get the best deal for the insurer and not for your company.

Watch the clock during negotiations. The gang may panic if things take too long and their actions may become unpredictable. This is especially important if they possess sensitive data and threaten to publish. Keep communications open.

Negotiations like these are similar to hostage negotiations with terrorist groups. It might appear initially that no lives are at risk in a ransomware event. When the institution attacked is part of Critical National Infrastructure (CNI), such as power stations, airports or hospitals, the risk of deaths as a direct result of such an attack is clear.

Advice from experienced professionals in this area is not to succumb to fear but to trust your planning and the professionals that you have chosen. Always remember you are dealing with criminals. No humility should be expected from groups that would attack hospitals.

Beware the helpful impostors

As if the crisis wasn’t enough, once it becomes public, impostors may try to capitalise on your distress. They may pretend to be either good or bad, coming with offers of help or fresh threats. Your third party professionals should be able to quickly identify impostors, avoiding wasted time and resource.

Some companies have even emerged that will secretly negotiate with the ransomware gang, without the victim’s knowledge. They then present themselves to the victim, claiming to be able to remove the encryption using advanced tools. Many businesses feel more comfortable paying an apparently legitimate business.

In fact, victims are simply paying a middleman that has passed on their money to the criminals while taking a commission. The criminals recognise the benefits of such firms and almost consider them partners, in some cases even setting up promo codes on their sites to make the negotiations easier and reward their ‘partners’.

Sadly there is also the high likelihood that you will be subject to a second wave of attacks, either from the same group or others, once the incident has been made public. This means identifying the source of the original compromise is very important.

Prepare, prepare, prepare

For now there is no silver bullet. With profits from ransomware increasing, the likelihood of being a victim increases proportionally. Planning, preparation, testing, backups, insurance - these are all key components to help you maintain your resolve if you ever need to face this pernicious threat.