The frequency of ransomware attacks has increased exponentially over the last few years. Major attacks targeting Fortune 500 companies, vital public services, and critical infrastructure are now commonplace (1). Reported ransomware attacks are likely only the tip of the iceberg, as many organizations do not report attacks (2) for fear of brand damage and legal liability.
In view of this growing threat, organizations need to take steps not only to prevent a ransomware attack, but also to allow for easy and quick recovery in the event an attack takes place. This report examines the consequences of falling victim to a ransomware attack, mitigation strategies for preventing an attack, recommendations for a quick recovery, and considerations for when and how to negotiate with the ransomware actor.
Consequences and Impacts of a Ransomware Attack
There are a variety of disruptive consequences in the aftermath of a ransomware attack. It is important that each organization assess the potential impacts of a ransomware attack that could bring business to a complete halt. These impacts can affect the organization itself and upstream and downstream organizations such as customers, suppliers and partners. Three of the major effects are:
- Business Continuity Interruption. Ransomware actors usually encrypt the “crown jewels”, the data and applications most vital to business continuity, causing a full or partial interruption of operations. The immediate outcomes commonly include an inability to produce and deliver goods and services to customers, leading to reputational damage to the victim organization and often a drop in its stock price (3).
- Monetary Fines. With the rise of “double extortion”, an attack method in which ransomware actors exfiltrate data before encrypting it (4), every ransomware attack should be considered a data breach. Regulatory fines for data breaches can add up to millions of U.S. dollars or Euros (5) (6), and can easily dwarf the ransom amount demanded. For many organizations, receiving one of these fines can mean the end of their business.
- Disruption of Critical Services. Even more catastrophic consequences can result when the targeted victim is a critical services provider. When Colonial Pipeline was targeted by a ransomware attack in May, its industrial control system (ICS) was not directly targeted, but the company had to stop operations and shut off the pipeline for 11 days to prevent further damage (7). This shutdown caused a series of cascading events that ultimately led to panic buying of gasoline on the U.S. East Coast and a gasoline shortage that lasted more than a week. Over the course of 2020 and 2021, multiple hospitals were targeted by ransomware (8), forcing them to shut down emergency rooms and redirect incoming patients to other hospitals, and causing one known casualty in Germany (9).
Responsibility for Prevention and Recovery
Law enforcement organizations and security agencies around the world are doing everything in their power to stop these attacks and bring the perpetrators to justice. Their responsibility, though, is limited to investigating and prosecuting crimes. Responsibility for data recovery and business continuity lies with the victim. It is up to each organization to implement steps to prevent, respond to, and recover from an attack as quickly as possible.
There are several best practices to prevent ransomware attacks and to recover from a successful attack.
Preventing an Attack
- Make sure there is a strict vulnerability management process in place and that employees consistently adhere to process guidelines.
- Provide users with ongoing security awareness training.
- Implement security controls such as restricted use of administrative privileges; multi-factor authentication; and maintenance, monitoring, and analysis of audit logs on all systems and devices that might contain company data.
- If a choice must be made between purchasing an insurance policy and increasing security posture, go for the second option. Insurance should be complementary to a stronger security posture, not a replacement for it.
- Leverage Cyber Threat Intelligence to understand the current threat landscape affecting an individual organization so the most appropriate and effective mitigations can be put in place.
Ensuring a Quick Recovery After the Attack
- Test disaster recovery procedures and perform drills on a regular basis.
- Make sure backup data is physically disconnected from the corporate network.
- If buying an insurance policy to help with recovery costs, ensure it covers the ransom payment, fees from a consulting company engaged to deal with the ransom negotiation process, and the costs of hiring external IT staff to help with forensics, re-imaging of the environment, and the backup restore process.
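The two recovery points above (regular restore drills and backups kept off the network) only pay off if a drill proves that what comes back from the offline media is byte-for-byte what went in. The script below is an added example, not code from the EclecticIQ report; it assumes a SHA-256 manifest is written when the backup is taken and stored with the disconnected media, since a manifest left on the corporate network can be altered by the same actor who encrypted it. The file names, directory layout and the tampering it simulates are all constructed for the demonstration.

```python
"""Backup restore drill: verify a restored backup against a SHA-256 manifest.

Added example (not from the original report). Assumes the manifest was produced
at backup time by build_manifest() and kept with the offline backup media.
"""
import hashlib
import json
import shutil
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup files are never fully loaded


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's POSIX path relative to root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


@dataclass
class VerifyResult:
    missing: list[str] = field(default_factory=list)    # in manifest, absent after restore
    corrupted: list[str] = field(default_factory=list)  # restored, but digest differs
    extra: list[str] = field(default_factory=list)      # restored, but not in manifest
    verified: int = 0                                   # files that matched exactly

    @property
    def ok(self) -> bool:
        return not (self.missing or self.corrupted or self.extra)


def verify_restore(manifest: dict[str, str], restored_root: Path) -> VerifyResult:
    """Compare a restored tree against the manifest; every deviation is reported, not just the first."""
    result = VerifyResult()
    restored = build_manifest(restored_root)
    for rel, expected in manifest.items():
        actual = restored.get(rel)
        if actual is None:
            result.missing.append(rel)
        elif actual != expected:
            result.corrupted.append(rel)
        else:
            result.verified += 1
    result.extra = sorted(set(restored) - set(manifest))
    return result


def run_drill() -> VerifyResult:
    """Constructed drill: manifest a small 'production' tree, restore a copy, then
    tamper with one restored file and drop another so the checks have findings."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "prod"
        (src / "db").mkdir(parents=True)
        (src / "db" / "customers.sql").write_bytes(b"INSERT INTO customers VALUES (1, 'acme');\n")
        (src / "config.yaml").write_text("retention_days: 30\n")
        (src / "notes.txt").write_text("constructed sample file\n")

        # Manifest is written at backup time; in practice it travels with the offline media.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(src), indent=2))

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        (restored / "config.yaml").write_text("retention_days: 7\n")  # simulated corrupted restore
        (restored / "notes.txt").unlink()                             # simulated file lost from backup

        return verify_restore(json.loads(manifest_path.read_text()), restored)


if __name__ == "__main__":
    r = run_drill()
    print(f"verified={r.verified} missing={r.missing} corrupted={r.corrupted} extra={r.extra} ok={r.ok}")
```

A drill that ends with `ok` false is the useful outcome: it shows which files the backup process silently lost or altered before a real incident forces the question, and the `missing`/`corrupted`/`extra` split tells the restore team whether the fault is in the backup job, the media, or the restore procedure.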
To Pay or Not to Pay
Except in cases where it’s illegal to pay a ransom due to sanctions (discussed below), the decision to pay or not is left to the victim. Obviously, the goal is to avoid paying whenever possible, but there are, unfortunately, scenarios where not paying is infeasible or unacceptable.
In rare cases, ransomware actors employ weak encryption or use already cracked encryption. If so, tools such as NoMoreRansom (10) allow victims to decrypt the encrypted data for free. Unfortunately, most ransomware actors know their tradecraft well and ensure the encryption algorithm cannot be cracked.
Ultimately, if the encrypted data cannot be recovered through backups or decryption, and it is vital to the business continuity of the organization, paying the ransom may be the only option available to restore services as soon as possible.
Considerations for Negotiating with the Ransomware Actor
There are companies that specialize in negotiating with ransomware actors, but engaging a professional negotiator is not always necessary or advisable. The use of professional negotiators is frowned upon by some ransomware groups, as they see these companies as an obstacle to the execution of the ransom payment. In a recent public release on their leak site, the Ragnar Locker group stated that if they suspect a professional negotiator is engaged by the victim, they will immediately stop the negotiation process and leak the data online (11).
While it’s up to victims to decide if they should engage a professional negotiator, those that choose to go it alone can take specific steps to negotiate efficiently with the ransomware actor:
- Engage the threat actor via the instructions in the ransom note.
- Take it slow. Buy time by asking the actor for technical assistance. Even if there are staff who are knowledgeable about cryptocurrencies and how they work, ask for assistance in purchasing, receiving, and sending cryptocurrencies.
- Keep the communication going. Build up rapport and trust with the ransomware actor.
- Leverage this trust and relationship to extend ransom payment deadlines, request more proof of decryption, and haggle to drive down the ransom amount.
- Ask for “proof of life,” i.e., the attacker’s ability to decrypt the data via a functional decryption key. Submit multiple samples of the encrypted files to the ransomware actor and ask for decryption.
- After confirming the threat actor is indeed in possession of the keys/decryptors, start the bargaining process.
Keep in mind that:
- Victims should take all possible measures to avoid paying the full ransom amount.
- Ransomware actors want to get paid; that is their bottom line and motivation, and in many cases, half the ransom is better than no ransom at all.
- Victims should assess the amount they are willing and able to pay and open negotiations with a lower amount, but not too much lower. The ransomware actor likely has profiled the target organization’s finances in detail and is aware of its ability to pay.
Current E.U./U.S. Restrictions on Paying Ransoms in Cybercrimes
The debate surrounding paying a ransom to ransomware threat actors is evolving rapidly. Currently, it is legal for United States- and European Union-based victims to pay a ransom, with a few exceptions, such as sanctioned entities. Sanctioned entities are people and groups with whom any business relationship and associated money transfer is deemed illegal by the sanctioning country.
If U.S. or E.U. authorities discover an organization paid a ransom to one of these sanctioned entities, the victim may incur fines for violating these sanctions, even if the victim employs third parties to execute the payments.
In July 2020 the European Union imposed sanctions on Russian, Chinese, and North Korean threat actor groups for their involvement in developing and distributing the NotPetya, CloudHopper, and WannaCry malware. These sanctions have been extended until May 2022 (12). In September 2019, the United States imposed sanctions on the North Korean Lazarus Group (behind the WannaCry ransomware) and subgroups Bluenoroff and Andariel (13). In December 2019, the United States imposed sanctions on EvilCorp (13), a Russian threat actor group behind multiple malware operations including the WastedLocker ransomware (14).
Government sanctions against specific groups have not been very successful in holding threat groups accountable, as ransomware actors rebrand themselves to mask their identity and appear as an entirely new group. The difficulty in providing definitive attribution makes this approach to curtailing the ransomware phenomenon even more problematic.
Following the attack against Colonial Pipeline, the U.S. Department of Homeland Security’s Transportation Security Administration (TSA) issued a Security Directive requiring owners and operators of TSA-designated critical pipelines to implement a number of protections against cyber intrusions and to report confirmed and potential cyber incidents to federal authorities (15). It is likely that the United States will expand these requirements and that the European Union will follow suit with similar requirements for all organizations supporting critical infrastructure and critical services. Even in the absence of reporting requirements, organizations vital to the national interest should always report a breach, as this can prevent domino effects with impacts of a much larger magnitude.
References
1. The State of Ransomware in 2021.
2. (2020, October 5). Internet Organised Crime Threat Assessment (IOCTA) 2020.
3. Ransomware: The True Cost to Business. A Global Study on Ransomware Business Impact.
4. Leddy B. (2021, May 19). Double extortion ransomware.
5. Swinhoe D. (2021, March 5). The biggest data breach fines, penalties, and settlements so far.
6. Browne R. (2020, January 19). Europe’s privacy overhaul has led to $126 million in fines — but regulators are just getting started.
7. Nakashima E., Aratani L. (2021, May 25). DHS to issue first cybersecurity regulations for pipelines after Colonial hack.
8. Goodin D. (2021, August 16). Hospitals hamstrung by ransomware are turning away patients.
9. Tidy J. (2020, September 18). Police launch homicide inquiry after German hospital hack.
10. No More Ransom Project.
11. Sharma A. (2021, September 7). Ransomware gang threatens to leak data if victim contacts FBI, police.
12. (2021, May 17). Cyber-attacks: Council prolongs framework for sanctions for another year.
13. (2020, October 1). Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments.
14. Heinemeyer M. (2020, August 19). Evil Corp intrusions: WastedLocker ransomware detected by Darktrace.
15. (2021, July 20). DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators.
About EclecticIQ Threat Research
EclecticIQ is a global provider of threat intelligence, hunting, and response technology and services. Headquartered in Amsterdam, the EclecticIQ Threat Research team is made up of experts from Europe and the United States with decades of experience in cyber security and intelligence in industry and government. EclecticIQ’s Threat Research team strives to apply the analytic rigor principles of U.S. Intelligence Community Directive 203 to its analysis.
We would love to hear from you. Please send us your feedback by emailing us at email@example.com.