Your cyber intelligence source

The reality of ransomware: so, you’ve decided to pay – what now?

The reality of ransomware: so, you’ve decided to pay – what now?

Part two: in the second part of our deep dive into ransomware, Davey Winder explores why you pay, how your company should deal with it and, if you get a decryption key, what really happens next… Don’t have nightmares

Regardless of any pre-attack strategy, the worst case scenario has unfolded: criminals have exfiltrated your data, your systems are locked down and the ransom countdown clock is ticking.

In such a nightmare scenario, and an unfortunate reality for many, what is the process of incident response that leads to a pay-the-ransom decision? What are the mechanics of payment and recovery and, inescapably, as we are talking the murky world of cybercrime, what are the ethical implications?

It’s locked, but is it critical?
Funnily enough, Jon Niccolls, EMEA incident response lead at Check Point, says the conversations they have had with customers who have both paid or not have been quite similar. “One part of the conversation we don’t really get involved with is whether they should pay,” Niccolls says, “ or actually convincing them to pay or not – we shouldn’t weigh into that conversation.”

It usually comes down to the obvious stuff: how much of the environment is encrypted, what is the value of the data lost and can a business rebuild without that data. “With organisations that have paid,” Niccolls says, “it was their only way back to business, their only way to recover data central to their operation.”

Given how the data exposure side of ransomware has evolved, the stakes are ever higher. Assessing the value of assets the attack impacted, which includes the external impact on customers and the potential steps an external party may need to take to exclude themselves from that impact, is central and time-sensitive.

"Organisations have to remember that they are in full control of what can be done to secure themselves," Calvin Gan, the manager of the F-Secure tactical defense unit says, "but when it comes to a third party, they do not have full control over them so the magnitude of the impact can be larger."

Ultimately, though, “having a pre-thought-out ransomware response plan that allows for variables to change will help a company get more rapidly to a calculation of cost versus merit to pay,” Carolyn Crandall, chief deception officer at Attivo Networks adds.

Assuming that response is to pay, then, what happens next?

Tick tock, tick tock, tick tock
The biggest players in the ransomware industry – and it really is a big business sector, albeit a criminal one – more than live up to their organised crime labelling.

Once the ransom countdown clock starts ticking, these advanced players do everything they can to encourage a swift closure to the criminal sale. From online technical support lines to smooth cryptocurrency payments through to old-fashioned strong-arm tactics such as publishing data excerpts to ‘remind’ their ‘customers’ of the risk, ransomware gangs play the time-critical card hard.

Any ransomware incident response plan needs to go beyond involving just the security team, management and the board. “Lawyers, public relations, finance, customer service, and sales will all go on high alert and into response mode,” Crandall says.

While legal and finance work with cyber-insurance companies on validating coverage, PR has to prepare an agreed customer communication plan and prepare for any news coverage. The security team, and the board, meanwhile, “may find themselves working closely with law enforcement,” Crandall says.

This latter point needs to be central as the incident response kicks off. “Before any company decides to pay, there are the legal ramifications on whether it is indeed legal,” Joseph Carson, chief security scientist, Thycotic, says. “Do you need to inform any regulators or customers so it is not later considered hush money?”

Carson says some organisations will often, through their existing incident response team, involve the service of specialist ransomware negotiators to try and talk down the ransom. (Unsurprisingly, none of these specialist operators came forward to talk to SC Media UK about this most stealthy part of the ransomware process.)

The pick-and-pay approach
Israel Barak, the Cybereason CISO, did confirm that once the decision to pay has been taken then he recommends "negotiating a deal with the attacker focused only on the subset of assets that you do not have a way of recovering without getting the decryption key".

During the negotiation, he explains, the criminals would rather walk away with something reasonable in terms of a sum of money than nothing at all. "Some of the ransom demands are absurd," Barak says, "and there is not a need to pay outrageous amounts of money. As a decision maker, leverage that to make a deal."

As part of the negotiation process, it’s also vital that the organisation attempts to get some kind of proof that a means of recovery will be provided: a decryption key, in other words.

Here’s the thing, getting any meaningful ‘proof’ that a decryption key will work is like trusting a politician: sometimes the gamble pays off, sometimes it doesn’t. "The ransomware business model is such that if you paid a ransom and the decryption key didn’t work," Niccolls says, "then you’d be on the internet providing your view and the attackers business would fold as no one would pay their ransom."

Dirty money, dirty IT
Barak agrees that “in most ransomware attacks when ransoms are paid, the organisations will receive the decryption keys and the keys will work”. But, he again cautions that patience is needed between decrypting data and recovering business systems. “In some cases, IT infrastructure is compromised and systems cannot immediately open. You need to clean leftovers.”

Even with an encryption key that will hopefully work, Crandall says: “The security team needs to meticulously comb through all of their systems, security policies and controls to make sure the attacker cannot return or that another opportunistic attacker won’t also take a shot.”

“There are multiple ransomware families out there where the decrypter may end up damaging files – for example ProLock, Ryuk and Avaddon,” Emsisoft CTO, Fabian Wosar, says, “in these cases it may be better to use tested, enterprise-level third-party tools to perform the actual decryption.”

Emsisoft has a reputation in providing custom decrypter keys. “These tools do not avoid the need for the ransom to be paid,” Wosar continues, “they use the key from the attacker-supplied decrypter, but simply provide safer and speedier decryption.”

The ultimate reality of ransomware recovery is painfully slow, according to Sophos incident response manager, Peter Mackenzie, “decryption is very slow, normally one machine at a time. There will almost always be a percentage failure where some files will not decrypt; issues of this nature are common in databases and larger files.”

What’s more, the promise of technical support from the attackers often doesn’t pan out to be of as much value as is made out before a payment is made, according to Mackenzie. “Some groups go to a lot of effort to make their decrypter work well,” he concludes, “whereas others may take the money and not provide you with anything at all.”

The ethics of a criminal
Modern ransomware steals data with a threat to sell or publish it as additional ransom payment leverage. While the criminal gangs give you their word this data is deleted once payment is made, can the word of a criminal be taken at face value?

“While some ransomware groups attempt to put a professional veneer on their operations,” Brett Callow, a technical analyst at Emsisoft, says, “the reality is that they are bad faith actors, conscienceless criminals, and it would be a mistake to believe any claim they make.”

Calvin Gan, F-Secure tactical defence unit manager, agrees there is no sure way to verify the integrity of any stolen file is intact. “Ransomware gangs have started auctioning data if the organisation refuses to pay the ransom,” Gan says, “and since the infrastructure has been set up, it does not take huge effort to switch that functionality to auction stolen data even when a ransom has already been paid.

“They will go after whatever brings in the money.”

“Most industry professionals would highly encourage businesses not to pay,” Crandall says, “the more companies that pay, the more attractive it becomes for attackers to continue and for others to join in.”

Alan Melia, F-Secure principal investigator, agrees. “From an ethical standpoint, being the source of funds to any criminal organisation is abhorrent,” he says, “you can be sure of only one thing: your money is not going to fund good works.”

But as Barack says: “It’s very difficult to make these ethical decisions in a vacuum. It’s hard to judge. Organisations are making decisions based on keeping the business operational when their business existence is potentially in jeopardy.”

There is only one answer to the problem of ransomware: prevention is better than cure, so be prepared and invest in the right level of security to make such a scenario as unlikely as possible.

Revisit Part one of our Ransomware Special: The Reality of Ransomware: mitigation, negotiation and recovery here