The consultants here at Atredis Partners have delivered a lot of Incident Response table-top exercises over the years and personally, I learn something new nearly every time. Sure, the basic premise stays the same, but every client / organization is different, not only because of the idiosyncrasies of their industry verticals and unique business requirements, but also because their employees bring their own personal experiences and perspectives to the table.
Given the prevalence of ransomware attacks over the last few years, with what seems to be no slowing down, many clients are reaching out to us seeking focused ransomware incident response table-top exercises to better understand their ability to detect, respond, and manage a ransomware incident. In this blog, the first of three focused on ransomware, we will address one of the key questions that many organizations are not thinking about, or at least maybe not considering deeply enough.
While some organizations realize the very real threat that ransomware attacks pose to their operations and are asking good questions to help understand their preparedness, we have found that the questions being asked usually fall short of the questions that really need to be asked: the challenging questions, and maybe the questions people just are not thinking about. The typical questions most organizations want to be addressed are:
What are we doing to prevent or limit our exposure to ransomware attacks?
Can we detect a ransomware attack?
How quickly could we respond to a ransomware attack?
How would we mitigate an attack?
Can we recover from an attack?
Occasionally, this question comes up:
Would we pay an attacker if we determined that we could not contain or recover from an attack that is having a major impact on our business operations?
That last question regarding paying an attacker is one that is not being asked enough because it is a complex question to answer. But even with that, we are only scratching the surface of what businesses should be asking as it relates to a ransomware attack and the potential decision about making a ransom payment to attackers.
A common line of thinking (even recommended by some sources, including the FBI) is that “an organization should never pay the ransom” because that only elicits more criminal behavior, and paying is somehow seen as taking the easy way out, making it worse for others down the line.
That sounds good in an academic sense; however, the real world is much different, and who are we to advise the CEO of any company facing a potentially financially devastating ransomware scenario, due to an ongoing outage, that the ransom should not be paid? Imagine scenarios where an organization is not able to provide critical services such as emergency patient care because of a ransomware attack. Should that organization be faced with the decision of patient harm or lives lost due to a hard stance on never paying the ransom? Like much of what we provide guidance on as Risk and Advisory Consultants, this type of decision is a risk-based one that only an organization’s leadership can make.
Our job is to help make sure it is a well-informed decision made by the right people within the organization based on the business mission and risk tolerance, and not a decision made by public opinion.
Even as some organizations are starting to consider how to answer the tough questions about paying (or not paying) a ransom and what leads to that decision, it still may not be enough to be fully prepared.
Let’s say that you have talked with your leadership about key decision factors and as to whether your organization would pay attackers in the event of a ransomware incident. Your leadership has decided that if certain criteria were met, they would, in fact, make the difficult decision to pay attackers a ransom to restore business operations impacted by the attack. You have documented processes, procedures, and workflow Visios to drive that decision.
This is a great start, but it is only the beginning. Once an organization has made the decision to pay a ransom, there are many other actions that need to be executed after that decision that must be considered well in advance.
The first thing the business needs to consider is – if it is going to pay a ransom, how is the ransom actually paid? You might think this is easy… just pay the attackers some Bitcoin, right? Well, probably yes, but it’s not that simple. Making a Bitcoin payment, or any cryptocurrency payment is not as easy as buying your favorite things from Amazon. Although many attackers request Bitcoin as a ransom payment, some may ask for other types of cryptocurrencies.
Another key question to consider is: does your organization want to make the payment on its own, or will it want to leverage an outside firm that specializes in this type of service? We typically advise utilizing an experienced outside firm for these reasons:
The organization’s cyber liability insurance may require it.
Many of the considerations outlined below are managed by the firm’s experts.
Additionally, the expertise of an outside firm to handle things like negotiations and data recovery is invaluable.
There are plenty of reputable firms that specialize in helping organizations navigate critical ransomware payment activities, and they are generally much better suited to manage these activities on your behalf.
While we recommend leveraging an outside firm, there may be cases when managing the payment in-house is the right option for your organization. If the decision is made to try and make the payment without assistance from outside experts, then there are other questions that need to be considered well ahead of time, so all necessary preparations have been made:
1. How does an organization obtain cryptocurrency?
a. You will need to establish a crypto wallet through an established service. There are several to choose from and many considerations needed to select the one that will meet your needs.
b. A critical component to keep in mind is that once you establish a crypto wallet, it will take 3-5 days to exchange your traditional currency into cryptocurrency.
c. Other less desirable options include using cryptocurrency ATMs, but due to certain limitations, this will likely not meet your needs in the scenarios we are evaluating here.
2. How much cryptocurrency is typically needed?
a. This will be different based on risk tolerance and will require research to determine the right amount to maintain in a crypto wallet.
b. Remember that any cryptocurrency obtained will be subject to the ebbs and flows of the market, so you are essentially gambling that your funds will remain and hopefully not disappear.
3. How does an organization manage the wallet/cryptocurrency?
a. Not to be forgotten here is considering who within the organization is going to manage the wallet and cryptocurrency. This could be a significant amount of money.
b. It needs to be managed responsibly, and likely under the control of more than one individual.
4. Should an organization negotiate with the attackers before making a ransom payment?
a. This may or may not be feasible, but in either case, negotiation planning and terms should be outlined well in advance.
b. The organization would need to research the legalities and determine how and when to notify the FBI, etc.
5. How does an organization execute a ransom payment?
a. This is not as simple as it seems. There are many things to consider at the tactical level to execute a payment.
i. What accounts or email addresses do we use to make the payment transaction?
ii. Which device do we make the payment transaction from?
b. Should that device be internal or external to our network?
i. Do we need to install and/or use a Tor browser (or similar) for making the payment?
6. Once an organization makes the payment, how do they ensure that decryption tools are provided in return?
a. Once payment is made, there is still work to be done to recover.
b. Once the decryption keys/tools are provided, the organization will need to recover systems, and consider all the caveats that go along with recovery.
At a minimum, organizations should at least start asking these questions and thoughtfully making decisions well in advance of an actual ransomware attack.
Anyone who has managed a challenging incident response scenario of any kind knows that the time to make critical decisions such as these is not during a stressful real-time incident. In our next blog in this series, we’ll dive into what it means to be “ready” for a ransomware event… and not just “ready”, but “REALLY ready”.
This blog post was written by Bill Carver with support from Kiston Finney and Taryn Yager, then edited for the web by Lacey Kasten at Atredis Partners.
This post is Part 1 of a series crafted by the Risk Advisory consultants at Atredis Partners. As the other parts are published, we will update this post with relevant links to the other parts of the series.
Part 1: Ransomware – To Pay or Not to Pay