To Pay or Not to Pay? Recovering from a Crypto-Ransomware Attack
Part 2 of a 2-part series on Crypto-ransomware
By Andrew Paulette
Editor’s Note: This two-part series was published in 2016. Ransomware is still a threat. Learn more about NetCentrics’ current cybersecurity services, including tactics to remedy ransomware.
As discussed in Part I of this series, crypto-ransomware is quickly becoming the extortion tool of choice for cybercriminals. Even when an organization trains its employees to guard against social engineering, disables macros and configures ad-blockers, and takes an array of other steps to protect its data, it only takes one misstep for threat actors to hold data hostage. Part II of this series investigates what actions organizations can take after an attack and what they can do to remediate its effects.
The Cost of an Attack
While data breaches often result in the compromise of confidential information such as sensitive customer data, ransomware aims specifically to disrupt the availability of the data to its users. This arrangement is ideal for the attacker because it:
- allows for mass distribution of malware via phishing campaigns and malvertising,
- removes the need to stay hidden in the network while stealing data (possibly terabytes), and
- removes the additional effort required to find a party on the black market interested in the information.
Even though the data remains in the organization’s possession, the cost of making it accessible again can add up quickly. Understanding the value of the data helps an organization decide how to proceed. When the encrypted data is used in day-to-day operations, losing access to it can be costly, especially for organizations that rely on either critical information files (legal documents, AutoCAD files, training materials, etc.) or large stores of electronic information such as patient data. With black market prices for patient records estimated at $50 per record, a hospital that sees over 10,000 patients yearly faces a loss of over half a million dollars of information if encrypted files are not recovered. This estimate does not include other factors such as lost productivity and resources wasted while day-to-day operations are disrupted. Information security calculations such as Single-Loss Expectancy (SLE) can be used to quantify the damage done to a company’s profits.
Once an organization understands the value of its data, it can understand the best resolution to a ransomware attack. While there are many steps that can be taken to determine the best course of action after an attack, organizations ultimately choose between three options:
- Attempt to restore the data from backups – IT departments that conduct regular data backups, stored offline for use in an emergency, can restore encrypted information without having to pay a ransom. While restoring from backups is ideal when compared to paying cybercriminals, companies with rapidly changing data or an ineffective backup schedule will often find that this solution costs more than paying the ransom. At this point, a company must weigh the ethics of paying cybercriminals against the cost-benefit of taking the cheapest option.
- Accept the loss of data – Companies that can replace the lost data at little cost, or that find the data to be of minimal value in the first place, can choose to accept the loss. In these cases, it is still important for the company to review how the security incident occurred and take steps to prevent future exploitation. Companies should also keep a copy of their encrypted data in the (rare) event that a method to decrypt it is found or released by the attacker. In some instances, for example in planning or automation systems where software makes decisions from the stored data, entire databases may need to be recreated before the affected systems can be brought back online at full capacity. If the lost files or databases contain price lists, inventory levels, or planning and execution plans, they may need to be recreated before the systems are fully back online, and in these cases recreating the lost data may not be feasible.
- Pay the ransom – The unfortunate truth of crypto-ransomware attacks is that, after factoring in the single loss expectancy as well as additional losses in resources and productivity, paying the ransom is often the most cost-effective way to recover the data. Before opting to pay, however, organizations should consider the negative consequences that giving in to demands could have on their reputation – both with their client base and with other cybercriminals who may wish to exploit an organization’s perceived weakness. If the cost of the data or the cost of recovery from backups is only slightly higher than the ransom, it may be cost-effective in the long run to fall back on the previous options.
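To make the cost-benefit comparison above concrete, here is an added worked example (not from the original article). It applies the Single-Loss Expectancy idea (asset value times exposure factor) and adds the costs the article names but does not quantify: downtime, data changed since the last backup, and the chance that a paid ransom yields no working key. All figures, the `Incident` fields and the weighting are assumptions; reputational and ethical costs are deliberately left out of the arithmetic.

```python
"""Expected-cost comparison of the three recovery options (added example)."""
from dataclasses import dataclass


@dataclass
class Incident:
    asset_value: float                # e.g. records encrypted x value per record
    exposure_factor: float            # share of that value lost if never recovered (0..1)
    productivity_loss_per_day: float  # cost of each day the affected systems are down
    recreate_days: float              # days to rebuild the data from scratch (accept-loss path)
    backup_restore_cost: float        # labour and tooling to restore from offline backups
    backup_restore_days: float        # downtime while restoring
    backup_data_loss_fraction: float  # share of the data changed since the last good backup
    ransom: float
    pay_restore_days: float           # downtime waiting for, testing and running the decryptor
    p_key_delivered: float            # assumed probability the attacker delivers a working key


def single_loss_expectancy(inc):
    """SLE = asset value x exposure factor."""
    return inc.asset_value * inc.exposure_factor


def cost_accept_loss(inc):
    """Write the data off: the full SLE plus the downtime spent recreating it."""
    return single_loss_expectancy(inc) + inc.recreate_days * inc.productivity_loss_per_day


def cost_restore_from_backup(inc):
    """Restore labour, restore downtime, and the slice of data the backup does not cover."""
    lost_since_backup = single_loss_expectancy(inc) * inc.backup_data_loss_fraction
    return (inc.backup_restore_cost
            + inc.backup_restore_days * inc.productivity_loss_per_day
            + lost_since_backup)


def cost_pay_ransom(inc):
    """Ransom plus decryption downtime, plus the expected cost of falling back to the
    cheaper non-payment option if no working key arrives."""
    fallback = min(cost_accept_loss(inc), cost_restore_from_backup(inc))
    return (inc.ransom
            + inc.pay_restore_days * inc.productivity_loss_per_day
            + (1.0 - inc.p_key_delivered) * fallback)


def compare_options(inc):
    """Return each option's expected cost (rounded to cents) and the cheapest option name."""
    costs = {
        "accept_loss": round(cost_accept_loss(inc), 2),
        "restore_from_backup": round(cost_restore_from_backup(inc), 2),
        "pay_ransom": round(cost_pay_ransom(inc), 2),
    }
    return costs, min(costs, key=costs.get)


# Constructed scenario loosely based on the article's figures: 10,000 patient records
# at $50 each and a $17,000 ransom. Every other number is an assumption.
WEAK_BACKUPS = Incident(
    asset_value=10_000 * 50, exposure_factor=1.0,
    productivity_loss_per_day=20_000, recreate_days=30,
    backup_restore_cost=30_000, backup_restore_days=5, backup_data_loss_fraction=0.02,
    ransom=17_000, pay_restore_days=2, p_key_delivered=0.9,
)

# Same incident, but with tested offline backups taken nightly (also constructed).
GOOD_BACKUPS = Incident(
    asset_value=10_000 * 50, exposure_factor=1.0,
    productivity_loss_per_day=20_000, recreate_days=30,
    backup_restore_cost=5_000, backup_restore_days=1, backup_data_loss_fraction=0.0,
    ransom=17_000, pay_restore_days=2, p_key_delivered=0.9,
)

if __name__ == "__main__":
    for name, inc in (("weak backups", WEAK_BACKUPS), ("good backups", GOOD_BACKUPS)):
        costs, cheapest = compare_options(inc)
        print(f"{name}: {costs} -> cheapest is {cheapest}")
```

With the weak-backup inputs the model favours paying (about $71,000 against $140,000 for a slow, partially stale restore); with nightly tested backups the restore path wins at $25,000. The point of the exercise is that the answer is driven almost entirely by backup quality, which is the one input the organization controls before an attack.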
Risk of Paying a Ransom
While paying the ransom and receiving a decryption key can be the fastest method to recover encrypted data, and is often designed by the cybercriminal to be the most cost-effective option, it is important to note the risks and ethical considerations involved. First and foremost, there is no guarantee that cybercriminals will provide a decryption key. In most cases, cybercriminals do deliver a decryption key when an organization pays a ransom; however, this is not assured.
For instance, recent reports from Kansas Heart Hospital show that attackers sometimes attempt to extort more money from an organization after an initial payment is made. To maintain their credibility and their continued stream of income, attackers need to keep decrypting most instances of ransomware – but they do not have to decrypt them all. Even if files are decrypted, there is no guarantee that the organization will not be struck again by crypto-ransomware.
Recent reports of a new ransomware variant called ZCryptor illustrate a possible next step for ransomware: acting as a traditional malicious worm that propagates itself on removable devices such as flash drives. This allows the malware to re-infect the same network after the ransom is paid and the malware has been removed from the network.
Aside from the direct financial risks involved in paying a ransom, there are also ethical considerations. While this article does not intend to delve into the ethics of paying a ransom, it is important to at least note that by paying a ransomware perpetrator, a company reinforces the profitability of ransomware to cybercriminals. As more companies affected by ransomware pay to receive their decryption key, more individuals will try to distribute ransomware to reap the benefits.
Recent FBI figures suggest that ransomware victims reported costs of $209M in the first quarter of 2016, a dramatic rise from the $24M reported for all of 2015. Cybercriminals see that victims are paying the ransom, and they know that it works. If a company opts to pay the ransom, it is worth engaging the cybercriminal in an attempt to negotiate the amount. Many cybercriminals employ customer service tactics to maximize their chance of extracting a ransom from their “customers.” They might, for example, offer the victim the opportunity to negotiate the ransom. Early reports on the recent Hollywood Presbyterian Hospital incident stated that the ransom was originally set at $3.6M for decryption of patient data, yet the final amount paid by the hospital was $17,000.
Other Considerations During and After a Ransomware Attack
Regardless of the option chosen to resolve the attack, an organization must:
- Ensure that minimal damage occurs to the network,
- Work toward restoration of business operations, and
- Prevent future attacks.
Larger businesses and organizations can often employ their established cybersecurity operations center (CSOC) and cybersecurity incident response team (CIRT) in the event of an attack. In the absence of in-house professionals to fill the role of a CSOC or CIRT, organizations can employ contracted security teams or engage with government agencies such as the FBI’s Internet Crime Complaint Center for advice and assistance with incident response. Regardless of the source of the expertise, the following should be addressed:
- Ensure that the attack has either been stopped or completed before attempting to resolve its effects. If an attack is still in progress, disconnect the machine from the internet and the internal network, either manually or via security tools. If at all possible, do not turn the device off: doing so destroys information that incident response teams can use and, with some recent malware variants, may delete encrypted files from the computer.
- Determine whether other devices have been infected. Smaller organizations may be able to review each device individually. Larger organizations will be better served by the central management consoles of their corporate antivirus, host intrusion prevention system (HIPS), or security information and event management (SIEM) products.
- If a SIEM is present, organizations can create an Indicator of Compromise (a set of patterns that effectively becomes a rule for the SIEM to match against) to identify and block the command-and-control URL. This prevents further compromise and helps identify other devices affected by the ransomware.
- Perform computer forensics to determine the point of origin of the attack and how the malware executed on the system (phishing email, malvertising, a USB device). This also helps determine whether the malware could re-infect the network after the ransom is paid.
- Analyze the malware to determine the variant and whether any vulnerabilities exist that allow decryption without paying the ransom.
- Once the incident is contained and data can be restored, ensure that the malware is removed from infected systems or, ideally, reformat the infected systems.
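The second and third steps above (finding other infected devices, and turning an Indicator of Compromise into a rule that flags and blocks command-and-control traffic) are shown here as an added example that is not part of the original article and is not tied to any SIEM product. The proxy log lines and the indicator values are constructed for this example (placeholder `.invalid` hostnames, not real infrastructure); in practice the indicators would come from the malware analysis step or a threat-intelligence feed.

```python
"""Match proxy logs against command-and-control indicators (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed indicators: placeholder values, not real C2 infrastructure.
# Domain indicators match the host and any subdomain; URL indicators match
# scheme, host and path exactly (the query string is ignored).
C2_INDICATORS = {
    "domains": {"payload-cdn.example.invalid", "keyserver.example.invalid"},
    "urls": {"http://update.example.invalid/gate.php"},
}

# Constructed proxy log in a simple space-separated format:
# timestamp client_ip method url status bytes
SAMPLE_PROXY_LOG = """\
2016-06-01T09:12:03Z 10.0.4.21 GET http://www.example.com/index.html 200 5120
2016-06-01T09:12:09Z 10.0.4.21 POST http://keyserver.example.invalid/register 200 312
2016-06-01T09:13:44Z 10.0.4.37 GET http://update.example.invalid/gate.php?id=ab12 200 88
2016-06-01T09:14:02Z 10.0.4.37 GET http://www.example.com/logo.png 200 2048
2016-06-01T09:15:10Z 10.0.4.58 GET http://cdn.payload-cdn.example.invalid/bin/x.bin 200 204800
2016-06-01T09:15:30Z 10.0.4.77 GET http://update.example.invalid/ 404 0
this line is garbage and should be skipped
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")


@dataclass
class Hit:
    timestamp: str
    client_ip: str
    url: str
    indicator: str


def hostname_matches(host, domains):
    """True if host equals an indicator domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def match_indicator(url, indicators):
    """Return the indicator a URL matches, or None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Compare without the query string: beacons often carry a per-victim id there.
    path_only = f"{parts.scheme}://{host}{parts.path}"
    for u in indicators["urls"]:
        if path_only == u:
            return u
    for d in indicators["domains"]:
        if hostname_matches(host, {d}):
            return d
    return None


def scan_proxy_log(text, indicators=C2_INDICATORS):
    """Every log line whose destination matches an indicator; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, _method, url, _status, _bytes = m.groups()
        ind = match_indicator(url, indicators)
        if ind:
            hits.append(Hit(ts, client, url, ind))
    return hits


def affected_hosts(hits):
    """Internal addresses that contacted C2: candidates for isolation and forensics."""
    return sorted({h.client_ip for h in hits})


def block_list(indicators):
    """Destinations for the proxy or DNS block rule: every indicator domain plus the
    host of every URL indicator."""
    hosts = set(indicators["domains"])
    for u in indicators["urls"]:
        hosts.add(urlsplit(u).hostname)
    return sorted(hosts)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for h in found:
        print(f"{h.timestamp} {h.client_ip} -> {h.url} (matched {h.indicator})")
    print("isolate:", affected_hosts(found))
    print("block:", block_list(C2_INDICATORS))
```

Note the 10.0.4.77 line: it is not flagged, because only the `gate.php` path is an indicator, yet the host does appear on the block list. That gap is the reason the forensics and malware-analysis steps feed back into the indicator set: if analysis shows the whole host is attacker-controlled, promote it from a URL indicator to a domain indicator so that every path and subdomain is caught.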
Once the data is restored, companies should implement a backup plan if one is not already in place, and employ preventative measures to mitigate the risk of future attacks.
With so many considerations, it can be difficult to navigate the decision-making process in the wake of a crypto-ransomware attack. Organizations without in-house information security professionals should consider hiring consultants to advise on the best course of action. These experts can review attacks on a case-by-case basis to guide the decision-making process, and they can offer information to help companies avoid paying a ransom altogether. Once the incident has been resolved and the data recovered, consultants can also provide recommendations such as those in Part I to prevent further attacks, and review the organization’s policies and procedures to help strengthen its security posture. If nothing else, the potential disaster of a crypto-ransomware attack can be used in a manner similar to a professional penetration test, alerting companies to gaps in their security policies and practices.
Ultimately, how companies handle their response to and protection from crypto-ransomware depends on their size and their need to protect their data. Regardless of the company, proper response and resolution to crypto-ransomware attacks require thought and care to choose the best actions for that specific organization. Senior leadership in all industries should take time to consider the effects crypto-ransomware can have on their business and determine the appropriate methods to defend against it – as these attacks will only become more common in the future.