This is the call you hope never to receive. Your business has been the victim of a ransomware attack. Your systems are offline. Your customer data has been stolen by an unknown malicious actor who is threatening to disclose it. You have many questions and few answers. And now in the midst of this crisis, you have to decide whether to pay the ransom or not.
A growing problem
Ransomware1 and digital extortion2 incidents are on the rise. US cybersecurity authorities reported a significant increase in ransomware-related incidents in 2021: over 600 ransomware-related suspicious activity reports were filed with the US Treasury Department’s Financial Crimes Enforcement Network (FinCEN) in during the first semester of the year alone, according to a recent analysis— involving nearly every sector of the United States economy.
Hackers continue to professionalize, offering commoditized “ransomware as a service” for hire. There are more vulnerabilities than ever to exploit, with the pandemic-induced shift to remote working exposing additional attack surfaces. Threat actors hunt “big game” less and instead target mid-sized companies to avoid scrutiny while achieving volume by targeting more potentially easier targets. And extortion strategies are diversifying. Hackers don’t just lock down networks; they exfiltrate data and threaten to release it on public leak sites.
And a profitable
Of course, the main reason for the proliferation of ransomware attacks is that they are profitable. In his recent Analysis of financial trends, FinCEN predicted that the total value of ransom payments in 2021 alone would exceed those of the previous 10 years combined – in the first half of 2021 alone, identified ransomware-related transactions amounted to $590 million. And this figure represents just the value of reported ransomware-related events.
Take your precautions
against it ever-growing ransomware threat, companies need to take precautions. They should—and increasingly are necessary for—invest in network defenses to thwart ransomware attacks before they happen and formulate incident response plans to react and recover when hackers gain access. But companies also need to consider when and under what circumstances they would make a payment to a threat actor during a ransomware event. It is important to note that the time to reflect on these considerations is not during an event, but before it occurs.
The US government generally discourages ransom payments to eliminate the inducement to threat actors. Before an attack, many companies take the same approach and maintain the “no payment under any circumstances” principle. Yet, plagued by a ransomware threat, there are potential pressure points that have caused companies to rethink their “no-payment” principle and, in some cases, change their minds, or at least do an exception.
Each ransomware and digital extortion event presents a unique set of challenges. They vary depending on, among other things, the characteristics of the threat actor or group of threat actors, the type of attack and the strain of malware, the persistence of the attack, the the victim’s ability to restore and recover data and the victim’s risk tolerance. .
With this variation, we believe that a single decision tree with “pay” or “don’t pay” outcomes is not feasible. Instead, we offer the following insights from our front-line experience that every business can use to inform the final payment decision:
- Intelligence. It is essential to make good attempts to identify the attacker and the recipient of the ransom. This diligence involves both insurance and penalty concerns. In a 2021 advisorythe US Treasury’s Office of Foreign Assets Control (OFAC) has highlighted the risks of sanctions to facilitate ransomware payments, including by those who make them.
- Ransomware and/or known threat actor. Can you identify the threat actor and/or ransomware variant or strain? If so, is there a history of what happens when the payment is made? Is there a risk of re-extortion of ransomware from the threat actor? Does your incident response provider have an encryption key from a previous customer dispute with the same set of attackers?
- Availability of benchmarking and/or intelligence. Can you collect information from your incident response provider or ransomware broker? Do you have benchmarks for the following: (i) general threat actor trends; (ii) what others have paid for that malware bundle or variant; (iii) whether the decryption key provided after the ransom payment worked or possibly contained more malware; (iv) whether the threat actor has consistently disclosed exfiltrated data despite payment and has committed to delete it; and (v) whether the threat actor returned after payment to extort the business again?
- Law enforcement. There are important reasons to consider contacting law enforcement before deciding whether or not to pay a ransom note. Law enforcement generally discourages the payment of ransoms, in part to avoid inducing other actors to engage in this activity. But law enforcement understands that business realities sometimes require paying, and agencies like the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) can provide helpful intelligence and reporting coverage to regulatory and insurance purposes.
- Additional Information. Do you have an existing link to law enforcement that you or your attorney can leverage for threat actor intelligence or recovery and decryption expertise without paying?
- Insurance Requirements. Does your carrier require you to notify law enforcement as a precondition to cover the ransom payment? If so, consider filing a report with the FBI Internet Crime Complaint Center.
- OFAC guidelines. Not sure if you are paying a sanctioned entity or an actor in a sanctioned country? If so (and as we discussed in a recent update), OFAC will consider disclosing an advance payment to law enforcement as voluntary self-disclosure under its Application guidelines.
- Business continuity. From an IT and business perspective, organizations should carefully consider the scope of the ransomware attack and the economics behind the likely business disruptions, significant IT costs, and time to rebuild. The following questions are key to understanding general preparation.
- Encryption. Are some or all of your systems encrypted by ransomware?
- Impact. Which systems host your most sensitive data? Is encryption disrupting key critical business functions and critical information repositories? What is the extent of the disturbance?
- Recovery and downtime. Will the company quickly and adequately restore functions? Does the company have unaffected and up-to-date backups (or were the backups unavailable or damaged during the attack)? Is the cost to the business of lost data and/or restricted access significantly higher than the ransom?
- Exfiltration. Organizations should consider the potential consequences of data exfiltration by the entity’s threat actor. As mentioned earlier, conducting a thorough forensic analysis of the breach is essential to fully understand the extent of any exfiltration. If data has been stolen, there can be multiple business impacts: loss of key intellectual property, compromise of financial reporting information, regulatory fines and possible class action lawsuits for personal data breach and public disclosure of information embarrassing, confidential or sensitive.
- The prospect of regulatory notification, costs and class actions. Does the exfiltrated data contain sensitive information about customers or other third parties that would require notification to data subjects and/or regulators and expose the company to litigation?
- Loss of key commercial crown jewels. Does the exfiltrated data contain sensitive business information, such as trade secrets, the disclosure of which would seriously harm the business?
- Lack of ability to control the public narrative. Can the company send the required notifications to government agencies and victims of data subjects prior to the leak of personal, sensitive and valuable data indicated by the threat actor?
- Consequences of payment. When assessing ransom payments, companies should seriously consider whether they have complied with their insurance company‘s payment preconditions, as well as the governance and reputational aspects of the payment.
- Assurance. Will your cyber insurance company and policy cover the ransom payment? What requirements does your operator impose before allowing cover for a ransom payment?
- OFAC Considerations. Can you take steps to determine if the threat actor or payment recipient is in an OFAC-sanctioned country? What are the government law enforcement risks and costs associated with such payment? Are you able to assess the potential consequences of penalties linked to a payment before making it? Given these demands, is payment a legally permitted option?
- Board/Shareholders. How will the board and/or shareholders react to the payment?
- Reputation. How will news of the payment, if made public, affect the company’s reputation?
Companies cannot answer most of these questions before an attack. But, given the prevalence of ransomware attacks, they need to anticipate how to generally react in common attack scenarios. Payment contingencies should be part of a company’s incident response plan and updated to reflect changes in the business and threat landscape.
1. Ransomware is a type of malicious software designed to block access to a computer system until a sum of money is paid.↩
2. Digital extortion is the coercion of an individual or company to pay in exchange for access to stolen cyber assets.↩