Ransomware Part Three: During and After an Attack

Stephen DeAngelis

November 5, 2021

Ransomware attacks have made for sensational headlines the last couple of years. They are not new, but they are intensifying. According to The Economist, “The first attempt at ransomware was made in 1989, with a virus spread via floppy disks.”[1] The magazine adds, “Cybercrime is getting worse as more devices are connected to networks and as geopolitics becomes less stable. The West is at odds with Russia and China and several autocracies give sanctuary to cyber-bandits.” In Part One of this article, I discussed the growing threat of ransomware. In Part Two, I discussed what companies can do ahead of such attacks. In this concluding segment, I want to discuss what companies can do during and after ransomware attacks.

During an Attack

Lucian Constantin (@lconstantin) reports, “In an ideal world a ransomware attack should trigger a well-rehearsed disaster recovery plan, but unfortunately many organizations are caught off guard. While large enterprises might have an incident response team and plan for dealing with cyberattacks, the procedures for dealing with various aspects specific to a ransomware attack — including the threat of a data leak, communicating externally with customers and regulators, and making the decision to negotiate with threat actors — are typically missing.”[2] As Constantin notes, one of the most important decisions a company may have to make is whether or not to negotiate. He notes, “Ransom demands have grown from tens of thousands of dollars to millions and even tens of millions because attackers have learned that many organizations are willing to pay.”[2]

As I noted in the first installment of this article, governments are trying to discourage companies from paying. Tarah Wheeler (@tarah), a Cyber Project Fellow at the Belfer Center for Science and International Affairs at Harvard University’s Kennedy School of Government, and Ciaran Martin (@ciaranmartinoxf), a professor of practice in the management of public organizations at Oxford University, report, “As victims have paid up in order to mitigate damage, there are now growing calls for businesses to be banned from paying ransoms.”[3] They go on to note that banning payments would put most businesses between the proverbial rock and a hard place. “These calls to ban ransom payments,” they note, “outright fail to capture what is an enormously complicated policy issue. As it stands, the ransomware model favors the criminal, but will banning ransom payments outright reverse this imbalance of incentives?” Making a victim pay twice seems an odd way to deal with criminal behavior.

Until bans or fines for paying are mandated, negotiation may be a company’s best option. Before opening negotiations, however, Constantin suggests a company take two other actions: First, “identify how attackers got in, closing the hole, and kicking them off the network.” Second, “understand what you’re dealing with, which means determining the ransomware variant, tying it to a threat actor, and establishing their credibility, especially if they also make data theft claims.” He notes, “The first action requires an incident response team, either internal or external, while the second might require a company that specializes in threat intelligence.”

If negotiations are opened, that action may also require a specialized company. Journalists Ellen Nakashima (@nakashimae) and Rachel Lerman (@rachelerman) report, “A mini-industry has arisen in companies that help victims of ransomware attacks. Firms such as Coveware, Kivu and Arete specialize in negotiating with ransomware criminals. Often these specialists are called in by the insurer, said Michael Phillips, chief claims officer of the insurer Resilience, who noted that policies that cover ransomware became commonly available only about five or six years ago. Most insurers require that the bargaining with ransomware extortionists be conducted by experienced negotiators, said Phillips, who co-chaired the Ransomware Task Force. They have strategies for bringing ransom prices down. They know how to obtain proof, for instance, of stolen files and of a functioning decryption key, which might involve a limited exchange of encrypted files, he said.”[4]

Kurtis Minder, founder of the cybersecurity service GroupSense, indicates “hackers expect the negotiator to try to bring down the price.”[5] He states, “It’s almost like used-car dealers. They know you’re not paying the price on the sticker. And that’s why the price on the sticker is what it is.” The Washington Post notes, “For small companies, the entire process takes two to four days. For bigger ones, it could go as long as three weeks.”[6] That’s a long time to be locked out of operationally sensitive data. With governments threatening companies that pay ransomware demands with fines and penalties and also trying to disrupt cryptocurrency exchanges used by cybercriminals, the future of negotiations and what companies do during an attack remains problematic.

After an Attack

According to the Washington Post, “It takes the better part of a year — an average of 287 days — for a company to fully recover from a ransomware attack. … For many companies, the actual ransom payment isn’t even the most expensive part of the attack. Companies have to restore backups, rebuild systems, work with forensic investigators to ensure that the hackers are truly locked out and, in many cases, implement stronger cybersecurity controls to prevent future attacks.” And, according to industry journalist Eileen Yu (@eileenscyu), ransomware attacks are not one-and-done situations. She reports, “The majority of businesses that choose to pay to regain access to their encrypted systems experience a subsequent ransomware attack. And almost half of those that pay up say some or all their data retrieved were corrupted.”[7] That’s why digital evangelist Evelyn Johnson (@EvelynJohns0n) agrees a post-mortem is essential after an attack.[8] She recommends taking the following three steps:

Identify the Source of the Vulnerability. “After disconnecting infected devices,” she writes, “investigate your network to find the source [of the vulnerability]. Systems with misconfigured and out-of-date software are more vulnerable. Finding ‘patient zero’ is a bit difficult in a larger organization. You will have to reach out to employees to find who was first targeted with the attack. Discover whether they clicked on a link in an email that caused the ransomware to breach. Or did they notice unusual prompts in their browsers?” As you might imagine, ‘patient zero’ may be reluctant to fess up. When and if the vulnerability is identified, Johnson explains, “You need to determine what permissions were needed to modify the files and who has these permissions.”

Analyze the Backups. Johnson notes, “The fastest and most convenient way to recover your data without paying the ransom is restoring your systems from backups. This is the reason cybersecurity consultants insist that corporations create regular backups to protect their data. Data that is recent and unaffected by the ransomware is easy to recover. Typically, you can make this happen by resetting your systems to factory defaults. If your backups aren’t up-to-date, this strategy may backfire. The restoration process could take up hours and then fail, leaving you in a state where you have little to no time for paying the ransom or finding some other alternative. It’s always recommended to perform a restore test. Have a specific number of encrypted files restored to see [if] it happens successfully. It wouldn’t take long to restore the onsite backup. In contrast, offsite data could take days. If the restore time is reasonable and you’re certain it will work, this is a good alternative to paying the ransom.”
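
A restore test of the kind Johnson describes, as an added example that is not from the original post or from Johnson’s article: it restores a random sample of files from a backup directory, verifies each restored file against a SHA-256 manifest recorded at backup time, and scales the measured time to estimate how long a full restore would take. The backup contents, the directory layout and the manifest format are constructed here for the demo and are assumptions, not any vendor’s format.

```python
import hashlib, os, random, shutil, tempfile, time
from pathlib import Path

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_manifest(backup_dir: Path) -> dict:
    """Hash every file in the backup so a restore can be verified later."""
    return {p.relative_to(backup_dir).as_posix(): sha256_of(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}

def restore_test(backup_dir: Path, manifest: dict, dest: Path,
                 sample_size: int, seed: int = 0) -> dict:
    """Restore a random sample, verify it against the manifest, and scale
    the measured time by bytes to estimate a full restore."""
    rng = random.Random(seed)  # fixed seed: same sample on every run
    names = rng.sample(sorted(manifest), min(sample_size, len(manifest)))
    total_bytes = sum((backup_dir / n).stat().st_size for n in manifest)
    ok, failed, sample_bytes = 0, [], 0
    start = time.perf_counter()
    for name in names:
        src, dst = backup_dir / name, dest / name
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # the actual restore step
        sample_bytes += dst.stat().st_size
        if sha256_of(dst) == manifest[name]:
            ok += 1
        else:
            failed.append(name)  # restored copy does not match the manifest
    elapsed = time.perf_counter() - start
    est = elapsed * total_bytes / sample_bytes if sample_bytes else 0.0
    return {"restored": ok, "failed": failed, "elapsed_s": elapsed,
            "estimated_full_restore_s": est}

def demo(tamper: bool = False) -> dict:
    """Constructed backup of 20 small files in a temp dir; optionally corrupt
    one manifest entry to show a bad restore is caught rather than trusted."""
    root = Path(tempfile.mkdtemp())
    backup = root / "backup"
    for i in range(20):
        f = backup / f"dir{i % 3}" / f"file{i}.txt"
        f.parent.mkdir(parents=True, exist_ok=True)
        f.write_bytes(os.urandom(64) * (i + 1))
    manifest = build_manifest(backup)
    if tamper:
        manifest["dir0/file0.txt"] = "0" * 64  # hash no longer matches the file
    return restore_test(backup, manifest, root / "restore", sample_size=20)

if __name__ == "__main__":
    print(demo())
```

For a real backup, call build_manifest when the backup is taken, keep the manifest somewhere the backup media cannot overwrite it, and restore into a scratch location rather than the production path.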

Get Specialized Help. As noted earlier, a company may be ill-equipped to deal with a ransomware attack and its aftermath. Johnson explains why you may need expert assistance. “Unless you’re running a big firm that has a dedicated cybersecurity department,” she writes, “you won’t have the expertise to deal with such a situation. This is where you should consider hiring a firm that specializes in ransomware to steer the data recovery efforts. They might be able to decrypt the data and help you avoid the extortion altogether. Even if you’re considering paying the ransom, it will help to have individuals who have previous experience. Since cybercriminals are criminals, they might not return the data even if the amount is paid. A good anti-ransomware firm knows all the tricks online criminals play on their victims.”

Concluding Thoughts

The Economist notes, “Dealing with cyber-insecurity is hard because it blurs the boundaries between state and private actors and between geopolitics and crime. The victims of cyber-attacks include firms and public bodies. The perpetrators include states conducting espionage and testing their ability to inflict damage in war, but also criminal gangs in Russia, Iran and China whose presence is tolerated because they are an irritant to the West.” With little help coming from governments, companies must do all they can to protect their data and their operations.

Footnotes
[1] Staff, “To stop the ransomware pandemic, start with the basics,” The Economist, 19 June 2021.
[2] Lucian Constantin, “How ransomware negotiations work,” CSO, 15 February 2021.
[3] Tarah Wheeler and Ciaran Martin, “Should ransomware payments be banned?” The Brookings Institution, 26 July 2021.
[4] Ellen Nakashima and Rachel Lerman, “Ransomware is a national security threat and a big business — and it’s wreaking havoc,” The Washington Post, 15 May 2021.
[5] Gerrit De Vynck, Rachel Lerman, Ellen Nakashima, and Chris Alcantara, “The anatomy of a ransomware attack,” The Washington Post, 9 July 2021.
[6] Ibid.
[7] Eileen Yu, “Most firms face second ransomware attack after paying off first,” ZDNet, 16 June 2021.
[8] Evelyn Johnson, “What Can Enterprises Do After a Ransomware Attack?” Dataversity, 21 January 2021.