Targeted ransomware: Open Season
Part 3: Under attack
After covering what they are and who the victims are, let’s talk about possible outcomes.
Once you’ve been hit with a ransom demand, what are your options?
Payment is, of course, something that many victims resort to in order to resume their operations. There is an ongoing debate regarding payment vs non-payment, including regarding the legality of paying ransom demands.
Case in point, it already is illegal in the U.S. and the EU to facilitate payments to individuals, organizations, regimes and in some instances entire countries that are on a sanctions list. Since many cybercrime groups are on such lists, would payments to them be considered illegal?
Outside of the legality of things and hypothetically speaking: if cybercriminals attack and demand a ransom, victims pay, and the culprits keep getting away with it, would a generalized non-payment stance be a deterrent for this type of attack?
Otherwise, if making ransom payments is illegal, what would the penalties be for a business that is a victim of ransomware, chooses to pay, and now also has to answer to its country’s justice system? What options would that leave businesses with?
Is this a debate even worth having?
The evolution of ransomware:
Historically, a ransomware attack consisted of malicious code rapidly encrypting files with public-key (RSA) encryption, and then deleting those files if the victim did not pay the ransom.
However, after notorious attacks such as WannaCry and NotPetya, companies ramped up their cyber defenses. More emphasis was placed on backups and restoration processes, so that even if files were destroyed, organizations had copies in place and could easily restore their data.
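The "rapid encryption" pattern described above leaves a measurable trace on disk: ciphertext has near-maximal byte entropy, while documents, spreadsheets and source files do not. The following script is an added example, not code from the original post or from any product it mentions; it computes the Shannon entropy of a sample of each file under a directory and flags files that look encrypted, which is one building block of a file-system canary or backup-integrity check. The threshold, sample size and the constructed sample tree (two plain documents plus one file filled with random bytes standing in for ransomware output) are assumptions for this example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: English text sits around 4-5 bits per byte, structured data
# lower still, while encrypted or well-compressed data approaches 8.
ENTROPY_THRESHOLD = 7.5
# Only the first few KiB of each file are read; enough to classify, cheap to scan.
SAMPLE_BYTES = 4096


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in Counter(data).values())


def looks_encrypted(path: Path) -> bool:
    """True if the leading sample of the file has ciphertext-like entropy."""
    with path.open("rb") as fh:
        return shannon_entropy(fh.read(SAMPLE_BYTES)) >= ENTROPY_THRESHOLD


def scan_directory(root: Path) -> dict:
    """Walk `root` and return how many files were scanned and which look encrypted."""
    suspicious = []
    scanned = 0
    for path in root.rglob("*"):
        if path.is_file():
            scanned += 1
            if looks_encrypted(path):
                suspicious.append(str(path.relative_to(root)))
    return {"scanned": scanned, "suspicious": sorted(suspicious)}


def build_sample_tree(root: Path) -> None:
    """Constructed sample data: two ordinary documents and one file of random
    bytes that stands in for a file a ransomware payload has overwritten.
    No real malware output is involved."""
    (root / "report.txt").write_text("Quarterly report: revenue up 3%, costs flat.\n" * 100)
    rows = "".join(f"{i},item{i},{i * 10}\n" for i in range(200))
    (root / "ledger.csv").write_text("id,name,amount\n" + rows)
    (root / "report.txt.locked").write_bytes(os.urandom(8192))  # constructed name


def demo() -> dict:
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan_directory(root)


if __name__ == "__main__":
    print(demo())
```

Entropy alone is a heuristic: archives, images and files that are encrypted by design (password-protected office documents, encrypted databases) will also score high, so in practice this check is paired with an extension allowlist and with monitoring of the write rate, since the point of the original attack pattern is that many files change in a short window. Run against backup targets as well, so a restore is not attempted from copies that were taken after encryption began.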
When it rains, it pours: Introducing double and triple extortion
In response, cybercriminals have also adapted their techniques. Rather than only encrypting files, double extortion ransomware exfiltrates the data first. This means that if the company refuses to pay up, the information can be leaked online or sold to the highest bidder. All of those backups and data recovery plans suddenly become worthless.
Or, as it happened with Finland’s Vastaamo psychotherapy clinic, attackers can later send ransom demands to patients who had sensitive information stored within the clinic’s system.
You get what you pay for? Well, not always.
For the sake of example, let’s say you are hit with a ransomware attack and the decision has been made to pay the ransom. Payment is sent and received. Then nothing.
I truly am sorry to be the bearer of bad news; however, it is very difficult to ignore the facts: paying a ransom does not guarantee data recovery.
According to the Sophos State of Ransomware 2021 report, 92% of organizations do not get all their data back after making a ransom payment. For added perspective, 29% could not recover more than half of their data.
And what can people do about it? You guessed it: nothing.
What would you do?
Recovering data without paying the ransom: Possible?
What if you don’t want to pay? There always is another way, of course.
In fact, according to this ThreatPost article, 80% of ransomware victims do not pay up. The top reason cited was that paying a ransom does not guarantee a decryption key. And even when a decryption key is obtained, as I mentioned a little earlier, the recovery of data may not be complete.
Cybersecurity insurance can help in various areas after an attack:
Notifying customers about a data breach
Restoring personal identities of affected customers
Recovering compromised data
Repairing damaged computer systems
While some of the damage may be irreparable, cyber insurance helps businesses get back to their ‘new’ normal. There are many layers to a cybersecurity strategy, and while we recommend cybersecurity insurance, it does not constitute an entire strategy on its own. Mitigating risk through security and corrective controls should always be at the top of any cybersecurity strategy.
Better to be safe than very, very sorry.