Ransomware attacks have become one of the most dominant forms of cyber-attacks over the past few years. There is no doubt that those can be very disruptive, essentially when targeting key systems, critical data, or large populations of senior executives, who have to be given emergency – secure – replacement devices to continue working, and might have lost highly valuable or sensitive data in the attack. For large firms, losses can easily run into the tens of millions by the time everything is added up.
At the other end of the scale, there are also many ransomware attacks targeting isolated users with low ransoms, which as a result often get paid “to get rid of the problem quickly” so that the affected individual can resume normal work.
5 practical tips to deal with Ransomware attacks
We offer below 5 practical tips on how to deal with ransomware attacks, which for the main part come from the excellent #Hacked2016 event held at the Institute of Directors in London on 21st June 2016 (sponsored by Beazley) where specialist law firms DAC Beachcroft and BakerHostetler, alongside the UK National Crime Agency, presented on the matter and facilitated a very enlightening interactive session:
1. First, it is key to remember that it is illegal to pay any ransom if it can be traced and proven that your attacker is using the proceeds to fund or support terrorism. You could be prosecuted and your firm or its officers could face fines or charges. The resulting publicity could cause serious damage to your brand.
In other cases (beyond the support of terrorism), the situation is not entirely clear and could vary from one legislation to another, but it is generally not illegal to pay ransom. However, it should be broadly regarded as un-ethical as most proceeds are likely to go to organised crime networks. Paying money to such people – especially large sums – could also damage your brand if made public.
2. The best course of action is to consult first with the police or other relevant law enforcement bodies (in the UK, it should be reported to ActionFraud who will involve the relevant police force). Ransomware attacks are very common and they should be able to assist you or to put you in contact with somebody who can. Before taking any action, the main things to check with them are in the following areas:
- Is the attack real or fake? Is the attacker known? What are their motivations and their degree of virulence?
- What is the line of action the attacker is likely to take should you decide not to pay? (Do nothing and target someone else? Increase the level of attack?)
- Can the attacker be trusted should you decide to pay the ransom regardless? (Trusted to restore access to your affected users? Trusted not to attack you again for more money?)
- Is the attacker known for being receptive to negotiation attempts (in particular if the ransom is large)? What are the best channels to table an effective negotiation with them if possible and desirable? You may need to consider negotiating around the amounts demanded or timeframes involved.
3. Even if you end up deciding that the amounts involved are not worth your time and you decide to pay and “get on with it”, there might be some practical considerations to bear in mind: Most ransoms are demanded in bitcoins and should you decide to pay, you will have to obtain those. If you do not have a bitcoin wallet established, you’ll have to open one and start collecting (or buy) bitcoins. You should consider doing this from a public network in a way that is not directly traceable back to your organisation, to minimise any chance of brand damage. In all cases, this will take time, and if you leave it too late, it may prevent you from meeting the attacker’s deadline, leading to further complications.
4. When disclosed to the general public, those types of attacks – like most data breaches – have almost always had a short-term impact on the share price of affected firms in recent years. As such, if you are a listed company, you should consider from the start whether the attack should be treated a “price-sensitive” event and, should you decide it is, you must ensure you comply with your regulatory obligations, such as establishing and maintaining an insider list. This is a complex and delicate matter with ransomware attacks as you may not know from the start whether you might have to publicise details about the attack at some point down the line. Something small and limited in scale might escalate if ignored or poorly handled, and end up affecting your general operations and your customers.
5. Should things escalate, you may have to inform customers of the attack – and possibly other parties such as privacy regulators in the event sensitive data has been compromised. You should deal with this in line with your standard incident handling procedures, and all good practices in that space do apply (do not communicate too quickly; communicate clearly, transparently and consistently only once you have all the facts and a clear action plan is agreed; etc…)
Cyber security good practices have been known for a long time and do provide protection in that space
Overall, the fact that Ransomware has become such a hot topic over recent years should be a source of concern in itself. Of course, there will always be attackers targeting zero-day vulnerabilities, but It is worth repeating that well established Information Security and defence-in-depth good practices can go a long way in providing protection against ransomware attacks:
- Having an established scenario around that specific theme regularly tested and rehearsed with senior executives across the firms up to Board level
- Having a clear and efficient education programme in place that explains to all staff (including senior management) in their own language the nature, reality and virulence of the threats, and re-iterates security good practices (do not open email attachments from unknown sources, do not click on unwanted links, etc…)
- Maintaining regular contacts with law enforcement agencies, industry forums, and your peers in comparable organisations
- Reporting all incidents to law enforcement agencies so they can collate the attacks and go after the largest perpetrators.
- Having an up-to-date anti-malware solution in place on all workstations (desktop-laptop-tablet-smartphone) and blocking access to malicious sites and apps.
- Periodically applying software and OS updates on all workstations (desktop-laptop-tablet-smartphone)
- Taking frequent backups and testing your restore procedures regularly
None of this is new. Those topics have been regarded as good practice for the best part of the last 10 years – if not longer – and should be in place to a degree in most firms, large or small.
So the prominence of ransomware attacks in the news these days questions once more the real cyber security maturity of organisations, and their ability to execute strategy and deploy solutions in that space.
Beyond, it is also the validity of their investment decisions around security over the last decade, and the attitude of senior management towards the topic that should be challenged.
After-the-fact Knee-Jerk reactions often do more harm than good, and could cost considerably more than preventative measures.
This article was originally published on the Corix Partners blog on 14 July 2016 and can be found here.