To Pay or Not to Pay: How to Deal With – and Avoid – Ransomware Incidents

Although ransomware incidents are not the leading data breach threat, their impact is considerable. Victims of ransomware experience loss of data, high costs for cleanup and remediation, and prolonged business interruption.

Unfortunately, there is a disturbing trend of paying ransoms, which is increasingly supported by insurance carriers. But is there another option? In this article, we’ll examine the pros and cons of paying the ransom and give guidance on how to avoid ransomware incidents.

We’re locked up, what now?

Walking into the office on a Monday morning and having your IT staff tell you that your data is inaccessible and your employees can’t work is a gut-wrenching reality for organizations on a daily basis.

If you are unfortunate enough to find yourself in this situation, your first call should be to your General Counsel (GC) or outside legal counsel.  Ideally, you will have an Incident Response (IR) plan and program that you are activating as your technical staff execute pre-made runbooks for this exact circumstance. But, sadly, this is rarely the case.

Your first order of business should be to determine the extent of the damage.  At this point, it’s expected that you’ve pulled the proverbial network plug, to ensure the attackers can no longer access your environment.  Questions you should be asking at this stage:

  • Is just part of your environment locked up, or is everything encrypted?
    • If it’s a partial encryption, identify which environment(s) are affected and start to assess the impact. You will also have to determine how to contain the damage based on a number of factors (environment segmentation, etc.).
  • Do you have backups for your most critical data and, if so, have you taken those offline?
    • Take the backups offline so they cannot get encrypted and, if possible, create a copy of these backups that will remain offline and pristine, in case you have not successfully removed the attackers from your environment.
    • If the backups are very large and located in a place where physical access is not possible (e.g. AWS Glacier) you will need to determine the fastest way to get access to these backups. This is another aspect of IR and DR that should be determined well before a breach.

Calling in Outside Help in Case of Ransomware Incidents

If you have not prepared for a data breach, and specifically this type of cyber incident, you may have already done one of two things:

  1. Contacted Law Enforcement, or
  2. Communicated to the organization that you’ve been the victim of a breach.

This is not the best course of action for a number of reasons.  Most importantly, everything should be run through your legal counsel.  Your best level of liability protection would be having outside breach counsel, especially if you engage an external IR firm to assist you.  This external IR provider should be engaged through outside legal counsel.

Your legal counsel, and sometimes insurance coverage counsel, if you can engage them, will guide you on the next steps.  Many insurance carriers encourage ransom payments to get up and running as quickly as possible. However, we are strongly against paying ransom for numerous reasons:

  1. Paying ransom enables criminals to build out their “business” and ensure more effective ransomware campaigns in the future.  When organizations pay, cybercriminals will continue to increase their staff, skills, and reach. This may be more impactful if you replace “the criminals” with “your competition”.
  2. Paying the ransom could get you back up and running, but it will not remediate the original vector. We may soon see criminals offer to remediate the vulnerabilities that allowed them access, but you will still need to do a thorough analysis of your environment and remediate it yourself. This remediation may cost as much as the bitcoin you paid! And you are open to other attacks while your environment remains in a vulnerable state. Worse still, it’s also possible attackers will maintain access for a future attack.
  3. There is no guarantee your payment will get your data back.

How to Dodge Ransomware Incidents

If you’re lucky enough to be reading this without the stress of being breached, then you have an excellent opportunity to prepare for this event and avoid it altogether. Proper logging and monitoring, vulnerability management and a strong governance structure go a long way toward defending against these types of attacks. A well-planned Incident Response Plan and Program, which is regularly tested, is your best protection in the event of a breach. If you need guidance, CDG’s team are experts at Incident Response and IR preparation. Reach out for a free consultation to protect yourself today.