Data Breach Digest: A practical guide to corporate ransomware and cyber extortion
Imagine if you woke up one day and found yourself the CEO of a large international shipping company. You get a call from the head of risk management alerting you that one of your tankers was overtaken by pirates who are demanding a large sum of money in return for your vessel. This might seem like an outlandish scenario, but almost all security professionals are facing the equivalent in the digital world.
Ransomware, a type of malware that encrypts an entire computer or server and then demands that companies pay up or have the data deleted forever, is now a favored tactic of many organized cybercrime rings.
Recently, a few highly publicized cases have drawn attention to these types of attacks, including Hollywood Presbyterian Medical Center – a Los Angeles hospital – that recently paid $17,000 to unlock its systems after experiencing significant business disruption. Unfortunately, there are countless other similar scenarios that never see the light of day. Why? Simple economics. Many organizations conclude that it is more advantageous to pay to get their data back from criminals versus risking the potential business disruption that losing the data or restoring the system may cause.
However, when faced with a ransomware scenario, coming to the right decision for your organization is anything but simple and requires careful thought and attention. The following are the top five considerations and steps necessary to effectively prepare for and manage a major ransomware infection.
1). Understand the Criminal Mindset
First and foremost, understanding the likely mindset, interests and typical actions of the criminals behind these attacks is important for all the key decision makers to understand. One of the first questions that gets asked when organizations find themselves facing a successful attack is if they can expect to get systems restored after paying the ransom. While there is no such thing as an honest criminal, there trends to be at least some honor among thieves in this case.
According to experts, data almost always gets recovered following payment of the ransom. At the end of the day, criminals are most interested in making money as quickly as possible and from as many potential victims as possible. If the attackers did not hold up their end of the bargain, then word would spread in corporate security circles and other companies would be less willing to cooperate with them.
The next question that gets asked is if paying will encourage criminals to come back again for more. While this is a valid concern, these criminals have largely automated their attacks and tend to go after new targets versus hitting up the same companies who likely put additional safeguards in place after an attack.
2). To Pay or Not?
It’s important that organizations discuss what they would do if they were facing a major ransomware shut down well ahead of finding themselves in that situation. In the heat of the moment, emotions tend to run high, different stakeholder groups will be conflicted about the proper course of action and coming to a consensus can take valuable time.
Ultimately, deciding to pay a ransom is not a typical security decision; it must be addressed as a broader business risk that requires input from the C-suite, as well as operational and communication leaders at an organization. Security professionals must ensure that all parties understand the risk and meet ahead of time to decide in principle if, and under what circumstances, to pay.
For example, determining if there are certain systems that if infected would always lead to payment or if others, say an infection limited to Greg from accounting’s laptop, would not. Or if the company will not pay a ransom under any circumstance, stakeholders must determine ahead of time how they plan to manage any operational disruption that may occur. Finally, it’s important to determine if a reliable back-up of the data exists and can be easily restored, because a good backup often means not needing to pay to gain access to the ‘old’ data that was locked up.
Along with agreeing to the proper approach in principle, it’s important to incorporate this particular threat into an incident response plan. As part of that process, security decision makers should establish who is able to make the call during a real incident. Ultimately, the decision should come down to a small group of stakeholders who are most knowledgeable about the threat and potential impacts to the IT infrastructure. This group should have delegated authority from the C-suite and board to make the call and move quickly to avoid delay. Every hour a system is down can cost the company millions of dollars.
3). Determine Customer Notification Requirements and Needs
There is much debate about if a ransomware attack that compromises systems with personal information should be considered a data breach that requires formal notification to the individuals who had their information exposed. On one hand, it’s a real possibility that the attackers did gain some sort of access to the compromised data. On the other hand, ransomware doesn’t actually steal and/or exfiltrate information from systems, so the information may not ultimately be lost and legal notification may not be necessary.
It’s important that organizations consult with outside legal and breach resolution experts to understand if their particular circumstance legally requires notification. Even if legal notification is not required under state law, organizations should consider if there are any other reasons they may want to inform key customers or stakeholders about the incident. At the very least, it’s worth notifying the FBI about the incident because they are actively working to identify and take these cybercrime groups down.
4). Insure Against the Risk
Just like how businesses typically have insurance coverage for traditional forms of ransom, they should talk with their insurance brokers to understand if their cyber insurance plans cover ransomware. This coverage could include everything from paying the actual ransom to covering the cost of any business disruption it may cause, as well as any forensics work to try to recover systems.
5). Prepare and Protect Against the Risk
Much like other security risks, there are several steps that companies should consider today to make their systems more resilient to ransomware attacks. Creating and regularly maintaining back-ups of critical data and systems remains one of the best ways to combat this growing threat. Organizations would also be wise to take an inventory of where critical information and systems reside within their networks. As part of the inventory process, classifying the types of data into high, medium and low impact on business operations can help provide the situational awareness in the time of a crisis.
While ransomware may be the most prominent example, we’ve seen several other forms of cyber-centric extortion. From stealing sensitive trade secrets and demanding a payment for their safe return to requiring companies pay a “consulting fee” to disclose a vulnerability in a product or website, this issue is unlikely to go away anytime soon. The best thing to do is be prepared and understand the consequences. Oh, and also be glad you are not actually dealing with a real hostage situation like the poor hypothetical shipping executive.
About the Author: Michael Bruemmer, CHC, CIPP/US, is vice president with the Experian Data Breach Resolution group. With more than 25 years in the industry, Bruemmer brings a wealth of knowledge related to business operations and development in the identity theft and fraud resolution space where he has educated businesses of all sizes and sectors through pre-breach and breach response planning and delivery, including notification, call center and identity protection services. Bruemmer currently resides on the Ponemon Responsible Information Management (RIM) Board, the International Security Management Group (ISMG) Editorial Advisory Board and the International Association of Privacy Professionals (IAPP) Certification Advisory Board. He can be reached at [email protected].