Unlocking Ransomware: Options, Outcomes, And Ethics
January 20, 2021 | Alex Terlecky
These best practices and considerations can help you view your cybersecurity in a new light.
In October, federal officials at the Cybersecurity and Infrastructure Security Agency (CISA), the US Department of Health and Human Services, and the FBI reported an imminent and increased threat to hospitals and healthcare providers in the United States.
According to their joint advisory, cybercriminals were infecting systems with TrickBot and BazarLoader—two common types of malware—to set the stage for ransomware attacks, data theft, and the disruption of healthcare services.
What makes this wave of attacks so alarming is the specific targeting of hospitals. Cyberattacks account for 39% of all causes of loss within the healthcare industry, and 73% of all causes of loss for government entities, according to a 2020 report from Beazley.
Hospitals are more critical now than ever, and they are targeted precisely because they cannot afford to have their systems compromised, which makes cooperation with the attackers more likely.
Beyond healthcare facilities, a 2016 report by BitSight, a cybersecurity ratings company, found that government entities have the second-lowest security rating and the second-highest rate of ransomware attacks.
With our members providing a range of necessary public services that include water and wastewater treatment, health, fire and emergency services, parks and recreation, and more, public entities form high profile targets for cybercriminals who are aware of their vulnerabilities and ready to exploit them.
Ransomware attacks happen without warning. One moment, your computer files, systems, and networks are in working order, and the next moment they’re encrypted and in the hands of criminals. Ransomware attacks comprise 43% of all reported cybersecurity incidents by government entities.
Alarmingly, ransomware attacks increased by 131% from 2018 to 2019, and the average length of a ransomware incident lasts for 15.7 days.
Due to the frequency and duration of ransomware attacks, it is important for employees and management to have protocols in place to handle an attack. If a cybercriminal is holding company data hostage, should the ransom be paid in order to get back to business? As we will outline below, the options are not quite that simple.
Options on the Table
Losing access to organizational data, servers, and networks can be a nightmare, especially when customers rely on an organization for services. But when a ransomware notification appears and the only thing that will get back access is payment—what should be done?
Shockingly, in 2021, an organization will be hit with a ransomware attack every 11 seconds, according to new research. That means that many business leaders will increasingly face the difficult question of whether or not to pay a ransom demand.
Some leaders may opt to take the high road if they feel that dealing with ransomware is essentially doing business with criminals. In essence, the money that an organization pays for a ransom is funding crime. On the other hand, critical infrastructure or people’s lives—in the case of healthcare—may be at stake if the ransom is not paid.
The FBI does not support paying a ransom in response to an attack. Their reasoning, as listed on their website, states that paying a ransom does not guarantee the safe return of your data. They note that in some cases where victims have paid a ransom, decryption keys were never provided by the cybercriminals, and even with a valid key, total recovery may not be feasible due to flaws in the encryption algorithms of certain malware variants.
The U.S. Treasury goes one step further and warns “that individuals or businesses that help facilitate ransomware payments may be violating anti-money laundering and sanctions regulations.”
Paying a ransom encourages perpetrators to target more victims, expecting further success, and may actually influence other cybercriminals to try their hand at ransomware attacks. Even if ransom is paid and files are returned for the time being, cybercriminals now know an organization’s vulnerabilities. Without following proper post-breach best practices, there is little in the way of stopping a second attack.
Paying a ransom should always be the last option. However, all things considered, withholding payment may not always be a practical option, according to the FBI. This is especially true when an organization is unable to function as a result of a cyberattack. An organization that chooses to withhold payment should be prepared to spend additional time and money mitigating the issues caused by the attack.
For example, the city of Baltimore fell victim to a ransomware attack in 2019, and chose not to pay the ransom. Instead, they resisted, focused on forensic analysis and detection of the attack, deployed new systems, constructed new hardware and software, and replaced all hard drives, but in the end, Baltimore incurred a loss greater than $18 million by holding out.
When critical functions are hindered, smaller districts and organizations may not have the choice to wait around to assess the options.
Nevertheless, there are a few questions to ask when considering whether to pay the ransom or not.
These questions include:
- Is the encrypted data critical to immediate organizational function?
- How long can we function without restoration of all systems?
- Who is affected if the organization has to shut down?
- Is it ethical to make a ransom payment?
Regardless of the path taken, the FBI states that any victim of ransomware should contact the local FBI field office to request assistance and to file a report with IC3. By completing this critical step, federal investigators will be provided the necessary information to track down the attackers, hold them legally accountable, and help prevent future attacks.
Defining and Preventing Ransomware Attacks
Ransomware is a type of malicious software that restricts access to computer files, systems, and networks while cybercriminals demand a ransom for their return. According to the FBI, the major consequences of this kind of attack are disruption to operations and the loss of critical information and data.
Computers are most commonly infected by malware when an employee unwittingly downloads this software by opening an email attachment, clicking an ad, or following a link.
Once this step occurs, the malware code is loaded onto the computer behind the scenes. The effects may appear immediately, but often nothing will happen for days or even weeks. It’s only once access to systems is lost, or a message appears demanding a ransom, that organizations realize something has gone wrong. At that point, company systems are locked and all access to data and files is gone.
The interesting thing about ransomware attacks is that the success of an attack depends on the savviness of the user. After all, a cybercriminal may be trying their best to access company systems, but following cybersecurity best practices can ward off even the savviest of hackers.
The first thing all organizations should do to ward off a ransomware attack is to make sure all operating systems, software, and applications are up to date. This includes making sure antivirus and firewalls are updated and that regular scans are run to detect any breaches or system vulnerabilities.
Next, make sure company data is backed up and double-check that those backups completed successfully. Secure your backups and, most importantly, make sure they are maintained separately from the rest of your systems – i.e. they should not be connected to the company’s network. By keeping backups separate from your network, you ensure that if a hacker gets into company systems they will only have access to what is connected.
Lastly, and most importantly, focus on awareness and training. Make sure there is a continuity plan in the event of an attack. Keeping an open dialogue regarding best practices for cybersecurity among staff can make the difference if caught off guard. eRisk Hub, free to all members, offers staff the opportunity to train on virtual ransomware, phishing, and DDoS attack scenarios.
For a full list of considerations, visit IC3.gov.
Ransomware Training
For free ransomware and phishing training, CSD Pool members have access to eRisk Hub, a free cybersecurity service that also includes breach coaches, training videos, and ransomware awareness tools such as self-assessments.
Follow this link for more information on eRisk Hub’s ransomware additions for 2021, and check out our article on starting the conversation on cybersecurity at Board meetings.