Table of Contents:
- To pay or not to pay
- Victims at the crossroads
- Considerations and legal challenges of compliance
- The real cost of downtime
- Fact or fiction, common misconceptions about ransomware attacks
– Myth 1: Pay the ransom and get back to business
– Myth 2: The IT engineers can easily decrypt the data
– Myth 3: I have a firewall and antivirus so we are protected
– Myth 4: It only impacts the infected device
– Myth 5: My company doesn’t have any valuable data
- Beyond perimeter defense
In this blog we look at some of the myths around ransomware and how data exfiltration prevention can facilitate compliance and mitigate the risks associated with an attack.
Ransomware is now the biggest cybersecurity concern for organizations and the most profitable type of attack for criminal gangs, so it is unsurprising that it continues to evolve, with attackers using a myriad of new techniques to target devices, industries and individuals. Gone are the days of simply encrypting data until a ransom is paid in exchange for the decryption key. Cybercriminal gangs now favor the double extortion technique: exfiltrating data before encrypting it, then using the stolen copy as leverage to pressure victims into paying extortionate ransoms. Snapshots of sensitive data are often published immediately to demonstrate intent, and if the victim refuses to cooperate more data is leaked and the ransom is doubled or even tripled.
Data exfiltration, the unauthorized transfer of data out of a company's network, has become the weapon of choice for cybercriminals: once the attackers hold a copy of the data, restoring from backups no longer ends the extortion.
Even more disconcerting about this technique is that paying the ransom is just the tip of the iceberg, and it does not solve the underlying problem, namely the security of your organization. The fallout for organizations that find themselves victimized by ransomware extends far beyond the ransom. Recovery and clean-up costs, business disruption, PR costs, and the inevitable reporting and compliance costs associated with data breaches can be crippling to organizations of all sizes.
To pay or not to pay
In October 2020 the US Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory warning that ransom payments to sanctioned entities may violate US sanctions regulations. The advisory applies not only to victims but also to the companies that facilitate payments on their behalf, such as cyber insurers, incident response and "cybersecurity consultant" firms, and financial institutions. OFAC can impose civil penalties on a strict-liability basis, meaning a payer can be penalized even if it did not know the recipient was a sanctioned person. The advisory also encourages victims to report ransomware incidents to law enforcement promptly, and treats a timely, complete report and cooperation as a significant mitigating factor when penalties are assessed.
Victims at the crossroads
Modern ransomware attacks treat data exfiltration as a deliberate stage of the intrusion: once the attackers have a foothold, they locate and copy sensitive files off the victim's devices and network before deploying the encryption payload, so that the stolen data can be held over the victim even if systems are restored from backups. The ransom demand is only the beginning, with financial losses, data breach reporting and potential PR disasters quickly following. Victims often feel they have no choice but to pay before their sensitive company data is published and sold on the Dark Web.
It has now become common practice for attackers to publish all or part of the stolen data on the Dark Web, including hacking forums where it is sold to other cybercriminals. Sensitive data such as full names, email addresses, social security numbers and credit card details can cause lasting damage to the affected individuals' identities. For the company it is also a PR disaster that can lead to class action lawsuits. Recently, the data of over 533 million Facebook users, including full names, email addresses, phone numbers and locations, was leaked online in the first week of April 2021; the data is believed to have been scraped back in 2019.
Considerations and legal challenges of compliance
Refusing to pay a ransom can lead to even higher recovery costs. Large multinational companies with networks of thousands of servers can be crippled trying to restore everything from backups, and many find themselves resorting to pen and paper to manage operations following an attack.
Following a ransomware attack organizations quickly find themselves faced with several legal challenges and a race against the clock to make some very quick assessments and decisions.
- Do they have the in-house capabilities to respond to an attack?
- Will they hire an attorney or legal consultant to negotiate with the hackers and report the incident to state, local or federal law enforcement authorities?
- Should they pay the ransom? If yes, how?
- Can they determine, and prove to regulators, whether any data was exfiltrated in the attack?
- If they decide to pay, how do they account for OFAC's warnings on ransom payments, including checking whether the recipient is a sanctioned entity?
- Will their insurer pay the ransom amount?
- What plan do they have to mitigate the reputational damage?
- What solutions and plans can they implement to ensure they don’t become a victim again?
In today's global economy time is critical. The longer an organization is offline, the higher the disruption costs. Businesses under pressure often resort to paying the ransom in the hope that the cybercriminals will restore their systems as quickly as possible (often they don't). When it comes to compliance, best practice dictates reporting the incident to the authorities and the data regulator as quickly as possible. Not doing so can result in costly penalties if a data breach results from the ransomware attack. Companies that fail to disclose the incident in a timely manner often face larger fines and reputational damage that can take years to repair.