Getting real about ransomware [Q&A]
For every high-profile ransomware incident in the headlines, there are many more that never get reported. Particularly among small- and medium-sized businesses, often with small IT and cybersecurity teams, a ransomware attack can be an existential problem.
To understand how companies should respond when they discover they're in the grip of a ransomware threat actor, we spoke with Kurtis Minder, CEO and co-founder of GroupSense, which helps companies navigate through these attacks to get their businesses back online.
BN: What do companies need to understand most about ransomware attacks?
KM: The first thing they need to understand is 'ransomware attack' is a misnomer. It only covers part of the techniques threat actors use to extort enterprises. Yes, infecting companies with ransomware is part of what they do. However, virtually all of the attacks we see today involve threat actors who have been on the victim's network for an extended period of time and stolen their data. Then they'll unleash ransomware to get the victim's attention and establish payment terms. But they now hit their victims with two points of leverage -- first, there's the ransomware itself and the need for the victim to get their operations back online. And then there's the data breach, and the threat to release all of the data if the victim does not pay up. So even if you can defeat the ransomware attack, you still have to address the data breach part of the equation. This becomes a complex situation that is beyond the capabilities of most companies to handle.
BN: What are the biggest mistakes companies make when hit by ransomware?
KM: The biggest mistake is for business executives to shunt it off as a cybersecurity problem, and leave it to the CISO to figure out. A ransomware attack is a corporate crisis and should be treated as such. This means having a crisis response plan and team in place before an attack ever happens. Everyone from the board and CEO, through finance and legal, right down to corporate communications and public relations, should be synchronized with an appropriate response, just as they would with other crises. Even the fundamental question, 'Do we pay ransom or don't we?' is a CEO-level decision, given all of the business ramifications associated with either choice.
BN: Given the demand for your ransomware response services, are most companies choosing to pay the ransom?
KM: I don't know the statistics on that, but I can tell you that companies are under tremendous pressure and often receive divergent advice when they get hit by ransomware. The business pressure is obvious -- the company needs to get back online ASAP. So then the question becomes, 'Can we do that in an acceptable timeframe without paying ransom?' It's a pretty straightforward calculation. The divergent advice is more problematic -- the US government and FBI are telling companies to never pay ransom, but their insurance companies may be telling them to pay it, because it'll be cheaper for everyone than undergoing an expensive remediation effort. And now the government is threatening fines if companies pay a threat actor who's under economic sanctions. This is a simplistic approach to a complex situation -- we'd all like to take the moral high road, but if your company's welfare is at stake, the high road might also be a route to going out of business.
BN: What are the first steps companies should take when they get hit by ransomware?
KM: First, they shouldn't panic -- there is a way out. And that way out starts with verifying the threat actors' claims -- did they really steal your data? There are 'shame sites' on the dark web that ransomware syndicates use to warn companies of an impending release of their data. If a threat actor claims to have stolen your data in addition to installing ransomware, there is a possibility they will post on one of these shame sites. Beyond that, good threat intelligence companies will be able to validate the reputation of the threat actor, and even engage them to ask for proof they have the data. This is why dark web monitoring and threat intelligence are an indispensable part of the resolution process.
BN: Presumably these are not skills most companies would have in house?
KM: That's right -- these are specialized skills. When you're engaged in major litigation, you hire a specialized law firm to represent you. The same dynamic applies here -- companies need help from people who have 'seen this movie before' and can push all the right buttons to validate the threat. Once that's done, then the victim can make an informed decision about how to proceed -- pay ransom, or do self-remediation. It all comes down to risk appetite -- it may even be that a company has the resources to clean up the ransomware situation in an acceptable period of time, and having the data released will not cause significant harm. But to effectively evaluate the overall risk, it's critical to know who you're dealing with. That's where threat intelligence is indispensable.
BN: And if a company decides to pay the ransom, how should they engage the threat actor?
KM: This is an area where a lot of companies fall down, due to what I mentioned earlier -- thinking this is just a cybersecurity issue. This is a corporate crisis -- so you need a good crisis negotiator to engage the threat actor. That person is likely not your CISO, or your CIO, or your CFO or any other executive. If you're being held hostage in a bank by a hardened criminal, do you want the first cop on the scene to lead the negotiations? Or would you prefer that an FBI crisis negotiator take charge? Obviously, it's the latter. It's no different with ransomware -- there are a million ways ransomware negotiations can fly off the tracks. Aside from the 'paying too much' concern everyone has, you might anger the ransomware actor so they do even more damage to your company. These situations need to be handled properly by experienced professionals who can not only negotiate with threat actors, but also validate their threats and that they are living up to their end of the bargain (are they really destroying the stolen data as part of the settlement, or are they lying? Will you really be able to decrypt your data or not?). Most companies do not have experienced crisis negotiators in house, let alone ones that have a handle on the dark web and the company's overall risk exposure. This level of expertise usually can only be found in third-party specialists.
BN: Wrapping up, what else should companies think about when they've been hit by ransomware?
KM: Ransomware attacks are not ending anytime soon because it's easy money for threat actors. So, it's imperative that companies of all sizes take this threat just as seriously as they do other major business risks. It's not enough to just resolve a ransomware/data breach incident; companies also need to communicate with all relevant stakeholders to avoid things like regulatory violations, legal exposure and damage to customer relationships. The best thing any company can do is to identify their outsourced ransomware response expert now, so they know who to call if they are attacked. And, that expert should also be able to help them incorporate ransomware attacks into their corporate crisis response plans. Companies that prepare ahead of time in this manner can dramatically improve the likelihood of having a successful outcome.