Ransomware: why you should not pay the ransom (and what to do instead)
Thomas Eeles, CSIRT Manager at Orange Cyberdefense, reports on practical experience with ransomware from the front line of our global Incident Response Team:
- The CSIRT team has never seen a paying ransomware victim get all of its data back, and for files larger than 5GB the chance of a successful decryption is essentially 0%.
- The CSIRT team has never seen a "zero-day" used in a ransomware attack. The majority of the criminals are only one level above "script kiddie".
- Stolen data is often kept and then leaked long after an attack, despite payment.
Orange Cyberdefense therefore urges victims not to pay wherever possible: the criminals sell, use or release the data anyway. They focus primarily on keeping their grip on the company, even after any payment; decryption is a low priority for them.
To pay or not to pay, that is the question
Whenever the CSIRT(1) meets with potential new clients, we get asked some variation of the same questions:
- How do we deal with nation-state attacks?
- How many zero-day attacks have we handled?
- How do we handle ransomware?
- Do we have a way of paying attackers?
The last question is the most delicate for me to answer, predominantly because it is a moral issue. I know that I am looking at this from atop my moral high horse; in the real world some of my morals would fly out of the nearest window when faced with the dilemma of paying a ransom or losing a business through data loss. As with any situation, when faced with the possibility of people losing their livelihoods, dubious moral choices can be made. I also understand that a lot of the business my team handles is a direct result of ransomware attacks. It is difficult for me to talk about ransomware and attack groups without acknowledging the fact that we directly profit from the investigation, containment, and remediation of them.
Also, for this blog, I want to put aside the fact that attackers are stealing data and demanding money not to publicly release it.
Orange Cyberdefense's position regarding ransom payment is clear: no one should ever pay that demand, because attackers will sell, use or release the data anyway.
The logic for us is simple: we cannot trust cybercriminals and neither should you. Why should you believe the words of someone who illegally accessed your network, encrypted your data and demanded money to decrypt it, then stole data while threatening to publicly release it to shame your company?
Ransomware is above all an extortion scam and should be handled as such.
Ransomware: a not so risky business
As with any illegal criminal activity, the perpetrators are only in it for the money. If you take that away, you take away the incentive. Unfortunately, for a lot of cybercriminals the risks are small: they have little to no chance of getting caught, and if they do, they have virtually no worry of prosecution.
So, logic dictates that if the money is there, they will carry out the crime. The old cliché “crime doesn’t pay” doesn’t hold any water. Just in the last 12 months, my team has seen a sharp increase in the amount of money that attackers are asking for. Amounts that would have previously seemed extreme are now the norm, with most demands that we see coming in being over £200,000, and sometimes running into the millions.
There are lots of reasons for the increase. In four months of 2021, Orange Cyberdefense's CSIRT has seen three cases of attackers adding this (or similar) to the ransom note: "we have looked at your financial documents and know that you can afford the requested amount", or attackers claiming to have "done vast amounts of research" and targeting the company because they know it can pay large amounts.
In one extreme case, the attackers had what seemed like legitimate bank statements to prove that a company had “deep pockets”.
Attackers have a high chance of making bank, and we know for a fact that a lot (if not all) of the specialist attack groups that the CSIRT tracks have tens, if not hundreds, of attacks on the boil at one time. I'm not the first person to say "ransomware is big business". But it doesn't have to be.
Did you give your attacker five stars?
There is a myth that I have heard a lot: "ransomware groups are like businesses, they want good reviews so will help you if you pay". The theory being that if attack groups didn't restore data, word would get out and no one would pay.
There may be a slight shred of truth in this, but from what I have seen, the attackers have an aggressive disdain for victims and see them as just collateral in the way of payday, and once they have been paid, they offer little or no support.
Even the most sophisticated ransomware and decryption tools can go wrong. This is especially troublesome when dealing with large files like VHDs. They very rarely decrypt in a usable state; a rough rule of thumb is that you will lose any files above 5GB in size even with the decryption tools. I have never seen (in ten years of working in DFIR) a client who has paid a ransom and managed to get 100% of their data back.
Back to the future: what to do before getting there?
The main question remains: “how do we make sure that we don’t end up in the ransom situation in the first place?”
Firstly, a little exercise that I like to run with new clients. Think of an amount that you would be willing to pay to save your business, then halve it and invest that in doing the very basics of IT Security as well as possible. If every business did this then the need for payments would be drastically reduced, as the easy attack surface available to malicious groups shrank away to nearly nothing.
Why the basics? I would say 80% of attackers that we come across are hovering just above the “script kiddie” level.
Even the most organized of ransomware groups use basic off-the-shelf attack tools, exploit poor user and network controls, and go undetected because of poor network visibility and detection.
Things like the CIS Benchmarks, the advice given out by Microsoft, and the NIST Framework are great starting points. Then get any changes tested by a trusted independent penetration testing team, making sure that you follow up on all recommendations and get them retested.
Next, backups! Just having a Veeam server running on the same flat network as every other server isn't good enough. It might save you from hardware failure, but it's a key target for attackers, and while a lot of companies rely on the trusty old tape backup solution, they are less than comforted by the time it takes to recover a whole network from tape. Try this in your next IT team meeting: ask your team how long it will take to recover your entire network from your current backup solution. You should get back a lot of answers, as your company should have recovery plans for a range of scenarios, for example accidental file deletion, hardware failure, system rebuild, and full network recovery. You should be treating your backup sources as your crown jewels or get-out-of-jail-free cards. They should be fully segmented from the main networks and monitored within an inch of their lives. Any attempt to access them should be alerted upon and fully investigated.
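The "alert on any attempt to access the backups" advice above is easy to state and rarely implemented. As an added illustration (not code from the post or from Orange Cyberdefense), the following Python detector runs over a handful of constructed access-log lines from a hypothetical segmented backup host. It assumes a simple key=value log format, one permitted service account and one permitted source address (all hypothetical values), and raises a critical alert for any action that deletes restore points or changes retention, since those are the operations an intruder performs before encrypting.

```python
import re
from dataclasses import dataclass

# Constructed sample log lines (not taken from the post): an access log kept on a
# segmented backup server, one event per line, in a hypothetical key=value format.
SAMPLE_LOG = """\
2021-04-01T02:00:03Z backup01 auth user=svc_backup src=10.50.0.10 result=success
2021-04-01T02:00:05Z backup01 job action=BACKUP_RUN user=svc_backup src=10.50.0.10 result=success
2021-04-01T13:12:44Z backup01 auth user=administrator src=10.1.4.77 result=failure
2021-04-01T13:12:49Z backup01 auth user=administrator src=10.1.4.77 result=success
2021-04-01T13:13:02Z backup01 job action=RETENTION_CHANGED user=administrator src=10.1.4.77 result=success
2021-04-01T13:13:30Z backup01 job action=DELETE_BACKUP user=administrator src=10.1.4.77 result=success
2021-04-02T02:00:03Z backup01 auth user=svc_backup src=10.50.0.10 result=success
"""

# Assumed policy (hypothetical values): the only account and source address that
# should ever touch the backup host once it is segmented from the main network.
ALLOWED_USERS = {"svc_backup"}
ALLOWED_SOURCES = {"10.50.0.10"}  # dedicated backup VLAN / jump host

# Actions that destroy or shorten restore points: always alert, even when the
# account and source are expected, because they should be rare and reviewed.
DESTRUCTIVE_ACTIONS = {"DELETE_BACKUP", "RETENTION_CHANGED"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>auth|job) (?P<kv>.*)$")


@dataclass
class Alert:
    ts: str
    severity: str
    reason: str
    user: str
    src: str


def parse_line(line):
    """Parse one log line into a dict of fields; return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
    fields.update(ts=m.group("ts"), host=m.group("host"), kind=m.group("kind"))
    return fields


def evaluate(event):
    """Return an Alert for an event that violates the policy, or None if it is expected."""
    user, src = event.get("user", "?"), event.get("src", "?")
    action = event.get("action", "")
    if action in DESTRUCTIVE_ACTIONS:
        return Alert(event["ts"], "critical", f"destructive action {action}", user, src)
    if src not in ALLOWED_SOURCES:
        return Alert(event["ts"], "high", "access from unexpected source", user, src)
    if user not in ALLOWED_USERS:
        return Alert(event["ts"], "high", "access by unexpected account", user, src)
    if event["kind"] == "auth" and event.get("result") == "failure":
        # Even the expected account failing to log in is worth a look.
        return Alert(event["ts"], "medium", "failed authentication", user, src)
    return None


def detect(log_text):
    """Run every line of the log through the policy and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        alert = evaluate(event)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} [{a.severity}] {a.reason}: user={a.user} src={a.src}")
```

On the constructed sample the two scheduled service-account logins and the backup run pass silently, the administrator logins from a workstation address raise high-severity alerts, and the retention change and backup deletion raise critical ones. The ordering of the checks matters: destructive actions are tested first so that they are never downgraded to a plain "unexpected source" alert, and the rule set is deliberately an allowlist, since on a properly segmented backup network anything that is not the backup job itself is worth a call to the on-duty analyst.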
These are just the starting points for protecting against ransomware, once you are happy with the basics you can start looking at your detection and response, policy and procedure, and more advanced threat hunting and system hardening.
We hosted a panel discussion with our in-house experts on how to beat ransomware, and we have published a comprehensive guide to tackling the cyber extortion threat. Don't hesitate to delve into them. And of course, reach out to us for advice and help before, during and/or after an attack.
(1) Computer Emergency Response Team.