Should I Pay the Ransom? Answering 10 Common Questions About Ransomware

Ransomware, cybercriminals, ransomware as a service, reasons for paying the ransom

Ransomware continues to make headlines, especially as cybercriminals aligned with nation-states continue to perpetrate attacks. According to a 2022 report, attackers fall into two categories: sophisticated groups that continually refine their tactics, techniques, and procedures (TTPs), learn from their mistakes, and build their own teams of highly skilled operators; and Ransomware-as-a-Service (RaaS) operations, which lower the barrier to entry so that inexperienced or less technical criminals can deploy attacks using someone else's tooling in exchange for a share of the proceeds.

In response to increased ransomware attacks, a group of international Ministers and Representatives representing 59 countries released a Joint Statement in October 2021. The statement detailed common priorities and complementary efforts to reduce ransomware risks, including:

● Improving network resilience
● Addressing the abuse of financial mechanisms
● Disrupting the ransomware ecosystem

While these broad plans may reduce the long-term impact of ransomware, businesses still need to address their current risks. Ransomware attack volume nearly doubled in 2021, with 73% of organizations saying that at least one attack targeted them in the preceding 24 months. This number represents a 33% year-over-year increase, indicating that ransomware remains a fundamental business concern.

In this article, we’ll answer some questions about ransomware so that you can make informed decisions and protect your business.

Should I pay the ransom?

As unsatisfying as it may be, the answer to this question is “it depends.” Often, companies need to make difficult decisions, balancing their business needs with legal or regulatory requirements.

Additionally, system outages impact companies and industries differently. For example, a manufacturer may need functioning systems to ensure employee physical safety. Meanwhile, an online business may be able to afford downtime and lost revenue.

Being armed with facts can help you make a more informed decision. The same research that found attack volume nearly doubled also noted the following:

● 80% of companies who paid a ransom were victims of a second attack
● 68% of companies who paid once were hit again in less than a month for a higher ransom
● 54% who paid still reported system issues or corrupted data after decryption

Is paying the ransom illegal?

In September 2021, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) released an advisory listing potential sanctions risks associated with making and facilitating ransomware payments.

OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List) includes groups that deploy ransomware attacks and those that facilitate the payments. U.S. persons, including financial institutions, are generally prohibited from transacting with anyone on the SDN List and are required to block such payments.

The OFAC advisory applies to ransomware victims and any company that engages with them, including:

● Cyber insurers
● Digital forensics and incident response (DFIR) firms
● Payment processors, including depository institutions and money services businesses

Will cyber insurance cover a ransomware payment?

Over the last year, cyber insurers changed their position. Many stopped selling coverage while others increased premiums in response to rising attack numbers. Further, in light of the OFAC advisory and sanctions, many won’t be able to pay a ransom if the ransomware gang responsible for the attack is on the SDN List.

What is a double-extortion ransomware attack?

Ransomware has been around since the late 1980s. However, the traditional attacks only encrypted data so that businesses wouldn’t be able to use it. In response, organizations started implementing more robust data backup strategies.

Cybercriminals evolved their methodologies so that ransomware would remain a viable business model. In a double-extortion attack, cybercriminals first steal sensitive information and then encrypt data to disrupt business operations. They hold the stolen information “ransom,” threatening to leak it unless the company pays. Because the threat no longer depends on the victim lacking backups, restoring from backup alone does not end the attacker’s leverage.

How is a ransomware attack different from other cyberattacks?

As double-extortion attacks become the norm, it’s essential to understand how they differ from other types of cyber attacks.

Typically, cybercriminals deploying ransomware are financially motivated. They steal just enough data to make you nervous, but they don’t want to linger in your systems.

Traditional cyber attacks focus on long-term goals, like stealing customer information for identity theft or gaining access to intellectual property.

Why do companies pay the ransom?

Most companies choose to pay the ransom because they’re worried about reputational and revenue impacts. With news organizations reporting ransomware attacks, companies worry they will lose customer trust and business.

The concerns are well-founded. Research found that 21 out of 40 data breaches resulted in worse stock performance in the six months after a data breach. The data didn’t stop there. After two years, the average stock price underperformed the NASDAQ by 11.9%. When companies pay the ransom, they often seek to mitigate these revenue risks.

How are ransomware and cryptocurrencies linked?

Whether true or not, many cybercriminals believe that cryptocurrency gives them more anonymity, making payments harder to trace. Since many traditional banking systems don’t deal in cryptocurrency, cybercriminals use these payment forms as a way to evade law enforcement. In practice, transactions on public blockchains are pseudonymous rather than anonymous and can be traced; that is how U.S. authorities were able to seize a large portion of the Colonial Pipeline ransom in 2021.

Noting that virtual currency exchanges are critical to the ransomware ecosystem, the U.S. Treasury Department in September 2021 added one cryptocurrency platform, SUEX OTC, s.r.o., to the SDN List because it facilitated ransom payment transactions.

This sanction makes paying a ransom more difficult because any company working with a sanctioned cryptocurrency company faces potential enforcement actions, like fines.

Does a company need to report a ransomware attack to law enforcement?

Whether you need to report the attack or not depends on your industry. No federal law requires all victims to report a ransomware attack to law enforcement. In a heavily regulated industry, like healthcare or financial services, you may be required to report the ransomware attack under data breach notification requirements.

How does a company report a ransomware attack?

Reporting a ransomware attack can help law enforcement disrupt the cybercrime ecosystem. The Federal Bureau of Investigation (FBI) suggests that companies report an attack by:

● Contacting their local FBI field office
● Submitting a tip online
● Filing a report with the FBI’s Internet Crime Complaint Center (IC3)

What prevention and business continuity strategies can help reduce a ransomware attack’s impact?

A robust cybersecurity program focusing on cyber resilience may reduce the impact of a ransomware attack.

Some prevention methods include:

● Anti-virus solutions
● Preventing users from downloading unknown or unauthorized software
● Cyber awareness training focused on phishing risks
● Applying security updates to software and operating systems as soon as possible

Some business continuity strategies include:

● Regularly backing up data
● Verifying backup integrity
● Securing backups

Mitigate Ransomware Risks with Securicon

Although you won’t be able to find a silver bullet to protect you from a ransomware attack, you can mitigate risks and be best postured to protect, detect, respond, and recover from them. Identifying and remediating security weaknesses and having organizational ransomware response playbooks before an attack makes a cybercriminal’s job more difficult. When you architect secure networks and systems, cybercriminals are less likely to move laterally from one system to another. When they can’t steal sensitive data, you thwart their double-extortion goals.

Securicon’s professionals can help you define, deliver, implement, and manage an information security program that mitigates ransomware risks and prepares you to respond when they occur. Our experienced, knowledgeable staff uses architecture designs and security policies based on insights gained in the field – not theory. Acting as a trusted advisor, we help customers cost-effectively manage risk, operating as extensions of their internal cyber-security teams so they can balance information and operational security needs.

Contact us to learn more!

What the Federal Government is Doing to Fight Ransomware in 2022

ransomware

Among the cybersecurity threats that are escalating in 2022, ransomware attacks remain one of the most damaging and impactful to federal agencies and contractors. According to Verizon’s yearly Data Breach Investigations Report (DBIR), this year has seen ransomware incidents increase by 13%, more growth than in the past five years combined.

The cost of ransomware is high, with many cyber actors embracing a double-extortion model that demands payment both to decrypt systems and to withhold stolen data from publication. But cost is far from the biggest concern for the U.S. government. Foreign adversaries, including China, North Korea, and Russia, are increasingly using ransomware against organizations in the West, and sometimes they even work together.

Government Initiatives and New Security Burdens

With all that being said, ransomware is a risk that organizations in the public and private sectors should be worried about: not only is it capable of driving businesses into bankruptcy, but it also represents a national security threat that can cripple critical infrastructure and expose classified information to nation state actors.

Fortunately, 2022 has also brought multiple initiatives across agencies and branches of the U.S government which will help curb the incidence of ransomware and keep businesses safe for years to come. Some will also impose new security burdens which government contractors will have to apply if they want to stay compliant.

In this blog post, we will share five recent developments in legislation and policy while explaining their implications for ransomware and compliance.

1.  New Cyber Reporting Requirements

In the aftermath of a cyber incident or data breach, organizations have an ethical responsibility to inform their customers. Sadly, that doesn’t always happen in a timely manner. When a ransomware attack occurs against critical infrastructure, public safety is at stake, and rapid disclosure is all the more urgent.

In March, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA)¹ was signed into law. Under CIRCIA, covered critical infrastructure entities will be required to report substantial cyber incidents to CISA within 72 hours, and any ransom payments within 24 hours, once CISA’s implementing rule takes effect. While the precise scope of covered entities remains to be determined in that rulemaking, it will likely include sectors like:

      • Critical Manufacturing
      • Financial Services
      • Energy
      • The Defense Industrial Base (DIB)

Ultimately, the new cyber reporting requirements will help law enforcement agencies to gather intelligence on attack patterns, track the activity of advanced persistent threat (APT) groups and respond to cyber emergencies in a timely way.

¹ The official source for CIRCIA is the Consolidated Appropriations Act, 2022 (Division Y); for readers’ convenience, the PDF linked above contains only the portions of the Act which comprise CIRCIA.

2.  The Joint Ransomware Task Force

Within the text of CIRCIA, legislators directed the formation of a ransomware task force, which was formally announced by Cybersecurity and Infrastructure Security Agency (CISA) director Jen Easterly on May 20, 2022.

The task force – which aims to combine cybersecurity initiatives across multiple U.S agencies – will be co-headed by the Federal Bureau of Investigation (FBI), allowing law enforcement to collaborate with CISA more effectively.

Today, government agencies suffer from entrenched barriers to information sharing that hinder cybersecurity efforts. Better collaboration will be a major boon, allowing agencies to share and react to intelligence more quickly while building attack profiles that will help businesses to defend themselves against advanced ransomware strains that evade popular detection methods.

3.  CMMC 2.0 and Updated CMMC Timeline

Following the release of Cybersecurity Maturity Model Certification (CMMC) 2.0, the Department of Defense (DoD) is now working with federal policymakers on an implementation timeline that could see CMMC enforced on DoD contracts by May of 2023.

CMMC 2.0 seeks to protect controlled unclassified information (CUI) by requiring defense contractors to demonstrate cybersecurity compliance before they can be eligible for most Defense contracts. For less sensitive Level 1 contracts, which involve only Federal Contract Information, the DoD will accept an annual self-assessment. Level 2 contracts involving CUI will, for most programs, require a triennial assessment by a certified third-party assessment organization (C3PAO). For the most sensitive Level 3 contracts, organizations will need a government-led assessment.

By enforcing cybersecurity controls proportional to the sensitivity of each contract, CMMC 2.0 will not only encourage better security throughout the DIB – it will also ensure that the most sensitive CUI is only shared with contractors who are ready to defend it against a variety of threats, including ransomware.

4.  Zero-Trust Legislation and Implementation

In 2021, Executive Order 14028, ‘Improving the Nation’s Cybersecurity’, directed federal agencies to adopt zero-trust security models to defend their IT infrastructure. CISA followed with its Zero Trust Maturity Model (ZTMM), and the Office of Management and Budget issued memorandum M-22-09, the federal zero-trust strategy that sets agencies’ targets against that model.

The road ahead is difficult, especially with many federal organizations still relying on outdated, legacy IT architecture. But zero-trust adoption is well underway, and – difficulties notwithstanding – 6 out of 10 federal IT officials believe their agencies will be able to meet the challenge. More than 75% say they already have some form of zero-trust security policy in place.

From the perspective of reducing ransomware attacks, this is good news: zero-trust architecture won’t render organizations invulnerable to cyberattacks, but it will bring about significant transformation by forcing organizations to continually validate user identities, monitor apps, and accelerate modernization.

Most importantly – with zero-trust in place – it won’t be enough for ransomware actors to “get past the door”: they will be faced with multiple barriers to lateral movement and penetration that will halt many in their tracks.

5.  Updates to NIST’s Cybersecurity Framework (CSF)

The National Institute of Standards and Technology (NIST) is updating its Cybersecurity Framework (CSF), a set of standards that has guided cybersecurity efforts in both the public and private sectors since it was first issued in 2014. In February of this year, NIST requested comments for an upcoming update to the CSF, prompting an outpouring of responses from industry experts.

Recently, DoD sources have stated that they want better risk-management guidance in the next version of the CSF, aligning it with another NIST Special Publication, SP 800-30 Rev. 1, ‘Guide for Conducting Risk Assessments’. Aligning the two NIST resources would help organizations that currently follow the CSF to develop a better understanding of risk and of the risk factors that lead to data breaches, ransomware attacks, and more.

Whether NIST implements this advice or not, an update to CSF could not come at a better time – cyber tactics have developed rapidly since the last update was released in 2018, and organizations are in need of guidance. According to the agency, a majority of respondents to its request for comment stated they find CSF to be a “useful model for organizations seeking to identify, assess, address, and manage cybersecurity risk” – it can only remain useful as long as it remains up to date with leading risk sources.

Cyber Expertise to Help You Stay Compliant

Compliance with federal cybersecurity standards and laws is non-negotiable for any business in the federal space, and a very good idea for businesses outside it. But as the cyber landscape changes, protecting revenue and customers demands a steadily rising cybersecurity baseline that can be hard to meet without guidance.

Securicon helps your business to comply with federal and regulatory requirements through program and risk assessments. With a team comprised of veterans from the U.S. security community, including DoD, DHS, and U.S. Cyber Command, we are equipped to provide organizations with gap analysis, compliance consulting, assessment support, and audit preparation. To learn more, contact us today.

When it Comes to Picking Targets, Hackers Don’t Care About Size

hackers, small business cybersecurity

As a small business, it’s easy to think that malicious cyber actors only want to target the largest companies. After all, those are the ones who have the most data and sensitive assets. At the same time, those companies also have the highest security budget, making attacks against them time-consuming and resource-intensive. Meanwhile, attacks against small businesses are not only easier – they can be just as profitable.

In mid-May, Illinois’ Lincoln College announced that it was closing its doors because a ransomware attack from December 2021 exacerbated the financial issues arising from lowered enrollment caused by the pandemic. From a broader perspective, this story is increasingly common: according to a recent report, small businesses are 350% more likely to be targeted by cyber actors than large organizations. Furthermore, 61% of all small-to-medium-sized businesses (SMBs) experienced a cyberattack between 2020 and 2021, according to a Ponemon Institute report.

With the news cycle constantly reporting large cyberattacks against Fortune 500 organizations, SMBs can feel a false sense of security. The reality is that cyber actors are equal opportunists who will take advantage of any organization – no matter its size.

What do Cyber Actors Want?

Most cyber actors have predictable objectives that can fall into a few basic categories. Typically, they’re motivated either by money or politics. Depending on your business’s industry vertical, you present a valuable target under one or both of those categories.

Payout 

The quickest way to profit from a cyberattack is a ransomware payment. All businesses have money, and thanks to Ransomware-as-a-Service (RaaS), cyber actors don’t need to be sophisticated to deploy an attack. With ransomware frequency surging, everyone is threatened.

Personally Identifiable Information (PII)

Cyber actors target PII either as part of a double-extortion ransomware attack or to sell on the dark web. In a traditional ransomware attack, they force victims to pay a ransom in order to decrypt their files; in a double-extortion attack, they also pressure victims to pay an additional fee to avoid having stolen PII made public. In either case, every small business stores PII on its customers, employees, and clients, which makes it an attack target.

Credentials and Access

Attackers will often target one organization in order to access another. Most businesses work with other businesses and vendors and may possess information, credentials, software, or networked connections that cyber actors can use to move between targets. Supply chain attacks such as the SolarWinds compromise exploited the same kind of trust relationship: a trojanized update from one vendor became the path into thousands of that vendor’s customers.

Intellectual Property (IP) and Trade Secrets

Competitors often target IP and trade secrets as a way to get ahead without doing the work themselves. Whether you’re a small business or not, if your IP gives you a competitive edge, competitors abroad, including state-backed ones, will know it, and cyber actors will target you to profit from it in their own country.

Classified Information

Disrupting critical infrastructure and gaining access to classified information is high on the priority list for nation-state actors engaging in espionage and terrorism. Small government contractors may have valuable contract information that falls under a controlled unclassified information (CUI) designation, while cleared organizations may have classified information.

An Easy Target

Many attackers prefer to target small businesses because they lack the resources that larger companies have. Research notes that 47% of businesses with 50 employees or less do not have a dedicated cybersecurity budget. Further, not every business has a dedicated cyber security staff due to the shortage, cost, and high turnover of cybersecurity talent.

Adding to these challenges, many SMBs also struggle with legacy technologies. Purchasing new hardware is expensive, and many companies lack the budget to pay for the newest, most up-to-date IT infrastructure. The move to remote work, coupled with the increased adoption of cloud technologies, complicates things further: remote employees who lack cybersecurity awareness are often vulnerable to phishing attacks.

If you’re looking at it from a cost-benefit analysis, cyber actors need to expend less effort to get as much, if not more, information and money from multiple small businesses than one large organization.

How to Harden Your Small Business

The good news is that even as a small business, there are many ways to insulate yourself against cyberattacks and find cybersecurity experts to help you guard your sensitive assets.

Cyber training

According to Deloitte, more than 90% of all cyberattacks begin with a phishing email. The first step to protecting yourself is providing your employees with cyber awareness training so that they can recognize phishing and social engineering attacks. This will go a long way to protect your organization.

Incident response/Disaster Continuity plan

Alexander Graham Bell once said, “before anything else, preparation is the key to success.” Knowing what you plan to do before an attack occurs will reduce the impact if you experience one. The best form of harm reduction is harm prevention, and that can be achieved through a proactive enterprise security strategy that includes a protocol for incident response.

Protection of Perimeter

Nearly every company has networked Internet of Things (IoT) devices, and many are vulnerable. From printers to sensors, these devices enable work but create new cybersecurity risks. To protect the perimeter, you should:

      • Adopt a zero-trust policy
      • Segment IoT devices onto their own network, with no route to business systems unless a specific flow requires it
      • Disable insecure, unauthenticated, or cleartext management protocols (for example Telnet, FTP, and SNMPv1/v2c) in favor of authenticated, encrypted alternatives
      • Continually update operating systems, software, and firmware

Choose a Cybersecurity Partner

You don’t have to do everything alone. Hiring in-house talent is cost-prohibitive, but with the right outsourced partner you can achieve your security goals and protect your business. Providers like Securicon that offer risk management and compliance solutions prepare your company for the worst while offering continuous support at a more affordable cost than in-house talent.

Conclusion

Small businesses have a lot of things to worry about, and few have the cyber expertise of a large enterprise. This means many are unable to create the robust security program that they need to survive the current risk landscape. But as cyber actors become more advanced, good cybersecurity can mean the difference between survival and bankruptcy. Fortunately, you don’t have to go it alone.

At Securicon, our seasoned cybersecurity experts work to find vulnerabilities in your IT infrastructure, providing solutions and long-term support. Contact us today for a rapid assessment and learn how we can help your business survive in the midst of an evolving threat landscape.

Right-of-Breach Mentality Leads to Cyberattacks on Critical Infrastructure

The dust is still settling from the latest in a series of highly publicized cyberattacks affecting critical infrastructure in the U.S. Two Fridays ago, on May 7, 2021, Colonial Pipeline, the largest refined-products pipeline system in the U.S., experienced a ransomware attack and announced that it was shutting down all 5,500 miles of its main pipeline, running from Houston, TX to Linden, NJ.

The news prompted a fearful response from consumers. Because Colonial Pipeline supplies about 45% of the East Coast’s gasoline, jet fuel and diesel, prices soared above $3.00 a gallon in some places, and gas stations experienced shortages as customers lined up to buy as much as they could. Since then, the pipeline has resumed operations and the cost of gas has slowly gone back down.

In retrospect, things could have been much worse.

According to Colonial Pipeline, the cyberattack affected its business networks rather than the industrial control systems connected to its delivery infrastructure. And thanks to a reserve supply, wholesalers serving retail customers did not report any shortages before the pipeline resumed operation. Even so, this incident serves as a stark reminder of the cyber war that is unfolding all around us and the risk it poses to national security.

Ransomware Attacks on the Rise

In August of 2020, CISA warned of a rise in cyberattacks against critical infrastructure and advised operators to take immediate action. Since then, their predictions have materialized in at least two major security incidents, including the SolarWinds breach in December and the breach of a Florida water treatment facility in February. According to one source, ransomware attacks rose by 62% in 2020, with ransom demands rising 225%.

Why is this happening? For one thing, bad actors are becoming more sophisticated. According to analysts, the Colonial Pipeline attack was an instance of “ransomware-as-a-service”. DarkSide – the Russia-based hacking group who claimed responsibility for the incident – provides its code to lower-level hackers and helps with execution in exchange for a cut of the profit.

But more importantly, organizations are not applying CISA’s recommendations until it is too late. They aren’t taking inventory of their assets, implementing a robust cybersecurity plan or enforcing access rules that would prevent a majority of attacks from succeeding.

Right of Breach Mentality

While the initial access vector of the Colonial Pipeline attack has not yet been disclosed, recent high-profile security breaches have stemmed from notoriously bad cybersecurity practices. For instance, a SolarWinds update server was protected by a weak password (solarwinds123); meanwhile, the Florida water facility’s remote access software was reachable from the internet with a password shared among staff and no second factor.

But this does not prove that organizations are incapable of better cybersecurity practices. According to a study from Ponemon Institute, companies that experience a security breach are 26% less likely to experience another breach in the future. This research supports what we already know: organizations react “right of breach,” waiting for the worst to happen before they act to prevent it.

Until then, they cut corners in dozens of tiny ways that add up to a weak overall cybersecurity posture, from skipping multi-factor authentication to creating loopholes in their own remote access rules. Some assume they are too big and sophisticated to fail, while others assume they are too small to fall under an attacker’s radar. Both are mistaken.

Nobody is Safe

In 2020, 1,600 security breaches were reported to the North Carolina Department of Justice, and most of them were not large enough to make any headlines. During the SolarWinds attack, the trojanized update was downloaded by some 18,000 organizations, including 425 companies on the Fortune 500 list. Victims ranged from federal, state and local governments to critical infrastructure entities and small businesses.

Today, there is a bad actor for every organization, and all are looking for a niche. Some are motivated by geopolitics, and some are in it for the money. Others are simply agents of chaos looking for any opportunity to cause destruction. At the end of the day, every organization will eventually fall victim to a cyberattack: it is not a matter of “if,” but “when.”

These organizations should take the threat of a breach seriously for the good of their customers, shareholders and employees. Federal contractors and critical infrastructure entities have an additional burden: they must do it to protect national security and the American way of life.

Preparing for Ransomware Attacks: CISA’s Advice

Following the Colonial Pipeline breach, CISA has once again issued a warning to critical infrastructure operators in joint advisory AA21-131A, titled ‘DarkSide Ransomware: Best Practices for Preventing Business Disruption from Ransomware Attacks’. In the following paragraphs, we summarize the most important recommendations:

Reducing the Risk of a Breach

Organizations can reduce the likelihood of a successful ransomware attack by applying security controls that protect against common attack vectors.

  • Prepare for phishing attacks – phishing and spearphishing are among the most common ways attackers gain initial access. Train your employees to recognize and report malicious emails, reinforced by simulated phishing exercises; enable strong spam filters to prevent phishing emails from reaching them.
  • Protect against bad connections – block traffic from known bad IP addresses, and protect against malicious entry attempts by restricting remote desktop protocol (RDP) access. Additionally, block traffic from TOR exit nodes and other anonymization services.
  • Prevent unauthorized execution – prevent unauthorized programs from running on organization computers by disabling macros in Microsoft Office files received from the internet and opening them in Protected View; use application allowlisting so only trusted apps and dependencies can run.
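
The second bullet above tells you what to block; the detection pass below shows what to look for in the RDP sessions that still get through. It is an added example written for this page, not code from CISA’s advisory or from Securicon. The Windows-style logon records and the Tor exit-node list it checks against are constructed for illustration; a real deployment would read Security events 4624/4625 from a SIEM and refresh the exit-node list from the Tor Project’s published bulk exit list.

```python
"""Flag remote-desktop logon activity that CISA's guidance says should be
blocked or tightly restricted: RDP sessions from outside the corporate address
space, sources that are Tor exit nodes, and password-guessing bursts.

Added example. The log lines and the exit-node list are constructed; the
field names mimic Windows Security events 4624 (success) and 4625 (failure)."""

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp, event ID, logon type, account, source address.
SAMPLE_LOG = """\
2021-05-08T02:14:07Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2021-05-08T02:14:09Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2021-05-08T02:14:11Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2021-05-08T02:14:13Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2021-05-08T02:14:15Z EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2021-05-08T02:14:20Z EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.45
2021-05-08T03:01:00Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.7
2021-05-08T08:30:12Z EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=10.20.30.40
2021-05-08T08:31:00Z EventID=4624 LogonType=2 TargetUser=jsmith SourceIP=10.20.30.40
"""

# Constructed stand-in for the Tor exit-node list (normally fetched from the
# Tor Project and refreshed on a schedule). 198.51.100.7 is documentation space.
TOR_EXIT_NODES = {"198.51.100.7"}

# Ranges from which RDP is legitimately expected; adjust per site (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LINE_RE = re.compile(
    r"(?P<ts>\S+) EventID=(?P<event>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<src>\S+)"
)

RDP_LOGON_TYPE = "10"   # LogonType 10 = RemoteInteractive (RDP / Terminal Services)
FAILED_LOGON = "4625"
SUCCESS_LOGON = "4624"


def parse(log_text):
    """Yield a dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield rec


def is_internal(ip):
    """True when the source address falls inside the expected internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(log_text, tor_exits=TOR_EXIT_NODES, burst=5, window=timedelta(minutes=2)):
    """Return sorted (source_ip, finding) pairs for suspicious RDP activity.

    burst failed RDP logons from one source inside `window` is treated as
    password guessing; a success from a source with recent failures is the
    finding that should page someone."""
    findings = set()
    failures = defaultdict(list)  # source IP -> timestamps of recent failed RDP logons
    for rec in parse(log_text):
        if rec["ltype"] != RDP_LOGON_TYPE:
            continue  # only RDP sessions are in scope here
        src = rec["src"]
        if src in tor_exits:
            findings.add((src, "rdp-from-tor-exit"))
        if not is_internal(src):
            findings.add((src, "rdp-from-external-address"))
        if rec["event"] == FAILED_LOGON:
            failures[src].append(rec["ts"])
            failures[src] = [t for t in failures[src] if rec["ts"] - t <= window]
            if len(failures[src]) >= burst:
                findings.add((src, "rdp-password-guessing"))
        elif rec["event"] == SUCCESS_LOGON and failures.get(src):
            findings.add((src, "rdp-success-after-failures"))
    return sorted(findings)


if __name__ == "__main__":
    for src, finding in analyze(SAMPLE_LOG):
        print(f"{src:15} {finding}")
```

Blocking RDP at the perimeter, or putting it behind a VPN with multi-factor authentication, remains the primary control; this logic is the compensating detection for whatever sessions are still allowed, and it only works if the 4624/4625 events are actually being forwarded off the host before an attacker can clear them.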

Protecting Business Functions

Should a ransomware attack occur, the following protections and redundancies will ensure that critical business functions can continue.

  • Segment IT/OT networks – regulate communication between operational technology (OT) and information technology (IT); minimize network connectivity to industrial control systems (ICS) and Supervisory Control and Data Acquisition (SCADA) devices.
  • Prepare for manual control – ensure you can switch to manual operation if necessary. Find and disable IT dependencies in the event of a cyberattack; conduct exercises to test manual controls on a regular basis.
  • Conduct regular backups – regularly back up system data and store it separately from the rest of your network. Create backup images of critical systems so they can be rebuilt from scratch if necessary.

Worst Case Scenario

If the worst should come to pass, have an emergency plan to protect the rest of your organization and mitigate damage from attackers.

  • Isolate infected system – immediately identify infected devices, power them down and remove them from your network.
  • Disable devices – power-off and segregate unaffected systems that are on the same network as infected devices. Do not allow them to communicate.
  • Secure your backups – your backups are your last line of defense. Make sure they are offline and secure; scan to ensure they have not been compromised by attackers.
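
“Scan to ensure they have not been compromised” only works if you recorded what the backup looked like when it was good. The script below is an added example, not code from CISA’s advisory or from Securicon, illustrating the backup bullets here (“Conduct regular backups” and “Secure your backups”) and the “Verifying backup integrity” and “Securing backups” strategies in the ransomware FAQ earlier on this page. It hashes every file in a backup set, authenticates the listing with an HMAC so an attacker who can rewrite the backup cannot also rewrite the manifest, and then reports missing, modified, and unexpected files. The directory layout, file names, and key handling in the demo are assumptions constructed for the example.

```python
"""Build an authenticated integrity manifest for a backup set and verify it
later, so a backup that has been corrupted, encrypted, or tampered with is
detected before anyone relies on it for recovery.

Added example. The HMAC key must be stored with the offline/immutable copy of
the backups (assumption), never on the hosts being backed up."""

import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def _sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large backup images fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def _listing(files):
    """Canonical encoding of the file->digest map, so the MAC is reproducible."""
    return json.dumps(files, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(backup_dir, key):
    """Hash every file under backup_dir and sign the listing with HMAC-SHA256."""
    root = Path(backup_dir)
    files = {p.relative_to(root).as_posix(): _sha256_file(p)
             for p in sorted(root.rglob("*")) if p.is_file()}
    return {"files": files, "mac": hmac.new(key, _listing(files), hashlib.sha256).hexdigest()}


def verify_backup(backup_dir, manifest, key):
    """Return a list of problems; an empty list means the backup set matches."""
    expected = hmac.new(key, _listing(manifest["files"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["mac"]):
        # Do not trust any per-file digest from a listing that fails the MAC.
        return ["manifest MAC mismatch: listing was altered or wrong key"]
    root = Path(backup_dir)
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    problems = []
    for rel, digest in manifest["files"].items():
        if rel not in on_disk:
            problems.append(f"missing: {rel}")
        elif _sha256_file(root / rel) != digest:
            problems.append(f"modified: {rel}")
    for rel in sorted(on_disk - manifest["files"].keys()):
        problems.append(f"unexpected: {rel}")
    return problems


def demo():
    """Constructed scenario: a clean backup, then the kind of damage ransomware does."""
    key = os.urandom(32)
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "db").mkdir()
        (root / "db" / "customers.sql").write_bytes(b"-- constructed dump\n" * 100)
        (root / "config.yaml").write_text("retention: 30\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)

        # Simulate tampering: one file encrypted, one deleted, one dropped in.
        (root / "db" / "customers.sql").write_bytes(os.urandom(64))
        (root / "config.yaml").unlink()
        (root / "README.txt").write_text("your files are encrypted\n")
        damaged = verify_backup(root, manifest, key)

        # An attacker who re-hashes the tampered file but lacks the key
        # cannot produce a manifest that verifies.
        forged = {"files": dict(manifest["files"]), "mac": manifest["mac"]}
        forged["files"]["db/customers.sql"] = _sha256_file(root / "db" / "customers.sql")
        forged_result = verify_backup(root, forged, key)
    return clean, damaged, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "forged"), demo()):
        print(label, result or "ok")
```

Run the verification from a host that was not part of the compromised network, against the offline copy, before any restore begins; a manifest that fails its MAC means the listing itself was touched, and nothing in that backup set should be trusted until a known-good copy is found.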

In the hours after a data breach is discovered, an organization’s actions are critical. For more preparation and emergency response strategy, see our blog post: How to Survive a Data Breach: 14 Disaster Response Tips.

Harden Your Organization

While it appears that Colonial Pipeline made several mistakes leading up to the recent ransomware attack, the company did one thing right: it reacted quickly by taking critical systems offline and partnering with a third-party firm to investigate the incident and prevent future attacks.

Moving forward, critical infrastructure operators cannot afford to ignore the threat of ransomware. As cyber actors advance, your organization is a target. With years of ICS expertise trusted by the U.S. security community, including DoD, DHS and U.S. Cyber Command, Securicon can harden you against today’s risks and prepare you for tomorrow’s threats. Contact us to learn more.