To pay or not to pay: In a ransomware attack, this is not always the question
Published by Nick Klein on 15 February 2022
One security research company estimates that 48% of UK organisations were hit by ransomware in 2020. In the US, the FBI’s Internet Crime Complaint Centre received 2,474 ransomware incident reports in 2020, a more than 300% increase from the previous year. Ransom payments by US organisations in 2020 also increased by more than 300%.
This post discusses why victim organisations might wish to open a channel of communication with their attackers for reasons other than paying a ransom. It then outlines principles for staying safe during this engagement.
Every year, my team responds to hundreds of cyber attacks against organisations. We monitor – and skirmish with – cyber criminals every day. And we help organisations respond, repair and rebuild after they’ve been hit by ransomware and cyber extortion attacks.
But this isn’t the most important question, or even the first question, which a victim organisation needs to consider. There are other reasons why we engage with cyber criminals, aside from negotiating a payment. And, depending on what the victim organisation aims to achieve, engagement can start at all stages of an attack – not just at the point of resolution.
In our experience, key objectives of attacker engagement include:
Of course, the word of a criminal should never be the sole basis of an investigation, reporting or security remediation. In CyberCX’s experience, attackers are often inaccurate or incomplete with the information they provide. But information solicited from an attacker can complement evidence recovered by forensic investigators.
There is one final set of reasons for engaging with an attacker:
Again, the word of an attacker can never be completely trusted, even in situations where our experience shows they have a strong track record of being true to it.
While CyberCX does not condone paying cyber criminals, we recognise that, in some situations, victim organisations feel compelled to consider paying a ransom.
Regardless of the reason for engaging with a cyber criminal, there are strategies victim organisations can use to engage with their attacker successfully and safely.
Cyber criminals generally want one thing: to monetise their attacks with minimal effort and conflict. They often apply the ‘it’s just business’ approach to their communication and negotiation. We have found that adopting a similar approach helps organisations achieve the best outcome, whether they choose to pay attackers or not.
Victim organisations will be best supported by a professional services firm with experience both assisting victims and engaging with cyber criminals, and with access to high-quality threat intelligence.
Organisations are often more inclined to pay ransoms in the early stages of an incident when the perceived impact is most dire. Some attackers employ tactics to create pressure on the victim organisation to pay at this stage because they know the more time that passes, the higher the chance the victim organisation chooses alternate paths to resolution.
Cyber intelligence can inform decision-makers about:
While intelligence about a cyber crime group is valuable and should be factored into decision-making, it doesn’t provide certainty. Many of the major cyber crime groups are composed of affiliate members, so even subsequent engagements with the same group can play out in different ways.
If an attacker provides a link to an online chat function on their dark web site, anyone with that link can often see the transcript of the discussion. That person could simply be an employee who found a copy of the ransom note on another system. It is therefore worthwhile asking attackers to move communications to other channels.
Additionally, cyber criminals won’t identify themselves – neither should you. They only need to know they’re dealing with someone who is authorised by the victim organisation to deal with them. Personal safety is important.
While cyber criminals may provide assurances, and some even have strong reputations for keeping their word, they can’t provide absolute certainty regarding their actions. It’s important to remember that you’re dealing with criminals, so there are no guarantees.
The above is an edited extract from the CyberCX Best Practice Guide: Ransomware and Cyber Extortion. The Guide provides practical tools for people at all levels of an organisation to understand and manage the risk posed by ransomware and cyber extortion. The full Guide is available for download here.