Do I Pay the Ransom? Insights from an Incident Responder

When people meet me and I identify myself as a Cyber Incident Responder who has been part of several ransomware extortion cases, everyone asks, “Should I pay the ransom if I am attacked?” I am about to share some insights gathered while working with companies that faced this question in real life. Now, there are some people out there who hold an absolute hard line on this position, and while hard lines are always a good place to start, the reality is that many companies need to step off that first position and find the position that works best for them.

Each company needs to make its own decision in concert with qualified specialized legal counsel. In sharing this information, I hope it helps you determine whether you should pay their ransom if that fateful day arrives. Viewer discretion is advised.

First, you may not even need to pay at all.

Our good friends at CISA and the FBI have developed several tools to decrypt files damaged by many popular threat actors. They are 100% free to acquire and use. CISA has created the ESXiArgs-Recover tool to assist networks whose ESXi infrastructure may have been encrypted.[1] The FBI has created keys for victims of the Blackcat, AlphV, and Sphynx ransomware variants.[2] Obtaining keys from these agencies goes a long way toward removing the need to pay a ransom at all.

Now, the company hard line.

At a recent security conference where I was speaking, I was fortunate enough to be sitting at a table with a group of local liaisons to a government agency that is very involved in ransomware activities. When one of the gentlemen asked me what I was speaking on, I told them the title of my session, which was “ESXi Host Protection 2024, why you can’t ignore this anymore”. The session covered ESXi hosts targeted by ransomware threat actors and how to prepare for and prevent such attacks.

Upon hearing my session title, the gentleman asked me my thoughts on paying the ransom while simultaneously telling me his staunch view. Unsurprisingly, he echoed the agency line that nobody should ever pay the ransom. Paying a ransom is the equivalent of negotiating with terrorists. You should never negotiate with terrorists. It just encourages them to continue. That is a valid point.

I stated that, in my experience, every situation is unique. Then I mentioned that I had recently worked with a company willing to pay its ransom even if it did not receive the decryption keys, which sometimes happens. (Newsflash: criminals are not honest. More on that later.) Puzzled, the gentleman across the table asked why they would do that. My response was simple.

They viewed themselves as carrying a large liability for possibly allowing the ransomware incident to take place in the first place. Therefore, their legal counsel was telling them that since they may not have done everything they should have to protect the data, they now needed to do everything possible, including paying a ransom, to demonstrate (to potential future judges and jurors) that they did everything they could to recover the data. The company was preparing itself for pending litigation due to the cyber incident.

I could tell by the look on his face that he didn’t like the answer, but he nodded and said he understood why someone would do that. Then he immediately pivoted back to his agency’s line. As you can see here, the theory of never paying the ransom has real merit. But when the theory makes first contact with the enemy, companies need to be ready to adjust their stance. In this case, what was best for the government agency wasn’t necessarily the best thing for the business affected. The two can co-exist, and they do. Not paying is a good position to start from, but be ready to pivot if needed.

Can you restore and recover in time?

One factor to consider in whether you’ll pay the ransom is, once you receive the decryption keys (if you even receive them), how long will it take to decrypt your data? Ransomware is designed to encrypt data rapidly for maximum impact. It can take just hours to completely encrypt a medium to large-sized network. Yet decrypting the same data is extremely slow, especially for large data sets (hundreds of gigabytes or more). Therefore, you need to plan accordingly for just how long your restoration will take once you begin.

I witnessed one company days away from financial ruin and closing its doors for good due to the vast amount of encryption that had taken place with ransomware in its environment. The timing of the attack could not have been worse, and that was the point. The ransomware gang had stalked this company internally and knew the business cycle and when the company was most vulnerable. These people were under tremendous pressure to get their systems restored. Therefore, paying the ransom seemed viable, or at least harder to say no to, when all the other options may have led to total failure.

But here’s the catch. Is it really a viable solution? What if this company could not get the data restored within the couple of business days it needed? What if the ransomware actors don’t respond to your request or payment as quickly as you need them to? Threat actors don’t work under Service Level Agreements.

In this scenario, if it will take you a week or more to restore all the necessary data, what’s the point in paying when you exceed your window for restoration? The harm will happen either way, so you might as well not pay. Many people don’t factor the time it takes to restore data or systems into their decision-making process. They should. This might be a reason, albeit a sad one, not to pay. Better yet, if you know that you can restore your systems from backups rapidly, the need to pay the ransom may no longer exist, or may never have existed to begin with.

Should you trust a criminal?

Do I really need to answer this one? Despite working with some smart businessmen and women and helping them navigate some tough waters, I am always surprised when they express shock that, after the ransom is paid, the other side doesn’t completely hold up its end of the deal. Maybe this is because they are looking at it the way they would negotiate a contract for services with AT&T. Now, while the feeling of being held up for ransom and having to deal with poor customer service may be the same in both scenarios, I assure you that they are not the same situation, or at least not yet. Please repeat after me.

CRIMINALS CAN NOT BE TRUSTED

CRIMINALS CAN NOT BE TRUSTED

CRIMINALS CAN NOT BE TRUSTED

The recent takedown of the LockBit ransomware group’s leadership confirms what I have advised many customers about. Just because someone says they will delete your stolen data doesn’t mean they will. The evidence that ransomware gangs provide as proof of deletion is easy to fake. You are taking a thief at their word that they will do what they claim after they just willfully wrecked your business.

Investigators who took down LockBit have found massive amounts of stolen victim data on the servers of the ransomware gangs, even those victims who paid and were given proof of the deletion. The gangs hoarded the data for the next round of extortion or marketplace sale to other threat actor groups. While you are negotiating with them, the threat actors are selling your data to other criminal groups so that they may attempt extortion later.

To make things worse, the ransomware group also sells to others the method by which they initially gained access to your network to steal and encrypt your data. The goal is that someone else will attack your network when they are done, in the hope that the initial access vector was not properly fixed. The ransomware group then has deniability that they were involved in your second or third cyber incident, giving them the appearance of credibility when there never was any.

Not only is this being discovered by law enforcement, but now, sadly, a new wave of victims is emerging: those who paid group #1 but are now being extorted by group #2. All this being said, there has always been evidence of some ransomware groups skipping town with the ransom and not providing the decryption keys, or providing decryption keys that don’t work properly, which is just as bad. As before, the ransomware gang can claim that they held up their end of the deal by giving you working keys when they did not, or falsely advertise their capabilities. There is no honor among thieves.

Insult to Injury

It should surprise no one that the cost of cyber liability insurance and services around ransomware has skyrocketed. Just as your auto insurance rates increase when you open a claim for an accident, your cyber liability insurance will most likely increase dramatically, or you may get dropped completely when the matter is over. Those are business costs that sometimes get overlooked in the heat of battle. You may have paid $25,000 in a one-time ransom, but if your insurance premiums go up $25,000 per year for every year you are in business from now on, is this a wise financial move?

I hate to paint insurance as the bad guy, as insurers provide a much-valued service for businesses today. But at the end of the day, ransom payments are a business decision with wide-reaching implications long after the battle. Costs are still costs. Paying a ransom might cost your business more in the long run than enduring the short-term financial pain today.

Final Advice

I will summarize what you need to know so you can incorporate it into your business calculations when deciding whether to pay the ransom.

1. Check whether your variant of ransomware is one for which CISA or the FBI has decryption tools available before you start any discussions on paying a ransom.

2. You cannot trust the extortion groups regarding their capabilities or commitments. They will lie, and they have. They are criminals.

3. Ransomware/theft negotiations ARE NOT enforceable business contracts. Don’t treat them as such. You can’t sue the attackers for breach of contract when they double-cross you.

4. Don’t get caught up in the emotions. I’ve seen people think this is a scene from a movie and get the adrenaline rush of “talking to the bad guys” or have strong emotions as they feel violated or the pressure of the situation gets to them. It’s human. But adrenaline and emotions skew the rational, analytical conversations that need to take place. Take a breath before moving on.

5. Don’t do this alone. You need to have good, experienced legal counsel advising you along the way.

6. Don’t do this alone. You need a good, experienced Incident Response Team to lead your company’s recovery efforts while you have the business conversation with legal counsel. Remember, these gangs are selling information on how they broke into your systems. You need experienced experts to determine how they did it and provide a path to remediation so that future attacks can be properly fended off. While multitasking during negotiations with Khan may have worked for Captain Kirk in the movie The Wrath of Khan, it is not a good foundation for success, and we’re not Captain Kirk.

7. Companies that prepare for ransomware and breaches fare better than those that do not. Do you know how long it will take to restore your systems? Is that good enough for the business to survive? The best time to handle ransomware is during the preparation stage, when things are calm and you can plan your defenses and response strategies. Engage with an experienced Incident Response team to help you prepare. Your cyber insurance carrier may even have plans or programs to help you at no additional cost. Don’t overlook these policy benefits.

8. Finally, don’t hide from regulators. Some business leaders discuss the pros and cons of not disclosing the breach if they get their data back. It has been my experience that the fact that you were breached will eventually come to light, whether you want it to or not. You won’t be able to hide this forever.

If you become a victim, there is no one-size-fits-all answer for dealing with extortion gangs. Learning what happened to others in similar situations may help you weigh those facts while determining what to do. I never fault a company for doing what is best for it in these situations. What works for one company may not be appropriate for another. If you are a ransomware or data theft victim, the experienced team at SecurIT360 is ready to lend a hand. You can contact us at https://securit360.com/contact. I hope this has been helpful and that we can meet someday under favorable circumstances, when my team’s response services are not needed.

[1] To obtain a copy of the ESXiArgs-Recover tool, visit CISA’s GitHub page at: https://github.com/cisagov/ESXiArgs-Recover.

[2] For the FBI tool, you need to open an IC3 report at: https://www.ic3.gov. In the description, ask for the specific decryptor tool that you need so your request is routed to the right team (Blackcat, AlphV, and Sphynx variants only).