According to the US Justice Department, more than 4,000 ransomware attacks happen daily, on average, in the US alone. Most of them don’t make the news. Many attacks are quietly paid off, and the businesses who fall victim often keep it under wraps. Cyber-criminals are counting on that, as they want victims to pay up and keep quiet.
Don’t do it. Victims—and potential victims—of ransomware attacks have choices beyond simply paying the ransom and learning an expensive lesson.
We’re going to consider three options and review each one. We’ll start with an option you may not have if you’re in the middle of an attack, but one that you should certainly know about: cyber insurance. Next, we’ll talk about paying the ransom and how to leave a trail for authorities to follow. Finally, we’ll discuss one of the riskier options, rebuilding impacted systems.
Cyber Insurance
Cybercrime-related data breaches increased an astonishing 273% in the first quarter of 2020. That trajectory continued throughout the pandemic-stricken world. Industry verticals under strict regulatory scrutiny likely already have cyber insurance, but many that aren’t under that scrutiny have begun to take notice of it.
Cyber insurance can offset or potentially eliminate financial losses related to cybercrime. This sounds great, but there’s a catch that goes beyond the premiums. In order to qualify for cyber insurance, you’re going to need some best practices in place. Typically, the more mitigating best practices you can prove to the insurer the better your premium will be, and if you have none at all, you will likely be denied coverage regardless of what you’re willing to pay in premiums.
If you’re a target, cyber insurance is eventually going to be an absolute requirement, since your general liability insurance will almost certainly not assist with ransomware. The existence and rise of cyber insurance has made general liability plans even less likely to work with you on ransomware attacks.
If you have cyber insurance, and are weighing your options for answering a ransomware attack, your insurance provider should already be involved. If you don’t have cyber insurance, your priority should be getting back online. Your next priority should be qualifying for and purchasing cyber insurance.
Paying the Ransom
Unfortunately, many victims of ransomware in the past have done exactly what the cybercriminals want. They’ve quietly paid the ransom, learned some lessons about information security, and, in some cases, had front-line employees pay the final price. The price of not paying can be even higher, as companies have even folded after devastating attacks.
The reality is that an attack can be so bad that the only choice to achieve any business continuity at all may be to pay.
Cryptocurrency
Nearly 14 years ago, Bitcoin was presented to the world. Since then, we’ve seen the rise of an entire cryptocurrency and exchange ecosystem—even during a downturn, the cryptocurrency ecosystem boasts total market capitalization of more than $2 trillion USD. There are hundreds if not thousands of crypto assets, all with unique names, attributes, benefits, and detriments. It is almost a guarantee that, due to difficult traceability, a ransomware attacker will be asking for the ransom to be paid in cryptocurrency.
If you aren’t familiar with the crypto ecosystem, the primary thing to consider is what coin or token they’ve asked you to pay with. If you’ve been asked to pay with a privacy coin, like Monero, you’re going to have a more difficult time. Bitcoin or more popular “ALT” coins like Ethereum, or even a meme coin like Dogecoin, are often requested.
The good news is that authorities have been following these markets closely—they know that, while identifying the cybercriminals may still be difficult, every transaction on a public blockchain is completely traceable. A few API calls can reveal the exact path a payment took through and across public blockchains. Each point of transaction is a potential lead for authorities, and they are becoming quite good at recovering ransomware payments made with cryptocurrency.
Because the hackers ultimately want to “wash” the crypto, they go to the far reaches of cyberspace. A person phishing in a chat room, asking for someone to trade them cash for cryptocurrency, may not be trying to steal your identity or your money. They may be a cybercriminal trying to enlist you in laundering a ransomware payment. They may alternatively be a federal agent hunting cybercriminals who are trying to launder ransomware payments.
If you feel stuck paying the ransom, and you’re worried that you’ve been asked to pay with cryptocurrency, make sure there is a clear trail pointing to you as having held the crypto assets. This will help authorities find their trailhead.
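The two points above (that every transaction on a public blockchain can be followed hop by hop, and that the trail authorities follow starts at the victim's own documented payment transaction) can be shown with a small forward-tracing walk. This is an added example, not code from the original article; the ledger below is constructed and made up, and the transaction and address names are placeholders. Real tracing would pull the same three fields (transaction id, inputs, outputs) from a block explorer API, which this example deliberately does not call.

```python
"""Follow a ransom payment forward across a constructed UTXO-style ledger.

Added example (not from the article). LEDGER is made-up sample data: each
transaction spends earlier outputs, referenced as (txid, output_index), and
creates new outputs as (address, amount). In practice these fields come from a
block explorer; here they are embedded so the example runs offline.
"""
from collections import deque

# Constructed ledger. "tx_victim_pay" is the victim's own ransom payment, the
# transaction the victim should keep records of so investigators have a trailhead.
LEDGER = {
    "tx_victim_pay": {
        "inputs": [("tx_exchange_withdrawal", 0)],   # victim's funds, not in this ledger
        "outputs": [("ransom_addr_1", 2.0)],
    },
    "tx_split": {                                     # attacker splits the payment
        "inputs": [("tx_victim_pay", 0)],
        "outputs": [("hop_a", 1.2), ("hop_b", 0.8)],
    },
    "tx_to_exchange": {                               # one branch lands at an exchange
        "inputs": [("tx_split", 0)],
        "outputs": [("exchange_deposit_x", 1.19)],
    },
    "tx_mixer_in": {                                  # other branch is pooled with outside funds
        "inputs": [("tx_split", 1), ("tx_unrelated", 0)],
        "outputs": [("mixer_pool", 3.0)],
    },
    "tx_unrelated": {
        "inputs": [],
        "outputs": [("someone_else", 2.2)],
    },
}


def build_spend_index(ledger):
    """Map each spent output (txid, index) to the txid that spent it."""
    index = {}
    for txid, tx in ledger.items():
        for prev in tx["inputs"]:
            index[prev] = txid
    return index


def trace_forward(ledger, start_txid, max_hops=10):
    """Breadth-first walk from start_txid's outputs to wherever they were spent.

    Returns one lead per output touched: hop count, txid, receiving address,
    amount, the txid that spent it (None if still unspent), and whether that
    spend combined the traced output with inputs from outside the trail, which
    is a common tell that funds are being pooled or laundered.
    """
    spend_index = build_spend_index(ledger)
    leads, seen = [], set()
    queue = deque([(start_txid, 0)])
    while queue:
        txid, hop = queue.popleft()
        if txid in seen or hop > max_hops:
            continue
        seen.add(txid)
        for idx, (address, amount) in enumerate(ledger[txid]["outputs"]):
            spender = spend_index.get((txid, idx))
            co_spent = spender is not None and any(
                prev[0] not in seen for prev in ledger[spender]["inputs"]
            )
            leads.append({
                "hop": hop,
                "txid": txid,
                "address": address,
                "amount": amount,
                "spent_by": spender,
                "co_spent_with_outside_funds": co_spent,
            })
            if spender is not None:
                queue.append((spender, hop + 1))
    return leads


def unspent_endpoints(leads):
    """Addresses where traced funds currently sit: where a request to an
    exchange or a seizure order would be directed."""
    return [lead["address"] for lead in leads if lead["spent_by"] is None]


if __name__ == "__main__":
    trail = trace_forward(LEDGER, "tx_victim_pay")
    for lead in trail:
        print(f"hop {lead['hop']}: {lead['txid']} -> {lead['address']} "
              f"({lead['amount']}), spent by {lead['spent_by']}, "
              f"pooled with outside funds: {lead['co_spent_with_outside_funds']}")
    print("funds currently at:", unspent_endpoints(trail))
```

The walk is only as good as its starting point: if the victim cannot produce the transaction id and address of the payment they made, the first hop is missing and investigators have to reconstruct it from the attacker's side. Keeping that record is what "a clear trail pointing to you as having held the crypto assets" means in practice.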
Rebuild
Another path is to rebuild. In many cases, however, rebuilding will not be an option. Attackers will go after what they know can’t be rebuilt from scratch. They will try to hold the data ransom rather than application platforms.
Best practices that have long existed can reduce the time to rebuild. Mature data governance and data management make restoring and reconnecting to data almost trivial. A secure disaster recovery site that is kept up-to-date and isolated from primary systems can make all the difference.
For more modern applications and for established firms making an innovative leap, public cloud providers do provide another silver lining. Systems built from the ground up for cloud computing tend to be far more portable, and their setup and deployment can often be completed at the push of a button due to concepts like Infrastructure as Code, Database-as-a-Service, and Continuous Integration/Continuous Deployment (CI/CD). If you need to rebuild after a ransomware attack, being in the cloud will make your journey a little shorter.
Still, rebuilding is a risky option. You will eat plenty of downtime. You will lose business and productivity. Ultimately, it may still be more costly than paying the ransom.
If you do choose to rebuild, you should still have authorities involved. You should still look into cyber insurance, and you should still ensure best practices are followed going forward. Lightning can, indeed, strike twice.
You’ve Got Options
We’ve looked at three options for answering ransomware attacks:
- Use cyber insurance
- Pay the ransom
- Rebuild impacted systems
Navigating an attack may see you engaged in all three of these, particularly if you never saw the attack coming and weren’t prepared at all. If you’re reading this, and you haven’t experienced an attack, my recommendation is to include all three as part of your IT governance. Ask yourself, “What would we do if we had to recover from ransomware today?”
Next, review your options given the list above as a starting point. If your only option is to rebuild, and you’re not prepared with DR and/or DevOps/Cloud-borne solutions that can be easily reconstructed, you should consider ramping up your defenses in terms of ransomware response.