Does Your Organization Have a Procedure to Handle a Ransomware Attack? Is It Worth Paying the Attackers?
By Zsolt Baranya, Information Security Auditor, Black Cell Ltd.
The number of ransomware attacks grows from day to day, as many publications and reports note. The ransomware kill chain describes the phases of a ransomware attack, and in each phase the security team can take actions that lower the probability of the attack succeeding. For example, the first phase of the kill chain is the campaign, where the security team can reduce its success with awareness training. The second phase is the infection, where the team can limit the damage by restricting the ways files can be downloaded, and so on.
But if the chain reaches the encryption phase, the preventive actions were not effective. At that point only a few organizations have a playbook for handling the consequences of a ransomware attack. The decision tree below was created to help organizations that lack such a playbook.
Actions to consider after a ransomware attack
First, every affected device and system must be identified and isolated from the network as soon as the attack is detected. Isolating means disconnecting the network (unplug the cable or disable the interface); powering the devices off should be a last resort, because it destroys volatile evidence that later forensic analysis may depend on. This is the most important action before incident handling starts!
1. Check whether the encrypted data is classified. If it is classified as mission critical, the incident handlers must know its recovery time objective (RTO), which tells them how long the organization can operate without the data, and its recovery point objective (RPO), which tells them how old a backup may be and still be acceptable. (The RTO will later have to be compared with the deadline the attackers give for making contact or paying.)
2. Report the security event to the relevant CERT or CSIRT. The response teams may already have information about the specific ransomware family or the attacker that can help.
3. Make sure that your organization has backups of the affected data. If it does, confirm that the backups are intact and were not reachable from the compromised systems, then check the results of the backup restoration tests; if the last test was successful, restoring carries little risk. Before you restore, check the state of the target systems: they may contain backdoors, or the attackers' initial access may still be open, and restoring onto a compromised system only exposes the restored data again. If the organization has no such test, or the last test failed, treat the restoration itself as a risk factor.
4. If your organization has no backup, look for other sources from which the encrypted data could be reconstructed (for example, paper records, or a copy held by another organization). If such a source exists, consider whether the data can be reconstructed within the time limits identified in point 1; if so, this may resolve the incident.
5. If points 3 and 4 did not lead to a result, search the internet and open-source databases (for example, nomoreransom.org). You may find information about the specific ransomware family, or about your system, with recommendations for restoring your files; sometimes these sites publish leaked or recovered decryption keys and free decryptors. To make the search useful, first identify the family from the ransom note, the file extension it appends and a sample encrypted file.
6. If your efforts are unsuccessful after these five points, and the data counts as mission critical, you may consider paying the attackers.
To pay or not to pay: the decision process
- The first thing to consider is whether it is worthwhile for the organization to obtain Bitcoin at all. Even if paying is the last chance to recover the data, it is not automatically worth the time and effort that purchasing Bitcoin takes.
- If the affected data counts as mission critical and the earlier actions were unsuccessful, check whether you have any file in both its encrypted and its original form. If so, you can turn to expert organizations, although success is not guaranteed: such a pair helps identify the family and, for poorly implemented ransomware, occasionally allows the key to be recovered. If not, go to the next step.
- Some cyber security firms specialize in handling cyberattacks. If the organization has received a quote from such a firm and it exceeds the attackers' demand, the head of the organization must decide which is the better option: paying the attackers or paying the experts. (Neither case offers a 100% guarantee that all the encrypted files will be decrypted and returned to the organization.) Ask the firm to state explicitly whether its service consists of paying the ransom on your behalf, so that you are not paying both parties for the same outcome.
- Attackers usually give a deadline for payment of the demand. If the victim organization wants to use the professional services of a cyber security firm, it must weigh that deadline against the firm's estimated recovery time. An expert team may need more than the 24 or 72 hours the attackers commonly allow to restore the original files.
- If the encrypted files are critical and management has decided to pay, consider whether it is worthwhile to inform the media about the attack, so that the attackers learn that the incident has become public. In that case the organization has a better chance of getting what it paid for: it would be extremely bad "marketing" for the attackers if the organization did not get its files back after paying.
- Another option is to engage a negotiator to reduce the amount the attackers demand. This sometimes works, so decision makers should consider it.
These are the important issues to decide when handling the situation after a ransomware attack. In any case, it is necessary to consider what damage a ransomware attack can cause, and incident management should be built and implemented at a cost proportionate to what an attack could cost.
Paying the attackers is not recommended and should in any case be the last option for resolving the incident. Before any payment, legal counsel should also confirm that the payment is lawful at all (paying a sanctioned group or its intermediaries is itself an offence under some regimes, for example US sanctions rules), and note that paying removes no breach-notification duty. This article is not intended to encourage paying attackers; it merely draws attention to the complexity of such an attack and to what is worth considering before an organization acts once a security incident is detected.
About the Author
Zsolt Baranya is an Information Security Auditor and head of compliance at Black Cell Ltd. in Hungary. He previously held information security officer and data protection officer roles at a local governmental organization, and worked as a senior desk officer at the National Directorate General for Disaster Management, Department for Critical Infrastructure Coordination, where he was responsible for the information security compliance of Hungarian critical infrastructure. Zsolt can be reached online at email@example.com and at his company's website https://blackcell.io/