By Lee Pitman, Global Head of Response Services, BreachQuest
As we close out 2021, the biggest trend in the security and insurance space has to be the heightened regulatory scrutiny on the payment of ransoms, and the general reduction in the number of ransoms being paid by insurers in a hardening market. It’s interesting that this shift only happened recently in the US. Having worked in the ransom recovery space for a number of years, I have seen only around 20% of companies in Europe pay ransoms, whereas in the US that number was closer to 90% of the time, just 12 months ago. So what changed?
There has been a litany of events this past year that have changed the equation on paying ransoms. At one point there was a sense from US-based companies that they would rather pay the money and get back to doing business. However, the practicality of that approach has shifted dramatically, new laws have been passed and public perception has changed.
Shockingly, you can’t trust criminals
There used to be a myth that acquiring a decryption key would make all problems after a ransomware attack magically disappear. But this has never been true. It should go without saying that you can’t trust criminals, but up until this year that is exactly the approach many businesses have taken.
First off, the keys provided by the threat actors are never 100% effective in recovering all the data. Unsurprisingly, the threat actors are more focused on locking the valuable data away than on being able to unlock it. In my experience, at least some data is always lost. The decryptors provided by the criminals are clunky and cumbersome to use and require more time, energy and money to go through the recovery process.
Secondly, paying a ransom has never guaranteed that a threat actor would not publish stolen data further down the line. Whilst the premise of Ransomware as a Service (RaaS) would suggest it is in the best interests of the threat actor’s business model to comply and support their clients – victims – after a ransom is paid, the very nature of the criminal underworld underpinning these groups is unstable. As such, groups often merge or are acquired, or simply cease their operations, but the data they have stolen will remain and is often disclosed anyway.
Laws are driving change
While there aren’t any major laws in Europe that prevent businesses from paying ransoms, the United States has looked to curtail ransom payments with new regulation. The US Department of the Treasury released an advisory stating that organizations that facilitate ransomware payments to hackers on behalf of ransomware victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, are potentially violating OFAC regulations. The Biden administration has been particularly vocal on the topic since the Colonial Pipeline attack, making it much more difficult for companies to pay threat actors – which is a good thing.
Businesses can do a lot to protect themselves
With the worsening risk-benefit equation and the changing laws, many businesses are now looking at alternatives to paying ransoms, and in most cases there are good alternatives, or at the very least better ones. With the right cyber hygiene, most companies can protect themselves fairly well. While there is no hard and fast solution that will always protect a business, they can certainly mitigate the potential damages by having some sound security principles in place. Having worked in the IR and recovery space for some time, here are some of the top steps companies need to take to protect themselves:
Have a good backup policy. A good policy means that backups are taken often and at regular intervals. Your company should have a recent backup from a week or so ago and a longer-term backup from a month ago. The more backups you have, the more you are protected. It is very common that companies don’t know when they were breached, and their backups don’t do them any good because the backup was taken after the hackers were already in the system. It is also critical to have both online and offline backups. If a company can protect its backups, it is well on its way.
Don’t assume that you are safe after restoring from a backup. Another common mistake is restoring from a backup and not rebuilding the OS to ensure that you can keep the hackers out. They obviously got in once so companies need to ensure that they can’t get in again.
Be insistent with security training, even if it is a little annoying. It is still true that most attacks are successful because an employee clicked on a malicious link or let the hacker in through some kind of social engineering. I know employees often don’t love those training courses, but increasing employee knowledge around the ways hackers will attempt to trick them is an underrated defense mechanism. This is particularly crucial for senior executives, who are often the most targeted employees within an organization.
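The backup advice above has two concrete parts that are easy to get wrong: keeping copies at several ages (not just the latest), and, after an incident, choosing a copy that predates the intrusion rather than the most recent one, which the attacker may already have been inside. The following is an added illustration written for this article, not code from the author or BreachQuest. It assumes a hypothetical Backup record, a grandfather-father-son rotation (newest copy per day, per 7-day window and per calendar month), and a constructed sample of 120 daily snapshots where every seventh copy also exists offline. The intrusion dates and the 30-day dwell-time margin are constructed values for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional

# Hypothetical model of one backup copy; the field names are this example's own.
@dataclass(frozen=True)
class Backup:
    taken: date
    offline: bool        # True if the copy sits on media the production network cannot reach
    label: str = ""


def gfs_keep(backups: Iterable[Backup], today: date,
             daily: int = 7, weekly: int = 4, monthly: int = 3) -> List[Backup]:
    """Grandfather-father-son rotation: keep the newest copy per day for the last
    `daily` days, per 7-day window for the last `weekly` windows, and per calendar
    month for the last `monthly` months. Everything else is eligible for pruning."""
    keep = {}
    newest_first = sorted((b for b in backups if b.taken <= today),
                          key=lambda b: b.taken, reverse=True)
    for b in newest_first:
        age = (today - b.taken).days
        if age < daily:
            keep.setdefault(("day", age), b)
        if age // 7 < weekly:
            keep.setdefault(("week", age // 7), b)      # newest copy in each 7-day window wins
        months_back = (today.year - b.taken.year) * 12 + (today.month - b.taken.month)
        if months_back < monthly:
            keep.setdefault(("month", months_back), b)  # newest copy in each calendar month wins
    return sorted(set(keep.values()), key=lambda b: b.taken, reverse=True)


def clean_restore_point(backups: Iterable[Backup], first_evidence: date,
                        dwell_margin_days: int = 30,
                        require_offline: bool = True) -> Optional[Backup]:
    """Pick the newest copy taken before the attacker was plausibly inside.
    `first_evidence` is the earliest attacker activity actually observed; the real
    entry point is usually earlier, so a dwell-time margin is subtracted from it.
    By default only offline copies qualify, since online ones may have been
    encrypted or tampered with. Returns None if no copy is old enough."""
    cutoff = first_evidence - timedelta(days=dwell_margin_days)
    candidates = [b for b in backups
                  if b.taken < cutoff and (b.offline or not require_offline)]
    return max(candidates, key=lambda b: b.taken) if candidates else None


def data_loss_days(restore_point: Backup, incident_date: date) -> int:
    """How many days of data are lost when rolling back to `restore_point`."""
    return (incident_date - restore_point.taken).days


# Constructed sample: one snapshot per day for 120 days; every 7th copy also offline.
TODAY = date(2021, 11, 15)
SAMPLE_BACKUPS = [
    Backup(TODAY - timedelta(days=d), offline=(d % 7 == 0), label=f"snap-{d:03d}")
    for d in range(120)
]


if __name__ == "__main__":
    kept = gfs_keep(SAMPLE_BACKUPS, TODAY)
    print("rotation keeps", len(kept), "of", len(SAMPLE_BACKUPS), "copies:",
          [b.label for b in kept])
    first_seen = date(2021, 11, 1)      # constructed: earliest attacker activity found in logs
    rp = clean_restore_point(SAMPLE_BACKUPS, first_seen)
    if rp is None:
        print("no offline copy predates the assumed intrusion window")
    else:
        print("restore from", rp.label, rp.taken, "->",
              data_loss_days(rp, TODAY), "days of data lost")
```

The interesting outcome is that the safe restore point is not the newest offline copy but the newest one older than the evidence minus the dwell margin; with a shorter margin or a longer retention the answer changes, which is exactly why the author warns that the breach date is usually unknown. Restoring from that point is still only half the job: the next tip (rebuilding rather than just restoring) applies to whatever system receives the data.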
The decline of ransom payments in 2021 is a positive trend to come out of this year and I suspect we will see the number of payments drop even further in 2022. We have already seen a general tightening of controls around insurers underwriting cyber risks, such as the push to insist their insureds implement MFA if they want coverage. Moreover, the focus has shifted to preparing for and recovering from attacks more organically via restoration, rather than by simply paying a ransom. I am optimistic that this shift in thinking will lead to better security hygiene and a decrease in the lucrative nature of hacking.
About the Author
Lee Pitman is the Global Head of Response Services for BreachQuest, a company revolutionizing incident response, where he is focused on delivering reduced breach costs and maximum recovery speed in IR and Recovery services to clients globally. Lee began his career as an intern in Big 4 Risk Consulting, spending 6 years working at KPMG and EY. He has worked exclusively with the world’s largest conglomerates in a variety of sectors.