The recent news about ransomware originating in Russia hitting Colonial Pipeline and meat supplier JBS has driven new interest in this issue in the U.S. media and business community. It also prompted President Biden to declare that the Department of Justice will now place investigating and prosecuting ransomware attacks at the same priority level as terrorism.
That sounds really impressive. However, after being in the cybersecurity and intelligence fields for more than three decades, I can tell you with confidence that little will change.
The administration’s hope is that increased attention on ransomware and its purveyors will drive these criminals to lay low and stop their activity, at least for a time. The reality is that these groups are not scared of law enforcement. While it is likely that U.S. cyber intelligence assets know about the most significant ransomware gangs, this is not like blowing up a factory that’s creating weapons. Even dramatic kinetic military actions, like attacking the host country’s infrastructure, will likely do nothing to significantly reduce the threat.
That’s because ransomware — and most online crime, for that matter — benefits from a resilient ecosystem. Think of it like the automobile industry. There are companies that make cars, which in turn acquire parts from other companies around the world. Automakers and dealers contract for software and professional services to run their businesses. Finished cars go to independent dealerships large and small, which arrange financing to buy cars from manufacturers. The dealerships then provide financing to sell cars to end customers. There are a lot of moving parts.
It’s the same with ransomware.
Would-be criminals don’t have to be technical geniuses to launch a ransomware attack. They can purchase access to ransomware software affordably and anonymously, on an as-a-service basis. They can rent botnets to barrage individuals and companies with phishing messages to try to get their ransomware installed. There are even helpdesks for these services. When a target is compromised, attackers can use hosted websites designed for anonymity to communicate with victims. They then take in money through the magic of Bitcoin, which is a boon for the ransomware business owner. Yes, news that the DOJ recovered a majority of the $4.4 million in cryptocurrency that Colonial Pipeline paid is intriguing, but it appeared to happen only because the criminals were stupid.
And yes, the state of cybersecurity is such that even stupid criminals can steal millions of dollars.
There are countless ransomware infrastructure providers that exist only in “the cloud” with no physical addresses or bank accounts. Even if the U.S. government is successful in taking down a major player, there are more than enough other criminals ready to pick up the slack.
For that reason, CFOs need to consider ransomware prevention a cost of doing business. We’ve discussed how to decide if cybersecurity insurance is a good investment, and the fact is, ransomware is a key purchase driver because a successful attack is expensive even if you don’t pay ransom.
Unless your business, say, supplies fuel to 25% of the country, don’t expect help from the government. At a minimum, you will need to find a qualified cybersecurity provider to help you clean up.
And just because you have backups the ransomware didn’t encrypt doesn’t mean you’re in the clear, because like all savvy businesses, ransomware gangs evolve their models in response to market conditions. Some ransomware is referred to as “extortionware,” for example. These gangs have learned that more companies now back up their data. For that reason, before the ransomware encrypts systems, extortionware makes a copy of all files, from financials to email, customer records to IP. Even if the victim can restore or decrypt its data, the criminals still demand payment or they will release the stolen information on the Internet. This can have a devastating impact on a company.
So even if you can easily recover your information, you may still decide to pay.
Here’s a working checklist for finance teams to help prepare for a ransom or extortion attack.
Your IT team or service provider should already have a response plan. If your team hasn’t seen it, ask for a copy, because odds are it’s missing financial and risk tolerance data, or maybe even making flawed budget assumptions, such as that you can’t afford compensating controls like better training or cloud-based backups.
Finance can also help assign value and sensitivity ratings to various data assets. This information will be invaluable when deciding if paying a ransom demand makes sense.
The FBI has a dedicated ransomware Internet Crime Complaint Center portal for reporting attacks. You may want to consult with counsel before filing a report.
Specialized responders are companies that just swoop in to clean up cyber attacks. If your CIO or IT provider has plans to bring one in, set up any tax or legal paperwork that will be required to launch that service, and to pay the bill, so you’re not scrambling. These companies are in-demand, so any pre-established relationship is to the good. There are also nonprofit organizations that may help. One interesting group, the public/private collaborative No More Ransom project, provides free advice and assistance to companies worldwide.
If a ransom payment is a possibility you want to keep open, also consider purchasing cryptocurrency in advance, when prices dip, rather than scrambling to acquire it under a deadline.
Work with your IT team or provider to review weak points in financial systems, like data stored on local hard drives or in spreadsheets, and consider additional training for finance staff, whom attackers see as high-value targets. Again, there are specialized firms that do both security audits and end-user training. Both are worthwhile investments.
Finally, I should warn you that even if you pay, decryption frequently doesn’t work, and the criminals may still release your data to the world. There are also many experts who believe that if you pay a gang once, they might come back later, or at least tell other criminals that you are willing to fork over ransom.
There is no clear answer that applies to every company. Colonial Pipeline paid $4.4 million and was lucky enough to get some of it back. JBS will neither confirm nor deny whether it paid, but at the time of this writing, it was mostly back up and running. In general, I am not a proponent of paying ransom, because that money funds not just more cyberattacks but potentially also terrorism, drug trafficking and other crimes. Diversification is a thing with these gangs.
That said, I am in the proverbial ivory tower. At least if you’ve laid groundwork, you have some breathing room to make an informed decision about what’s best for your organization.
Ira Winkler, CISSP is CISO for Skyline Technology Solutions and author of “You Can Stop Stupid.” By day, he performs espionage simulations and assists organizations in developing cost-effective security programs. Ira won the Hall of Fame award from the Information Systems Security Association, as well as several other prestigious industry awards. CSO Magazine named Ira a CSO Compass Award winner as The Awareness Crusader.
Ira is also author of “Corporate Espionage,” the bestselling “Through the Eyes of the Enemy,” “Advanced Persistent Security,” “Spies Among Us” and “Zen and the Art of Information Security.” He writes for a variety of industry publications and has been a keynote speaker at most major information security events.
Ira began his career at the National Security Agency and went on to serve as president of the Internet Security Advisors Group, chief security strategist at HP Consulting, and director of technology of the National Computer Security Association. He was also on the graduate and undergraduate faculties of the Johns Hopkins University and the University of Maryland.