Looking for insights in modern literature to address the challenges facing CISOs might seem far-fetched, but there is some logic to this. Lewis Carroll’s Alice’s Adventures in Wonderland and Through the Looking Glass illustrate the challenges posed by ransomware. While this might seem contradictory on the surface, the options and twisted logic Alice faced are eerily similar to those posed by this pernicious malware.
Yet fight ransomware CISOs must, so be prepared to abandon logic and enter the looking glass that is modern-day cybersecurity.
The good news is that there are ways to tilt those ransomware calculations in the company’s favor so you are less likely to have to pay the ransom. Fighting ransomware in 2019 forces CISOs to embrace quite a few contradictions that are most vexing. Here are some to consider:
• In a logical world, it is only the ransom-demander who is the criminal with the enterprise target merely a victim. But in the contrarian world of ransomware, there is an excellent chance that a company — or a company employee — paying a ransom might be violating federal law by sending money if the attacker is associated with terrorists or is in a country that doesn’t play nice with the U.S. Ultimately, you could be prosecuted for it. If you do not pay, you can lose your data. If you do pay, you might go to jail. Tough choice.
• There is potentially more legal trouble for the ransomware victim: Compliance and breach disclosure issues could be expensive and damage the company image. There could be related costs, such as states that require purchasing identity theft insurance for all impacted consumers. But were the consumers impacted? This raises a question that is difficult to answer: How far can a CISO trust the representations of the attacker? The company’s decision here can have expensive repercussions.
By all indications, an attack merely seemed to encrypt sensitive data. But given that the bad guys needed to first access it to encrypt it, might they have copied the data first so they could double-dip and sell the data on the black market even if the company pays the ransom? If the attacker has not yet done so, does that exfiltration still trigger compliance-related costs and efforts? Are companies required to assume that the attackers did more than they claimed? Will regulators make that assumption? Questions like these can send even the most grizzled CISO down the proverbial rabbit hole looking for answers.
• As is the case when anyone is dealing with a kidnapper who demands a ransom, it seems foolish to trust such a thief. What would stop them from taking your ransom and then opting to renege and not release your data? And yet, ransomware experts say that ransomware in 2019 is a highly professional business and that these ransomware businesses, which will often have customer service and free tech support, can be trusted to do what they say. If they do not, their highly lucrative business model would quickly implode. Is there a CISO or CEO willing to take that chance?
• The official policy of just about every Fortune 1000 company is to never pay a ransom. And yet, just about all of those same companies routinely will pay that ransom when the ROI calculation of fighting versus paying makes it clear that paying is better. That said, the calculation sometimes tells companies to not pay, depending on the situation and the nature of the attack. Was the City of Atlanta correct in saying no to a $51,000 ransom (the exchange rate for six bitcoin at the time of the attack) when experts say the costs to restore the data might well reach an estimated $17 million?
• If the situation is dire enough, CISOs always retain the option of surrendering and simply paying the ransom. And yet, many companies then discover that buying cryptocurrency — the ransom of choice these days — is next-to-impossible to do in volume given the limits the system imposes on cryptocurrency brokers, especially if the company does not have existing relationships with multiple cryptocurrency brokers. Buying a lot of cryptocurrency to hold in reserve for a future ransomware attack also does not work, both because of the potential loss of value due to the dramatic shifts in cryptocurrency exchange rates and because there is no way to know which cryptocurrency will be demanded.
• The limits on how much bitcoin a single broker can sell change from broker to broker, as do the precise procedures. Regardless, it is critical to start establishing those relationships before an attack hits so that your team can get as much of the paperwork wrapped up as possible before you need the virtual currency, experts agree. A second option is to get ransomware insurance and let the insurance company handle all of that paperwork and logistics.
• Senior executives often assert that when the time comes to deal with ransomware, they will be the ones to decide, often in concert with the board. And yet, some ransomware attacks are now designed so that mid-level or entry-level employees can pay on their own — with demands as low as $100 or a few hundred dollars, in cryptocurrency — so the lower-level employee can, in theory, avoid the embarrassment and potential punishment of admitting to management that they clicked on the attachment and caused the problem.
Unraveling the contradictions
A typical first line of defense includes aggressive backups, but attackers plan for that. Attackers often plant malware that goes silent for weeks or more before sending a ransom demand. This is designed to not merely infect backups with the malware, but to make it difficult to determine exactly when the infection began. Also, even if the security team identifies the exact date of infection, it might mean restoring a backup from a month or longer ago, losing considerable critical data.
This is all part of the ransomware return on investment (ROI) strategy. Attackers want the enterprise’s ROI calculation to make it worthwhile to pay the ransom.
The most obvious way to combat this strategy is to separate data backups from executable backups. In theory, this would allow protection of all data, as a database of raw data should not be able to house a malware executable. But homegrown legacy applications, along with legacy apps made by companies that are no longer in business or at least no longer selling that application, make that executable backup essential. This would suggest keeping secure backups of all legacy code on disks that are entirely off-network, ideally with multiple copies in multiple air-conditioned and air-gapped vaults.
Bryan Kissinger is the CISO for Banner Health, an $8.5 billion chain of 28 hospitals along with physician groups, long-term care centers and outpatient surgery centers in six states. Kissinger argues that his security team has done everything it can think of to thwart a ransomware attack.
“We’re preparing ourselves as best as we can,” Kissinger says. “We don’t allow our workforce to have administrative privileges on end-user devices.”
That restriction on administrative privileges is a key part of Banner’s defense strategy. Given that the typical ransomware attack involves attachment malware intended to compromise administrative credentials, “we attempt to head that part off. Our remedy would be to flush the system and reload it from a clean backup.”
Given that Banner performs backups on everything in the network — applications, data and operating system — there is always a risk of the malware infecting the backup so “we try and go back to a good time.” But by sharply limiting who has administrative privileges, Kissinger is hoping an attack would not ever touch any of the backups.
When asked about whether his firm, if indeed caught in a ransomware web, would ever pay ransom, he says he would recommend such a payment in only a few circumstances, such as if the system was “hopelessly locked and if the ransom is lower than our operating costs to repair the damage.”
Kissinger adds that it is hardly practical to have an ironclad policy against ever paying such a ransom. “I think anyone who says flat out ‘no’ is not being realistic.”
But if it ever happened, Kissinger says, his top priority would be identifying how the attacker got in and patching that hole. “We would try and close the threat vector so they can’t just attack again” after the ransom is paid, he says.
The question of whether paying encourages more ransomware is a difficult one to answer, which is why most companies that pay do everything they can to keep the payments secret.
“Broadly, I would advise ‘don’t pay’ because I do think it encourages the problem,” says Sean Tierney, director of cyber intelligence for security consulting firm Infoblox of Santa Clara, Calif. “But (CISOs) have to be aware of what the business reality is and what the impact of not paying will be. This does require the decision-makers to decide in advance what their decision will likely be.”
When an enterprise is trying to craft strategies and policies to counter today’s ransomware threats, it must look closely at its abilities to pay a ransom if it chose to do so. Many companies have tried and quickly discovered that the logistics of paying a large ransom in blockchain currency can be overwhelming if arrangements have not been put in place months earlier, says Mark Rasch, a former federal prosecutor who today serves as a private practice cybersecurity lawyer in Bethesda, Md.
Can I? May I? Should I?
“With ransomware, the first questions a company must address are ‘Can I? May I? Should I?,’” Rasch says.
The “Can I?” part addresses the tricky nature of cryptocurrency. “Do I have access to cryptocurrency — in multiple denominations and multiple types? Anywhere from (a value of) $300 to $3 million?” Rasch asks rhetorically. “If you have a need to deploy cryptocurrency, who in the organization will be responsible for making that decision? And how do you get that information to that person?”
When an attack hits, the extortionist typically gives a very short window for paying, often 24-48 hours. That means that every minute is critical. When some employee receives an extortion demand, does that employee know where to send it? Does that employee’s supervisor know? And what if the designated recipient is on vacation, traveling or otherwise unavailable? Is there a backup assigned to handle it, and is that backup’s contact information widely known among employees? If designated contacts and/or their backups leave the company, is there an immediate trigger for someone to select a replacement? Are such plans routinely rehearsed to find holes?
“Who makes that decision? Is somebody going to own that decision?” Rasch queries. Sometimes staffers have different spending approval limits, so it becomes a question of determining which person has the authority to approve the ransom spend.
The “May I?” part refers to the tricky legal environment surrounding ransomware. There are various regulatory rules — the most prominent coming from a unit in the U.S. Treasury called the Office of Foreign Assets Control (OFAC) — that restrict where money can go (prohibited countries) and to whom it can go (entities on suspected terrorist or terrorism organization lists).
This is where the nature of ransomware makes payments complicated. Communications between the victim company and attacker typically improve after a ransomware attack, which is at least a microdot of a silver lining. “You’re never more secure than you are two weeks after having been attacked. It’s a motivating event, at least temporarily. You’re going to be doing some locking down,” Rasch says. “The idea that paying ransomware invites more ransomware is probably not true. But being vulnerable to ransomware probably does invite more attacks.”
Rasch argues that there really is a professionalism among many of the larger ransomware groups and punishing a paying customer is rarely seen. “In the incidents where I have dealt with ransomware, we haven’t had the experience that they immediately get hit again,” Rasch says, adding that not delivering a paid-for decryption tool is something else that rarely if ever happens.
“They don’t make money if you can’t unlock it,” Rasch says. “They want to be known as a trustworthy thief. They want four stars on www.hostages-r-us.com.”
The final consideration, the “Should I?,” essentially addresses the aforementioned discussion on comparing the ROI of paying the ransom versus not paying it. The CISO calculates what it will cost the company to try and repair the damage itself—factoring in downtime, status of backups, how long ago the system was impacted—versus paying the ransom. It may be galling, but a hard calculation will inform the “Should I?” decision. It also overlaps with the “May I?” factor when it comes to the legality of paying, plus addresses a host of business and ethical considerations unique to each company.
Legal beagles
On other legal matters, there are the compliance issues dealing with states and other rules requiring disclosures, and possibly consumer insurance purchases, when Social Security numbers or other specified personally identifiable information (PII) is stolen. Given that even a forensic examination does not always deliver a complete and definitive picture of what attackers did (especially given the ever-present possibility that the bad guys manipulated security logs to hide their true tracks), it is hard to know if data was stolen (copied and exfiltrated) before it was encrypted.
As with almost everything in compliance, each rule depends on its definitions and phrasing. “One of the triggers is unauthorized access,” says Tatiana Melnik, a Tampa-based attorney who specializes in cyber issues. “At the same time, there is a requirement under HIPAA (Health Insurance Portability and Accountability Act) that requires that integrity of the data remains in place. If someone has encrypted the data, does integrity of the data remain in place?”
The answer is to do everything your company can to determine what happened. “If you can, see what the malicious code was intended to do. If it was merely designed to find information and encrypt it, arguably, it may not be a breach,” Melnik says—and then make that argument to regulators and hope for the best.
Dante Disparte, CEO at the Washington, DC-based security consulting firm Risk Cooperative and a member of the national report entitled Black Market Ecosystem: Estimating the cost of ownership. “If either a nameserver or front-end is blocked or taken offline, a new one is automatically created in its place, allowing the back-end server hosting the criminal customers’ content to remain online.”
Deloitte noted that companies are quite open, on the dark web, at least, about the software suites they sell specifically for ransomware attacks, including whether fees are flat or involve a percentage of ransom acquired.
There is an advantage to the larger ransomware companies being so well known: their tactics are well known too. Companies, such as cyber insurance firms, often can identify the company attacking by looking at the code used. “Is it a variant of some known code? Has it been used before?” Rasch says.
Sometimes, attackers reuse their decryption tools and even decryption keys, which creates the slight possibility that victims can find the decryption items online from a recent victim of the attack rather than from the attacker.
Another concern is the attacker-provided decryption tool: not necessarily whether it will work, but how well it will work.
“In the last three months we’ve seen the Ryuk strain of ransomware become very active. It is the fastest-growing ransomware strain we see,” says Joshua Motta, CEO of San Francisco-based Coalition, a cyber insurance company. “More worrisome is that the ransoms for Ryuk are much larger than other strains of ransomware, totaling between $200K and $700K.”
He adds that “Unlike previous forms of ransomware, including SamSam and Dharma, Ryuk is extraordinarily difficult to remove. It is also very difficult to recover from. Even if you pay the ransom, the decryptor provided by the threat actor doesn’t work well. It does decrypt files, but it frequently fails, making recovery extraordinarily time-consuming for the victim.”
Scott Laliberte, managing director and global leader of cybersecurity and privacy for consulting firm Protiviti of Menlo Park, Calif., argues that ransomware is not going to get worse before it gets better; it will simply continue to get worse.
“My thoughts are that we are going to see escalation in ransomware over the next few years. I think the payload will start moving beyond just denying access to data to other types of actions that could threaten harm. For example, attacking healthcare providers to put patient lives in danger unless ransom is paid, distribution companies’ logistics systems to prevent them from making shipments, chemical plants, threatening catastrophic accidents, etc.,” Laliberte says.
Cybercriminals will “look for ways to monetize their attacks [given that] credit report monitoring and credit card tokenization [is making] identity theft and credit card fraud less profitable. Consequently, I believe [cyberthieves] will be upping the stakes. We need to start preparing now for these types of attacks and expanding our view of risk assessment beyond loss of confidential data.” Laliberte says he expects IoT and mobile will be ransomware’s new focus in the near term.