Why resilience is key to defying cyber extortion

We can’t judge those companies that pay ransoms — we don’t bear their risks — but we can fight for industry-wide resilience.
9 October 2019

The common currency demanded by ransomware. Source: Shutterstock

We’ve all seen the movie: the steely-eyed police chief or the resolute politician looks at the camera and says, “We don’t negotiate with terrorists.” It makes for great drama when the stakes are high.

However, with ransomware, as with most real-life circumstances, the subject is more nuanced than a steely glance; there is a legal grey area that needs to be filled in. After a slew of successful, high-profile ransomware attacks against cities such as Atlanta, Baltimore and Akron, and even the Georgia Court System, a collection of 225 US mayors agreed that they wouldn’t pay ransoms.

While that’s a great thing, there is a massive responsibility that goes with it. You must become more resilient to ransomware ahead of attacks if this is going to be your policy.

Paying the ransom

What does paying a ransom mean? It means that data will be returned, on the large assumption that criminals will honor a deal. This doesn’t guarantee that operations can resume, but it does mean that healing can begin. If you’re a hospital with patients on the table and surgeons unable to continue surgery, or if you’re a logistics company moving trucks full of perishable goods across the country, recovery is a big deal.

What do you do after you have re-established critical operations? Do you report the incident and, if so, to whom? Do you engage in rebuilding operations as they were before, or do you seek to learn from the incident and start a new, painful journey? After all, as George Horne translated from the original Spanish, “fool me once, shame on you; fool me twice, shame on me.”

It also means that the dark side gets an influx of cash. This is not insignificant, because it proves the business model of the ransomware writers and the criminal networks that they are tied into. It lets them hire more people, make new deals and ramp up operations.

There have been rumblings in policy circles about making paying ransoms illegal, but that’s a massive step that could backfire horribly. In the private sector, ransomware infections trigger a crisis and immediate risk-based decisions. Those organizations prepared for an eventual attack will do better than those caught flat-footed.

The actual job of the officers of a company is to protect shareholders, to protect the data of customers, to do right by the employees, and to follow the company’s mission.

Resilience and policy

Let’s take an extreme example of a hospital that gets hit with ransomware and can’t get to patient data. The executives of that hospital have a decision to make, and their triage starts with saving lives and ends with preventing brand and financial damage. It’s the middle priorities that are more confusing. Which is more important: not enabling a criminal organization or getting fewer life-and-death operations up and running?

This calls for a dialog at all levels: in government, by industry, in corporations, and in IT departments. This dialog must happen ahead of incidents, because this is not what anyone should be figuring out in the heat of a crisis. Moreover, we’re seeing a lot of ransoms being paid, which drives the ecosystem of cyber extortionists.

The goal for defenders must be maintaining resilience and removing fragility. We must make sure that we can survive an attack and continue critical operations. The key capabilities should be to identify ransomware early, to know whether a breach has occurred or not — you can have one without the other — to limit its spread, to recover data from backups, to resume operations, and to prevent re-infection. If we can reduce the recovery time to zero, we won’t need to pay ransoms; we will be able to ignore them.

We aren’t there yet. But we can work on getting closer. We can practice. We can seek to improve all these capabilities incrementally.

Collectively, we can start the debate on public policy and develop private policies and positions at the corporate and local government levels to become more resilient to ransomware. And then we create contingencies, policies, and processes to assess risk and determine whether to pay ransoms while we pursue that resiliency.

Some organizations, like the US mayors in their show of solidarity, will take the strong stance of saying “We do not negotiate with cyber extortionists,” and that’s wonderful.

However, we can’t judge those that don’t make this decision because we don’t sit in their seats and bear their risks. To judge them is arrogant at best and bullying at worst.

We can, however, freely judge them if they make this strong statement and don’t prepare for the day when ransomware blazes through their networks. We can also judge those who ignore the risk, develop no policy, and decide not to be resilient. This is where public policy can help, because ransomware can hit anyone but doesn’t have to hurt anyone.

Best of all, if we do this, the ransomware writers will have no funds and will have to move on to other, hopefully more legitimate, pursuits.

This article was contributed by Sam Curry, Chief Security Officer at Cybereason.