RANSOMWARE: DON’T RUSH TO PAYMENT
According to CrowdStrike’s Global Threat Report 2020 (released March 2020), ransomware remained the most lucrative enterprise for eCrime adversaries, reporting the following trends from the “Big Game Hunters” in the field:
Ransomware victims are not individually targeted but impacted due to widespread vulnerabilities associated with a maximum number of potential victims. With most businesses, the demands usually do not exceed five-figures and can be negotiated downwards. Most ransomware attackers want their demand to be a “nuisance cost” or “budget dust” based upon their knowledge of the impacted business. The victim is then forced to weigh the option of paying the demand versus operational disruptions and economic losses. For entities that do not back up their data, they are often forced to pay the ransom to avoid long-term shutdowns, loss of goodwill, bankruptcy, and lawsuits.
If a victim has cyber insurance, the terms of the policy will determine whether the demand is included in the policy. If ransomware demands are included, the insured gets to make the decision on whether to pay the demand – not the insurance company. If the insured declines the pay the demand, the insurance company should pay the losses caused by the ransomware attack.
The decision to pay a ransomware demand is extremely sensitive and fact-reliant. However, and without passing judgment, victims are encouraged not to jump to payment for the following reasons:
Nothing prevents the cyber criminal from demanding a second, third, or fourth ransom – there is no honor among thieves;
There is no guarantee once payment is delivered, the data will be restored or the attacker will provide you with the encryption key;
Law enforcement agencies (such as the FBI, State Police Cyber Crime Units) may have encryption keys for lower-level attackers and the Cybersecurity Information Sharing Act protects your business from post-investigation regulation if you voluntarily share cyber threat indicators with “Appropriate Entities;”
Ransomware payments fund criminal enterprises such as human trafficking, drug trafficking, and terrorism;
If your IT staff has backed-up data that is off-network, then the demand does not need to be paid and the computers/equipment simply need to be re-imaged and re-configured. This is a mere labor cost;
Because criminals require payment in crypto-currency, there is nothing to prevent the same criminal from hitting your business with ransomware multiple times or recommending your business as an easy payment target to other operators; and
Ransomware payments, collectively, are driving up cybersecurity insurance premiums. A niche insurance market that once held the largest profit margins is now at risk of being federalized due to profitability issues (Example: National Flood Insurance Program).
If your business is the target of a ransomware attack, contact your trusted IT specialist and then your attorney to determine the scope of the damage, ability to mitigate losses, review the insurance policy(ies), and determine if there are any reporting obligations under state and federal law. While the days of busted windows and cash registers will never be gone, they are definitely over-shadowed by punks with laptops looking for bitcoins.