To pay or not to pay: how to fight ransomware in 2021

Peter Yapp, our regular contributor on cybersecurity, with some suggestions on how best to tackle the growing menace that is ransomware.

History

Contrary to popular belief, ransomware is not a recent invention. It’s been around for over thirty years – but has never been so damaging to business and society as it is today. The first known ransomware was the AIDS Trojan (also known as PC Cyborg) released in 1989 and written by Dr Joseph L. Popp, a biologist with a PhD from Harvard. 

This first ransomware virus predates e-mail and the public World Wide Web (6 August 1991) and was distributed on floppy disk by post. 20,000 disks were dispatched to 90 countries masquerading as AIDS education software. His motive may have been that he had recently been turned down for a job at the World Health Organisation. 

Popp was eventually arrested by the FBI, extradited to the UK on ten counts of blackmail and criminal damage (no offence under the Computer Misuse Act) and sent for trial under Judge Geoffrey Rivlin in 1991. Popp exhibited very strange behaviour in the run up to the trial, wearing condoms on his nose and a cardboard box on his head. The Judge concluded that Popp was unfit to stand trial. Not an early success.

Today

Unfortunately, there have been far too few successes since and now the use of ransomware is out of control. It is not a victimless crime. You just have to be on the other end of the phone to a CEO who is sobbing uncontrollably because they have lost everything, their data, their business, their livelihood. And no, not everyone has appropriate insurance cover.

In January this year, my former boss, who used to be the CEO of the UK’s National Cyber Security Centre, called for cyber-insurance policies that cover ransom payments to be banned, arguing that such payments fund criminal organisations and only make ransomware attacks more likely. He was trying to prompt serious discussion in an area that has spun out of control. However, I know from the crisis management work we do in the kidnap, ransom and extortion arena, that when people rather than data are involved, this does not work in practice. Total bans and non-concession policies have not worked in the past and have not attracted countries to sign up. 

Back to data ransoms and the British Association of Insurers has publicly defended the practice, arguing that paying the ransom was the cheapest and most effective option for companies. 

Make no mistake, ransomware is a highly lucrative form of cybercrime, second only to Business Email Compromise (BEC). Cybercriminals hack into systems, often exploring the system for weeks before encrypting the data and demanding a ransom to provide the decryption code that will return those systems and data to you. If you don’t pay, they will probably threaten to leak your data or inform the local data protection regulator as well. So apart from the cost of rebuilding your IT systems (and databases) from scratch, you also have the costs of reputational damage.

It’s therefore not surprising that many companies quietly pay the ransom without ever reporting the breach to the authorities.

While nobody is immune to attack, an IBM Security X-Force 2020 survey showed marked trends in the industries most likely to be targeted.  The top target for ransomware attacks is manufacturing companies at nearly 25% with the professional services sector next with 17%. In third place is government organizations with 13% of attacks.  So what can companies do to protect themselves?

Prevention

As ever, the best defence is prevention. We should all concentrate on trying to prevent such attacks from occurring in the first place.

There are a whole range of ways that Ransomware can get into your network, the most common being:

  • Spam / phishing emails (accounting for over 60%)
  • Weak passwords
  • Remote Desktop attacks 
  • Malicious websites or web advertisements
  • Exploiting vulnerabilities on your Network.

Failing to adequately protect against these vulnerabilities is described as poor cyber hygiene. You need to do the fundamentals of cyber security to keep attackers out. Do this by good awareness training so that your users can spot (most) phishing attempts. Ensure strong passwords are used and audit regularly to check this is the case. Scan for vulnerabilities on your network and make sure all software is patched up to date. Use a top 10 rated anti-virus solution.

Although ransomware has evolved into a double level of extortion – once to deny availability and secondly to leak data - a good tested backup regime is essential. Have a recovery system in place so a ransomware infection can’t destroy your data permanently. It is good practice to create three back-up copies (using at least two different backup methods): one to be stored in the cloud (but not in the same area as your data) and the other two offline (or at a different location).

Other good prevention techniques include email scanning, use of firewalls, and following the principle of least privilege (only granting access to data or administrative tools to those who really need them). Also use multifactor authentication on all remote access points into your network and secure or disable remote desktop protocol (RDP) access. Many ransomware attacks have been known to exploit weak RDP access to gain that initial entry point into a network.

Use penetration testing to identify the weak points in your network and vulnerabilities that should be prioritized for patching.

Once you have all the above in place, consider using data encryption in transit and at rest, and cloud-based software which is automatically kept up to date. Implement a strategy to prevent unauthorized data theft, e.g. by flagging the uploading of large amounts of data. At the more sophisticated end of cyber security, consider employing user behaviour analytics to identify potential security incidents. 

What if?

If you discover a rogue or unknown process on your machine, disconnect it immediately from the internet or other network connections (such as Wi-Fi) — to help prevent the infection from spreading (although there may be times when this advice does not apply – such as in the WananCry attack of 2017).

If you are unfortunate enough to be attacked, the following are things you need to consider:

  • Are you covered by insurance?
  • Who can you call in for help with legal and incident response advice?
  • Who are you required to notify?
  • How do you get your data/services back?
  • How do you get the attacker out of your system?
  • What else did the attacker do besides encrypt your data?
  • How do you prevent this from happening again?
  • How do you deal with potential reputational damage?

Prosecution

Why can’t we just equip and train our law enforcement bodies to deal with this cyber epidemic? Unfortunately, we have unintentionally created a monster. The Internet (and computing in general) was not designed with security in mind. Cybercriminals are extorting millions of pounds a year from companies and worldwide have an astonishingly low risk of arrest.

In 2019, the successful prosecution of a single cybercriminal in Nigeria was such a standout that the US Department of Justice issued a triumphant press release. In February 2021, French and Ukrainian prosecutors arrested some low-level associates of a ransomware gang based in the Ukraine who rented the ransomware (as opposed to the more lucrative creation or distribution).

Because of anonymity that the internet provides, it is incredibly difficult to trace and track down the criminals involved. The powerful tools that are so important for privacy and security also act as a barrier to law enforcement efforts. 

The future?

The formation of the UK’s National Cyber Force (NCF) announced in November 2020 provides an opportunity to fight back against these criminals in a different way. I believe that this would be a legitimate use of their resources. In the same way that the army was called into Northern Ireland when the Police forces became overwhelmed, the NCF could be used against the ransomware extorters to disrupt and degrade their efforts. 

A similar proposal was made by Chris Krebs, the former head of the US Cybersecurity and Infrastructure Security Agency, advocating the use of the US Cyber Command and the intelligence services.

The type of operation I envisage has already been undertaken by the US government and Microsoft in 2020, who targeted the “Trickbot botnet” malware infrastructure (used by Russian ransomware gangs), to prevent disruption of the recent US election. The UK and Australia have both publicly admitted to using offensive cyber capabilities. The UK’s GCHQ pioneered the use and development of offensive cyber operations. In 2016 the then Defence Secretary confirmed the UK conducted cyber operations against Daesh and in 2018, Director GCHQ revealed how it had degraded ISIS propaganda networks through cyber operations. The UK was also the first country to offer these cyber capabilities to NATO. The equivalent Australian agency destroyed foreign cybercriminals’ infrastructure as part of a criminal investigation.

Ongoing operations of this type will have an effect on cybercriminals’ ability to operate, especially if directed against the criminals’ servers and the infrastructure they need to turn their cryptocurrency into cash. 

Why just paying up is bad

Faced with the choice of losing your business or paying a ransom, aside from the potential legal problems from the US Treasury*, business owners will often choose to pay up. 

Unfortunately, this has a number of negative consequences. Firstly, it encourages complacency in cybersecurity. This led to one company who were hacked, paid a ransom, but did not even consider investigating how the criminals had got into their system, being hit two weeks later by the same gang using the same entry point. Secondly, it encourages more criminals to jump on this lucrative bandwagon. Thirdly it encourages gangs to invest in the research and development of better cyber-attack tools. 

While using the NCF may disrupt, ultimately there needs to be a sustained effort to build a more robust cybersecurity culture that stands a better chance of keeping ransomware gangs out altogether. 

In October 2020 the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory to alert companies that engage with victims of ransomware attacks of the potential sanctions risks for facilitating ransomware payments.

profile picture of Peter Yapp

Peter Yapp, Cyber Partner at Schillings Peter started his career in investigation and has been involved in computer forensics for nearly three decades. He was a deputy director at the UK’s National Cyber Security Centre and now provides pre and post cyber security incident advice to a range of individuals, companies, boards and operators of essential services. 

Published: 2021-03-30T09:00:00

    Please wait...