Ransom Demands: What Happens If Victims Pay or Don't Pay?
In Either Ransomware Scenario, Focus on Practicalities, Says Kroll's Alan Brill
If your organization gets hit by ransomware, what should happen next?
Some victims may have working backups that the attackers didn't touch, and they can wipe and restore their systems. Others may explore the possibility of paying the attackers a ransom in exchange for the promise of a decryption tool.
However organizations respond, if they don't have incident response expertise in-house, they need to get it, says Alan Brill, senior managing director in the cyber risk practice at the consultancy Kroll.
"What you want to shoot for is the best solution that you can come up with, and that's going to require some experienced hands," he says in an interview with Information Security Media Group. "There really is a need for practicality. ... It's all about knowing, as opposed to guessing. You want to deal with the facts before you make the decision."
To help make that happen, he notes that more companies are now carrying cyber insurance, which gives them immediate access to incident response tools and specialists that can help them identify the best way forward.
In this interview, Brill also discusses:
- Best practices for responding to ransomware and data exfiltration incidents;
- The importance of using intelligence on ransomware strains and gangs;
- How to work with insurers;
- Dealing with criminals: What are the risks?
Brill is a senior managing director with Kroll's cyber risk practice. As the founder of Kroll's global high-tech investigations practice, he has led engagements that range from large-scale reviews of information security and cyber incidents for multibillion-dollar corporations to criminal investigations of computer intrusions.
Mathew Schwartz: When organizations get hit by ransomware, some will pay their attackers in return for the promise of a decryption key. But what happens when they don't pay?
Hi, I'm Mathew Schwartz with Information Security Media Group, and to help me answer that question, I'm joined by Alan Brill, senior managing director in Kroll's cyber risk practice. Alan, thanks for being here.
Alan Brill: Good to see you, Mat.
Schwartz: We talk about when these organizations pay ransoms, but what happens if they don't pay a ransom? What goes into that? I guess in the ideal scenario you would just wipe and restore, but a lot of organizations don't know if it was a smash and grab or if it was something a little bit more sophisticated and maybe the ransomware was just the final stage.
Brill: The reality is that ransomware has become a very convenient cover, because many organizations discover that something they would have thought about years ago, like backup, is something that didn't really get thought about in a long time. And they maybe said, well, we have backup, it's in the cloud, and so we don't have to worry about it.
But what do you do when you get the ransomware demand and you discover either that you effectively didn't have backup at all or that you had backup but it's also been encrypted?
And you can look to some examples. Baltimore, as I recall, was hit with ransomware - the government. And the original ransom demand was something like between $50,000 and $60,000.
Schwartz: Yes, Baltimore was a 13 bitcoin demand, worth at the time about $75,000, and then there was Atlanta, of course, which was the $51,000 demand, also in bitcoins. But for Baltimore, yes, it was just a little bit higher than that. The important thing, the notable thing, is they didn't pay.
Brill: They didn't pay. They've since spent tens of millions of dollars trying to recover, but basically starting from zero.
And then when you do pay, you have to recognize that this is not like paying a corporate bill. You're dealing with criminals, and you might get a fully functional key. You might get a nonfunctional key. You might get a key that only opens certain files, and they come back for a second payment to get the rest of the files. It might decrypt everything, but what you don't realize is they already have a copy of it, so you have an actual data breach. Or you might never hear from them again; they just took the money and ran.
And I think some intelligence on how you were hit, what family of ransomware and what variant was used can help to give you something of a history of how it's gone if and when people have paid them.
And then you also have to work with your insurer because in some cases they're the ones ultimately paying.
Another aspect of this is that a company's management may see this as a call to arms - that we're going to go and find out who did this, we're going to go for attribution, we want to go in there and we want to steal our data back or we want to encrypt the data that they stole. And that's a very dangerous thing, because what you're doing in trying to get to your data may in itself be a crime in whatever country you're dealing with, and the insurance company is probably not going to be terribly interested in spending a lot of money for an attribution when it's not going to make a world of difference, or in fact a shred of difference.
So there really is a need for practicality.
One of the things that I pointed out in the past, Mat, is that for most companies, when they're dealing with either a traditional data breach or ransomware, it's kind of a new situation for them, and this is not a place where you want to have a lot of "learn by doing." You really want help that does it all the time.
And that's why the insurance companies provide these breach coaches - specialized counsel that have a lot of experience in dealing with it. They bring in people like Kroll, who are on the panels of more than 50 insurers and are pre-approved to provide these services. Because it's all about knowing as opposed to guessing. You want to deal with the facts before you make the decision. And that's what we provide.
We're able to work with in-house and external counsel to give them the best knowledge of what happened, what was involved, whether a particular variant of malware is unique to a criminal group, and what the history is with that group.
And you really have to be the advocate for the truth and for the facts, and then let management, with the appropriate advice, make the decision and implement those decisions. But the big danger is assuming that it was ransomware, thank God the data didn't get out. Well, it may already be out, and you won't know that until you get the next ransom demand, which says, by the way, here's a sample of your data, we have the rest of it, we're going to release it and sell it on the dark web, and by the way, the ransom is now four times as much.
It's crazy that there is this underground that we're dealing with and that we have to understand and live with, because if you don't lock it down, it's very simple: you're still vulnerable. If you lock down what you thought was the issue but you were wrong - it wasn't the issue; they weren't just putting ransomware in your system, but they've been in there for a month examining your system, exfiltrating data and lining up how to do the most damage when they launched the ransomware - you may not even know what happened.
So having someone - whether it's counsel or management - ask the hard questions and get the experienced help turns out to be so important in getting through these situations better. Nobody's going to get through them perfectly. But what you want to shoot for is the best solution that you can come up with, and that's going to require some experienced hands: not trying to just go out and do a Google search for "what do you do when you get hit by ransomware," but having that knowledge base.
And we're seeing that happen more and more, particularly with those companies that have cyber insurance and thus have real access to all of the tools and specialists.
Schwartz: Well, Alan, thank you very much for your time and insights today.
Brill: It's been a pleasure, Mat.
Schwartz: I've been speaking with Alan Brill, senior managing director of Kroll's cyber risk practice. I'm Mathew Schwartz with Information Security Media Group, thanks for joining us.