Mullen Coughlin, Cybersecurity & Data Privacy

Consider these factors before deciding to pay a ransom after a ransomware attack. Better yet, know where you stand before one hits you.

Until the last few years, conventional wisdom said never to pay the ransom that ransomware criminals demanded, because it only encourages them. Despite those warnings it was rumored that somewhere around 40% of all ransomware victims paid the ransom.

Now it seems, many impacted companies have been paying the ransom and the very few who didn’t probably wish they did. There is evidence that ransomware recovery companies who claim to help recover environments without paying the ransom are often paying the ransom and getting the decryption key in secret.

Who’s paying the ransoms?

I spoke with John Mullen, of Mullen Coughlin, who has been involved with thousands of cybersecurity incident responses in his career. His firm handled over 1,200 privacy matters last year and will handle over 1,500 in 2019.

I asked Mullen if he’s seen that 40% figure go up recently. “It was never 40% or 50%. I don’t know where that number came from. It was always higher. Most companies pay the ransom when faced with the decision to pay or close down. They typically make the payment because they don’t have another valid continuing business option. Pay or it or be out of business for days, weeks or longer.” Mullen adds that no one knows the actual percentage of companies that pay the ransoms, but he has “little doubt” it is rising.

I mentioned that law enforcement presentations frequently recommend not paying the ransom no matter what. “When you speak with individual experienced law enforcement off the record, that is rarely what they say,” says Mullen. Most will admit that its often better for the victim to pay the ransom. The reality is that people are paying because they don’t have another good option.”

One reason people pay, according to Mullen, is that attackers are getting better at maximizing the damage ransomware causes. “Today, the attackers are accessing systems, running reconnaissance, and identifying critical pain points in order to maximize the impact of their attacks,” he says. “These types of attacks make it harder than ever to repair or recover. The percentage of people who pay the ransom is higher now because the bad guys are better.”

Recent studies back up John’s claims. All are showing that most companies spend far more time, money, and resources (one report says that the average company spends 23 times more) recovering from ransomware without the key than if they just paid the ransom from the start.

You might think that the decision on whether to pay the ransom comes down to whether you have a good tested backup, but it’s more than that.

How to determine if you should pay a ransomware demand

Here’s what you should think about before deciding whether to begin ransomware recovery without paying the ransom:

1. Does your company have a ransomware policy?

What is your organization’s policy on paying ransom? If your company has a written, unshakable policy against paying the ransom, then you have your answer. If you know that despite a written policy that senior management is not going to tolerate 23 times more money and resources than paying the ransom and are likely to create an exception if put on the spot, then consider that, too. Many companies have stuck to their non-ransom-paying commitment and had to endure weeks of downtime. It’s one thing to say it and another to live it when operations are down.

2. How bad is the damage?

Did they just get a few critical machines or did they pull the heart out of your operation? Can you prevent further damage? Can you stop the bad guy from getting back in? Do you need to shut down your ingress points, change all passwords, and do a network scrub for malware and malicious network connections? How confident are you that you know the extent of the damage and the reach?

3. How good are your restore capabilities?

Even if you have an awesome backup, have you ever truly done a complete test restore of all the impacted critical assets? How long will it take to restore? How can you be assured the restores don’t contain backdoors that led the bad guys back in? How long will it take you to do the restores and the necessary unit testing? Are all your most recent backups online and also reachable by the criminal?

These days ransomware criminals are whacking all your online tape restores, from the most recent online copies to the supposedly “trusted” offline copies. I’ve heard of ransomware criminals changing the legitimate encryption key that the company is using to encrypt their data during the backup process.
Every company should be encrypting all data backups (again, it’s a compliance requirement of every regulation). The attackers are changing the encryption keys to those backups without the victim’s noticing. The victims go about their normal data backup routines not noticing that the encryption keys have been modified. All the data backups for days to months get encryptedwith the wrong encryption key. Then right before the ransomware attack is kicked off, they change them again. This way, even the long ago, stored offline data backups are unrecoverable.
So, when I ask do you have a good data restore ready to go, I mean you have to check everything.

4. Do you have a business continuity plan in place?

Will your business continuity plan (BCP) handle the ransomware event in case you don’t pay the ransom? If not, that means more downtime and more alternative data processes. How much downtime can your BCP handle or cover? If the estimated downtime exceeds the BCP’s ability to handle it, do you pay the ransom right from the start?

5. Do you have senior management support?

If you do or don’t pay the ransom, do you have senior management and board support for the action? I’ve seen a lot of CISO heads roll because of ransomware attacks. They might love you while everything is running fine, but if you have to tell them that your supposed excellent data backup and restores aren’t that viable and they could be down for days to weeks, will they still have confidence in you? I’ve seen CISO’s fired during the recovery event.

6. Do you have the necessary staff?

Whether you pay the ransom or not, you will need all hands on board to help recover. If you don’t pay the ransom, you wll need just that much more help. Companies like Mullen Coughlin can help provide the needed adjunct staff and expertise, but do you have the money and time?

7. Will paying the ransom do any good?

When you pay the ransom, the ransomware gangs usually give you the keys that unlock your systems and do so consistently. Otherwise, no one would pay the ransom. They are forced to be gentleman criminals.
But there are edge cases where paying the ransom doesn’t work. I have herd of some cases where the payer got the decryption key, but the recovery process did not work or required far more additional recovery actions that it made paying the ransom almost worthless.
If you can, speak to a ransomware expert to find out how the recoveries went of other people who paid the ransom to the same criminal groups. he most knowledgeable ransomware fighters are clued into when paying the ransom works and when it doesn’t. Get an expert opinion on the exact malware program you are dealing with first.

8. Do you have cybersecurity insurance that covers paying the ransom?

If your cybersecurity insurance carrier does cover paying the ransom, who decides? As I’ve covered previously, some cybersecurity insurance policies don’t cover acts caused by social engineering (the most popular type) or offer a very reduced damage payment.
Don’t publicly announce that you’ve got cybersecurity insurance and especially how much you have, like when Baltimore announced it is getting $20 million in cybersecurity insurance. Pubic disclosure is often required for such things – welcome to government life – but if yo can hide that facet, do it. Criminals will only use that as a floor negotiation point. If your cybersecurity insurance policy is online, move t to safe, quickly accessible offline storage. No need to let the bad guys find it before they launch their attack.

Whether to pay a ransom demand is most often a simple business decision. Far too many companies aren’t prepared, and paying the ransom seems to be the easiest and quickest way out for most. Pick your best path.

Tens of thousands of companies, organizations and cities are being savagely taken offline by ransomware. Some targeted entities handle it relatively fine and are down a day or three. Others are down for weeks, and sometimes they are hit again. The difference between a quick recovery and a chronic problem often depends on who you call for help.

I talked to one of the best in the game recently. John F. Mullen, partner with Mullen Coughlin, LLC, has been involved with thousands of cybersecurity incident responses in his career. His firm was involved in 1200 just last year.

You probably never heard of Mullen Coughlin. I didn’t before I spoke with a city CISO friend of mine. When he called the phone number his cyber insurance company gave him to pre-establish a relationship for security responses, he ended up speaking with John.

If you have a cybersecurity incident and have purchased cyber insurance, your insurance company doesn’t have the professional folks to handle your technical cybersecurity incident response, no more than the insurance company would patch the fiberglass of a boat after a hurricane claim. Insurance companies do insurance and underwriting. When a claim is made and the damage has to be fixed, they sub it out.

Why use a specialized incident response firm

John sees three reasons why an organization should use a firm like Mullen Coughlin after an attack. First, they have experience. Entities calling Mullen are often already working the incident response but using local IT firms they know. That’s OK, but those local firms usually don’t have equivalent experience of the forensic teams available to Mullen Coughlin. As John put it, “It’s all we do.” Plus, sometimes the reason the customer was compromised was because of something the local IT service did, like a missed patch or bad configuration setting.

Second, John’s team are all lawyers. Anything they discuss and do on behalf of the customer is privileged. That’s legalese for “anything we discuss will likely not be shared with anyone else.” Everybody John hires comes under the privileged communication umbrella. Local IT firms can’t give you that.

Third, and most important, firms like John’s and the insurance carriers have already vetted all the necessary forensic, PR and mass mailing/ID protection service providers needed to cover a customer’s situation.

Call ahead and do annual security reviews

John recommends that that if you have the opportunity, call the incident response firm your cyber insurance works with before an attack occurs. He said that maybe 1% of his customers call ahead of time to meet his team and find out how the process is going to work. He welcomes these customer calls because they allow him to establish trust and share how the process will work. This saves precious minutes when that emergency call happens. So, call ahead of time.

John also recommends that every organization purchase cyber insurance and have an outside security review performed at least annually. He also suggests using an IT firm to conduct the review that is not the same as the one currently providing regular services. Make sure to change which outside firm you use every year. Different firms find different things, he says, and you want a unique, independent perspective each time you do it.

How ransomware is changing

John says ransomware attacks have changed over the years. Just a couple of years ago, ransomware typically activated as soon as it entered an organization and encrypted the desktop it was on. Now the attacker is far more likely to be inside of an organization for multiple days or weeks, figuring out how to maximize their access to the penetrated system. He says you can’t automatically trust your offline backups, because the ransomware guys are working to block even that avenue of safety.

I asked if social engineering was involved in the majority of cases of ransomware. John says that social engineering was likely involved in half or over half of the cases, especially if you include third-party service providers that are compromised to reach the ultimate victim. Misconfiguration and unpatched software also frequently played a role.

Some research claims that paying a ransom demand does not result in getting a working decryptor key up to 40% of the time. John says his experience is different. “Ninety-five percent of the time, when the customer pays the ransom it results in less recovery work and downtime than if they didn’t pay it.”

If you ever need to call a firm like John’s, he offers one piece of advice to make things go smoother: “Make sure the people calling my firm have the necessary authority to make decisions. You can’t imagine how many times we come up with a plan of action only to have to wait again while the right decision makers are contacted, and I have to say everything again to get a decision.” Making sure the person calling has the necessary authority can only make everything happen faster.

“Cyber Claims”, Cyber Security Tabletop Presentation, Live Presenter, Pittsfield, MA, April 6, 2019