The question for businesses as to whether or not they should pay ransoms demanded by cybercriminals is certainly not one that can be answered in simple terms. On the one hand, the paying of ransoms as a result of ransomware attacks is clearly funding the very actors that propagated the malicious attack in the first place. On the other hand, recent ransomware attacks have become sophisticated to the point that an affected company may lose critical business data along with backups and be in real danger of going out of business if data is not restored.
This question has now been further complicated by recent news that companies victimized by cybercriminals could face steep fines from the U.S. federal government if the recipients of the ransom payments are already under economic sanctions.
In a recent advisory, the US Treasury’s Office of Foreign Assets Control (OFAC) said: “Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
As enterprise ransomware has become big business for criminals gangs and more and more of a risk for businesses, the US Treasury Department has been seen to impose economic sanctions on some of the cybercriminal gangs that are well known to those of us working in the security industry. These include the Lazarus Group (closely tied to the 2017 WannaCry attacks) and Evil Corp, a Russian cybercriminal syndicate that has used malware to extract more than $100 million from victim businesses in the past few years.
So, by deciding to pay the ransom demanded of you, you could be breaking the law and risking fines, reputational damage and impact in the perceived integrity of the very business that you are attempting to protect. This dynamic may lead to affected businesses, in many cases, avoiding paying ransoms altogether which, on one level is good, right? Well, kind of… but it does beg the question, “what should they do instead?”
If we work on the assumption that no part of a security strategy should include the payment of ransoms, we are left pondering the techniques that should be deployed in order to ensure that the business can withstand and survive aggressive and advanced ransomware attacks.
Here are my “magic 7” initiatives to help a business survive ransomware. The list is certainly not exhaustive but doing all of these things well will improve a business’ chance of survival considerably:
- Deploy secure email gateway technologies
- Deploy world-class endpoint protection products to servers and other endpoint devices
- Run regular user awareness training sessions focused on phishing, malware and ransomware
- Block or protect Remote Desktop Protocol (RDP) network ports
- Ensure that a Business Continuity Plan (BCP) is in place, is known to all stakeholders and is rehearsed regularly
- Ensure backups are performed regularly and are stored both offline and remote from production environments
- Rehearse system lockdown, backup and restoration processes.
Taking ransom payment out of the equation comes at a price. In a world where ransom payments are off of the cards (because they are illegal), investment must be made in technologies and techniques that give a company the best possible chance of survival subsequent to an attack. Businesses should be proactively researching, designing and implementing these and cyber insurers should be asking questions of their clients concerning maturity in these disciplines.
