Ransomware is a worldwide threat. The increasing attacks on ever larger targets have given wings to a new tech sector.
With ransomware-based attacks hitting organizations, businesses and government agencies once every eight minutes at an average payout of $300,000, companies touting ransomware assistance have opened shop on both sides of the law to help victims and perpetrators alike.
Ransomware gangs have offered affiliate programs, technical support for their victims, and rigorous vetting and training of developers for quite some time now. But a growing number of cybersecurity firms have started offering services to mitigate, and even negotiate, on behalf of victims.
Incident response services for companies targeted by cybercriminals are evolving from their more traditional role of attempting to recover data and remove malware to playing the dual roles of hostage negotiator and bagman. Several cybersecurity firms now include ransom negotiation, payment settlement, and assistance with transferring cryptocurrency in their service offerings, although not without controversy.
While paying ransom to hackers is currently not illegal, doing so occupies something of an ethical gray area for many. If the target is a hospital there may be no time to do the right thing. Ransoms are being paid. And while many say it’s not good to negotiate with the bad guys, others point to the reality that some targets simply do not have a choice.
Both the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI strongly discourage paying ransoms to cybercriminals on the grounds that it “may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities.”
Other cybersecurity vendors agree.
“Agreements with cybercriminals are never written in stone – there’s no contract that’s signed. Even if there were, since when have you heard of criminals ever being respectful of legal niceties?” wrote Eugene Kaspersky, CEO of Kaspersky Lab. “The only way out is to not pay up at all – not even once. If you do, you might get a second, third, then fourth demand, because the baddies will come to see you as an easy, steady source of income.”
The anti-payment side argues that organizations should be prepared for attack; that the only solution to the threat of ransomware–or even an actual attack–is to have your data and operating systems backed up and ready to be re-launched with only a few hours of downtime. In a perfect world, that would be sound advice.
Ethical considerations aside, engaging with ransomware gangs either directly or through a proxy company isn’t always effective.
“In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key,” states the FBI on its Internet Crime Complaint Center website.
Many victims of ransomware attacks and incident response specialists take a more pragmatic approach and view enlisting outside agencies for the negotiation and payment of ransom as more of a business decision than an ethical one.
“Although companies should generally seek to avoid paying a ransom, it’s a valid recovery path and should be explored in parallel with other recovery efforts to ensure you’re making the best decision for your organization,” states Forrester’s Guide to Paying Ransomware, which recommends enlisting the aid of ransomware negotiation specialists.
“[A] good reason for using a specialized ransomware negotiator… is that they’re emotionally disconnected from the attack, which lets them maintain a necessary level of professional decorum when interacting with these attackers,” states the guide.
Incident response vendors will also point out that the process of negotiating with ransomware gangs isn’t necessarily a guarantee that a victim will actually need to pay, but is more often a stalling tactic while specialists investigate the full scope of the damage.
“We’ll kick off negotiation, knowing that a very likely outcome is that we actually don’t end up paying,” said Bill Siegel, CEO of Coveware, in an interview with NPR.
Having incident response teams offer payment and negotiation services also helps to consolidate the response to a ransomware attack during a time when victims are often scrambling to restore services.
“Seeking out, vetting and engaging with these professionals during a ransomware incident places additional burden on an already strained enterprise, and is ineffective and inefficient when every second counts and every decision is critical,” states Aon, a professional services firm.
Ultimately, for most organizations, enlisting the aid of a third party to assist with ransomware demands is more of a matter of due diligence being conducted before making a decision to pay. When considering the many uncertainties of a ransomware attack, including non-functioning decryptors, the risk of double or triple extortion, etc., incident response services can help prove that when all other avenues have failed, they’ve at least done everything that could be done.
Update: Booz Allen, a $12 billion government contractor, has begun to offer ransomware facilitation as one of its services.