Ransomware attack: pay or not pay?


The worst-case scenario: ransomware spreads successfully through a company and encrypts data on PCs and drives. Then a ransom demand appears on the screen. How should a company decide what to do after a ransomware attack? Security experts give advice. Comments from Kaspersky, G Data, Sophos, Trend Micro, Bitdefender, AV-TEST, Bitglass, Digital Guardian, ForeNova, Radar Cyber Security, Barracuda Networks.

It usually takes only seconds: a file is opened, sometimes a script is executed, the ransomware runs and immediately starts spreading through the corporate network. Many companies now have an emergency plan for this worst-case scenario that sets out the appropriate steps and limits the damage. Such plans typically make no provision for paying a ransom, which is a good thing.

However, many companies believe they are well prepared for a ransomware attack when in reality they are not, because existing security systems are often overestimated or cannot be properly evaluated with in-house know-how. This problem affects not only small and medium-sized companies but also large ones, as the well-known ransomware attacks of recent years show. In May 2017 the whole of Germany could witness such an attack, when the WannaCry ransom note was displayed on almost every newer Deutsche Bahn departure board. We list the best-known attacks later in this article.

Most attacks, of course, draw far less attention. But thanks to the GDPR and the obligation to report an attack in which data has probably leaked, such reports are now almost a daily occurrence.

Ransomware: Zero Hour

Whether well or poorly prepared: every company is a target of ransomware attacks and can become a victim. After a successful attack, companies keep asking themselves the same questions: What can we do now? Should we pay? At the latest when managers and finance staff sit at the table alongside the security experts, the question of paying the ransom becomes an economic decision. This is what happened, for example, in the attack on the US pipeline operator Colonial Pipeline in May of this year. Many of the pipeline's control systems were encrypted and had to be shut down. The official statement: the damage to the systems could not be assessed, so it was impossible to say with certainty when the pipeline could be brought back into operation. With this reasoning, Colonial Pipeline paid the ransom of $4.4 million in Bitcoin. The next shock came immediately: the decryption tool supplied by the extortionists only partially repaired the damage. As a result, the company could only restart the pipeline in emergency mode and at reduced capacity, and further costs for repairing the control systems were still pending.

To pay or not to pay?

As in the case of Colonial Pipeline, many ransomware-hit companies quietly choose to pay the ransom, believing it to be the lesser of two evils. Bold number-crunchers in companies often calculate with a sharp pencil the damage incurred when certain data is lost, has to be re-entered or parts of the current business cannot be processed, and then set the ransom against that sum. Some companies, which shall remain unnamed, have already learned painfully that such calculations are mostly nonsense: their bill forgot that they were paying to recover a compromised system, and shortly afterwards they discovered that the attackers still had full access. A rebuild and restructuring of the entire corporate network was unavoidable.

Those responsible for the Irish health service HSE showed that there is another way. After the severe attack in May of this year, important data was encrypted and the country's hospitals had to cancel numerous treatment appointments; even an electronic prescription system for pharmacies was affected. HSE shut down the systems and immediately set about restoring the systems and the data. It was made public straight away that HSE would not pay any ransom to the extortionists but would instead spend the money on restoring and rebuilding the systems. Experts also say that this decision makes another ransomware attack much less likely: attackers primarily choose targets that are known or suspected to pay.

Political call for a zero-ransom strategy

In the meantime, the ransomware problem has also reached politics. It has been understood that every dollar, euro or bitcoin paid finances new attacks: paying increases the number of ransomware attacks and leads into an ever-tightening spiral. That is why politicians are demanding that this must end. US President Biden recently took a first step towards a zero-ransom strategy: ransomware attacks are now to be investigated with the same priority as terrorism. This upgrading of the crime gives investigators greater access to national security resources within the United States. In the case of Colonial Pipeline, for example, the FBI and other US agencies intervened and traced the Bitcoin payments to the extortionists. They then managed to recover about $2.3 million of the $4.4 million ransom from the DarkSide group by seizing the wallet it had been paid into, and the infrastructure behind the group's payment system was taken down.

Furthermore, the ransomware groups DarkSide and REvil/Sodinokibi tried to distance themselves from the consequences of the Colonial Pipeline and JBS (the American meat processor) attacks with unprecedented statements. According to security specialist Avast, the US government's action even caused ransomware advertisements to disappear from large underground forums. And the so-called business partners (affiliates) are said to have dragged DarkSide before a "hacker court" to complain about their losses, wherever this court of the underworld may sit.

In Great Britain, too, voices are calling for a zero-ransom strategy. Spokespersons for the National Cyber Security Centre (NCSC), part of the intelligence agency GCHQ, are even calling for a legal ban on ransom payments to attackers. This, they argue, is the only way to destroy the business model of the ransomware groups, since organized crime is financed with the ransom.

In Germany there are political discussions about cyber defense and ransomware, but no steps like those taken in the USA or partly planned in Great Britain. They would be necessary, as an article in Zeit Online this year shows: at least 100 German public offices, government agencies, state-owned clinics, city administrations and courts have been attacked by ransomware gangs in the past six years.

What experts advise companies

We asked a large group of security experts how companies should best react in the event of a ransomware attack. Some so-called evangelists from security vendors responded, as well as experts from the test laboratory AV-TEST. In addition, we gathered comments from vendors that offer specialized detection and response solutions or classic network protection. The interesting thing: some experts categorically refuse to pay in the event of a ransomware attack. Others maintain that profitability can be the deciding factor, for example when the company's existence is at risk. The comments follow below.

Kaspersky - Christian Funk

Christian Funk, head of the research and analysis team in the DACH region at Kaspersky (Image: Kaspersky).

A comment by Christian Funk, head of the research and analysis team at Kaspersky: “According to Bitkom, the damage caused by ransomware has more than quadrupled in the past two years. Our analyses show that around 20 cybercriminal actors target high-profile organizations in particular and, since 2019, have been threatening to publish data as an additional means of pressure if the ransom demands are not met. This is now known as 'Big Game Hunting'. Such targeted attacks increased by 767 percent from 2019 to 2020. The pandemic pushed many companies to quickly set up and expand access for home offices. This often resulted in weakly secured or incorrectly configured systems that attackers can exploit as entry points, and it is a driver of the significant increase in this ransomware offensive.

“High-profile organizations are increasingly being attacked in a targeted manner”

Those affected should not pay a ransom. There is no guarantee that the encrypted data will be restored, while the cyber criminals are confirmed in their criminal activities. To prevent potential data loss, security updates should be applied regularly to eliminate vulnerabilities as quickly as possible. Effective security software on all end devices also protects computers and servers from ransomware and malware, prevents the use of exploits and is ideally compatible with security solutions that are already installed. In addition, backups should always be made at reasonable intervals.” Kaspersky.de

G Data - Tim Berghoff


Tim Berghoff, Security Evangelist at G DATA CyberDefense (Image: G Data).

A comment by Tim Berghoff, Security Evangelist at G DATA CyberDefense: "There are clear ideas about how companies should deal with ransomware: restore backups, report the case to the data protection authority if necessary, file a criminal complaint and above all: never pay a ransom. And indeed, making a payment is, without exception, the worst possible option.

"Making a payment is, without exception, the worst possible option"

However, there are also reasons that may speak in favor of a payment in individual cases. One of those reasons is purely economic. When the cost of lost production, potential fines and data recovery significantly exceeds the ransom, the decision is made quickly. If the meltdown has occurred and no backup is available, the idea of a payment suggests itself, especially when the company is threatened with financial collapse. This is despite the fact that ransom demands increased by up to 500 percent on average between 2020 and 2021 alone. At the same time, the number of payments actually made has also increased drastically. In addition, many victims are blackmailed several times, with perpetrators both encrypting data and threatening to publish it, and doing so despite payment. Greater resilience is the order of the day, especially when mission-critical software like Microsoft Exchange or management software used by MSPs like Kaseya's becomes the target of attacks, as has been the case in recent months." GData.de

Sophos - Michael Veit

Michael Veit, security expert at Sophos (Image: Sophos).

A comment by Michael Veit, security expert at Sophos: “The crucial question after a ransomware attack: to pay or not to pay. Time and again, companies in an emergency are inclined to pay large ransoms to ransomware attackers. There are many examples where managers felt forced to comply because the backups that were supposed to save them were encrypted or corrupted. They want to get their IT infrastructure back up and running as quickly as possible, or choose to pay because it seems cheaper than the cost of restoring it. Another common reason is to prevent stolen data from being sold or made public. Colonial Pipeline also cited one of these reasons as justification for its payment.

"Whoever pays should be aware of the fact that it does not provide any guarantee of data recovery"

However, the payment of ransoms should not only be viewed critically from a legal point of view. One should be aware that it provides no guarantee of data recovery. In its State of Ransomware Report 2021, Sophos found that companies were only able to recover an average of 65 percent of their data after paying a ransom. Only 8 percent of companies got all their data back, and 29 percent recovered less than half through payment. On top of the ransom, the high accompanying and consequential damage must be taken into account. The average cost of merely recovering from a ransomware attack has more than doubled in just one year, from around €390,000 in Germany to €970,000 in 2021.

The increasing criminal intensity, creativity and intelligence of the attackers will not be contained; the developments of the last few years show the opposite. However, there are many options, often unused, for reducing the potential risk.

It shouldn't take an attack for a company or organization to adopt a stronger cybersecurity posture. Organizations should take the time and resources now to assess their security situation and then, immediately and with the highest level of competence, both internally and with external specialists, establish better and earlier defenses wherever possible.” Sophos.com

Trend Micro - Udo Schneider

Udo Schneider, IoT Security Evangelist Europe at Trend Micro (Image: Trend Micro).

A comment by Udo Schneider, IoT Security Evangelist Europe at Trend Micro: "Effective ransomware protection should start both at the network level and at the endpoint and fulfill three basic functions: preventive protection against attacks, quick detection of suspicious incidents and maintaining operations.

In addition to IT, the Internet of Things is also becoming a victim of ransomware. A study by Trend Micro shows that variants of the Ryuk, Nefilim and Sodinokibi malware families were responsible for nearly half of industrial control system ransomware infections in 2020. It is therefore critical that IT security and OT teams work more closely together to identify key systems and dependencies such as operating system compatibility and runtime requirements in order to develop more effective security strategies.

“In addition to IT, the Internet of Things is increasingly becoming a victim of ransomware.”

Immediate patching of vulnerabilities is the top priority. Where this is not possible, companies should use network segmentation and virtual patching. In addition, network shares must be restricted and strong username and password combinations enforced; this prevents unauthorized access by brute-forcing credentials. Companies should also apply the principle of least privilege for network administrators and operators. Unfortunately, there is no panacea for ransomware attacks, which is why a security concept spanning several layers is crucial." TrendMicro.com

Bitdefender - Daniel Clayton

Daniel Clayton, Vice President of Global Security Operations and Support at Bitdefender (Image: Bitdefender).

A comment from Daniel Clayton, Vice President of Global Security Operations and Support at Bitdefender: “Looking at the headlines, it seems that ransomware attacks are commonplace. The Bitdefender telemetry data analyzed in our Consumer Threat Report from mid-April 2021 proves this: in 2020, the number of attacks with extortion malware increased by 715 percent compared to 2019. Criminals are increasingly threatening not only to encrypt the data but also to sell and disclose it. The latter is an effective threat simply because of the reporting obligations under the GDPR and other regulations. IT managers should therefore be aware that sooner or later their company can fall victim to an extortion attack. Ransomware attacks can be fairly simple in nature, but are often complex. In the latter case, there is a high risk that the hackers are still embedded in the network even after a ransom has been paid and are effectively preparing for the next attack.

"Paying a ransom makes an attack successful and new attacks more likely"

Should you pay the ransom? The clear answer is no, because paying a ransom makes such an attack successful and new attacks more likely. As long as companies keep paying ransoms, the hackers will launch new extortion campaigns. That is why prevention, MDR and minimizing the potential damage through backup and recovery are key. Hackers also remember companies that have paid once as good targets for the future. The likelihood of a repeat attack is significantly lower for a non-paying victim.” Bitdefender.com

AV-TEST - Maik Morgenstern

Maik Morgenstern, CTO AV-TEST GmbH (Image: AV-TEST).

A comment from Maik Morgenstern, CTO AV-TEST GmbH: "AV-TEST registers more than 400,000 new malware samples every day, and every company knows from its own experience that it is constantly under attack. Ransomware has been one of the 'most successful' business models for criminals for several years. For one thing, the attacks are comparatively easy to carry out: attackers buy ready-made ransomware as a service, use spam service providers and attack many companies in one fell swoop with little effort.

"The need for prevention cannot be overstated"

Added to this is the high level of suffering of the victims and the direct conversion of a successful infection into hard cash. Even if the advice is repeatedly given not to pay, some companies have no choice. The need for prevention therefore cannot be overstated. In addition to common measures such as regular and complete backups and always up-to-date protection products on the client and gateway, the social engineering factor must also be considered. All users should be prepared in regular training courses for the types of attacks and the correct reaction to potential spam and malware mails." AV-TEST.org

Bitglass - Anurag Kahol

Anurag Kahol, CTO Bitglass (Image: Bitglass).

A comment by Anurag Kahol, CTO Bitglass: “In their defenses against ransomware, organizations primarily focus on shutting down every attack vector. To do this, they use intelligent security solutions that flag and block suspicious emails, block malware at endpoints and in the cloud, and prevent unauthorized access to company resources. For a comprehensive strategy against ransomware, however, preventing an infection is only one side of the coin. A plan of action for the next escalation level, a successful attack, rarely exists.

"There is rarely a plan of action for the next escalation level - a successful attack"

The priorities for this are obvious: first of all, it is about maintaining business operations or resuming them as quickly as possible. To prepare for this, companies must assess the relevance of individual components of their IT systems to business operations, run through various failure scenarios and take appropriate precautions for emergency operation. Protecting sensitive company data is also important, because there is a risk that cyber criminals will steal it and misuse it for their own purposes. Companies can prevent this scenario by encrypting sensitive data consistently. When all layers of measures work together, defending against ransomware infections, safeguarding business continuity and constantly protecting the most valuable company data, companies can significantly increase their resilience against ransomware attacks.” Bitglass.com

Digital Guardian - Tim Bandos


Tim Bandos, Chief Information Security Officer at Digital Guardian (Image: Digital Guardian).

A comment from Tim Bandos, Chief Information Security Officer at Digital Guardian: "Each year, ransomware operators and developers evolve their craft and technology. The DarkSide group behind the Colonial Pipeline attack has a professional business model that makes this clear: the criminals provide tech support to their victims, take an 'ethical' approach to their target selection, steal data for extortion purposes, and much more.

"There are a variety of solutions that can help prevent ransomware infections"

There are a variety of solutions that can help prevent ransomware infections. Antivirus software and firewalls can at least help block known, prevalent strains of malware. For added protection, organizations should consider Advanced Threat Protection (ATP) and Endpoint Detection and Response (EDR) solutions to streamline ransomware detection and blocking. Managed Detection and Response (MDR) can also be a good alternative for companies that find it difficult to implement EDR themselves due to limited internal resources.

Application whitelisting solutions should also be used to prevent malicious code from running. Permissions must also be managed correctly: every employee with access to systems creates a potential entry point for ransomware. With a multi-layered security approach consisting of employee education, continuous update and backup practices, and security technologies, the risk of a ransomware attack can be significantly reduced.” DigitalGuardian.com

ForeNova - Paul Smit

Paul Smit, Director of Professional Services at ForeNova (Image: ForeNova).

A comment from Paul Smit, director of professional services at ForeNova: “It is no longer about fending off individual attacks but about fighting organized gangs. Ransomware has become organized crime, and that requires a corresponding defense. In the face of the ransomware threat, prevention is essential.

"It's no longer about fending off individual attacks, but about fighting organized gangs"

Backups secure data and can prevent data loss, but not the disclosure and sale of information. For the defense it is crucial to recognize an attack as early as possible. To do this, however, all data traffic within the network as well as from inside to outside must be observed. With AI-supported behavior analysis, patterns such as suspicious lateral movement, attacks on vulnerabilities or malware installations, malicious intrusion, a conspicuous data leak or the immediate preparation of encryption can be noticed. Affected systems can be blocked and attacks quickly contained before they cause damage.

Should you pay after a ransomware attack? Nothing speaks for paying a ransom, because nobody has a guarantee that the data will be decrypted again. In any case, the damage caused by downtime until the systems are up and running again remains. Information that has leaked can still be sold or misappropriated for profit. And the back door for the next attack may already be ajar again.” ForeNova.com
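The "immediate preparation of encryption" that the comment above says behavior monitoring can notice is, at the endpoint, mostly a burst of renames to a new extension by a single process, often followed by a ransom note dropped into the same folders. The following detector is an added example written for this article (it is not ForeNova's code or product logic): it replays constructed file-activity events and raises one alert per host/process once the extension-changing renames cross a threshold inside a sliding time window, escalating if that process also writes a ransom note. The event schema, the ransom-note file names and the thresholds are assumptions for the demo.

```python
"""Added example: sliding-window detection of a ransomware encryption burst
from per-process file events. Not vendor code; thresholds, note names and the
event schema are assumptions for this demo."""
from collections import defaultdict, deque
from dataclasses import dataclass
import ntpath  # handles Windows paths correctly even when this runs on Linux

# Assumed, illustrative indicator list and thresholds
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.html", "restore-my-files.txt"}
RENAME_THRESHOLD = 20   # extension-changing renames by one process ...
WINDOW_SECONDS = 60     # ... within this window trigger an alert


@dataclass(frozen=True)
class FileEvent:
    ts: float           # seconds since epoch
    host: str
    pid: int
    image: str          # process image name
    action: str         # "rename" or "create"
    path: str
    new_path: str = ""  # only set for renames


def _ext(path: str) -> str:
    return ntpath.splitext(path)[1].lower()


def is_extension_change(ev: FileEvent) -> bool:
    """Rename that changes the extension, e.g. q1.xlsx -> q1.xlsx.locked."""
    return ev.action == "rename" and bool(ev.new_path) and _ext(ev.new_path) != _ext(ev.path)


def is_ransom_note(ev: FileEvent) -> bool:
    return ev.action == "create" and ntpath.basename(ev.path).lower() in RANSOM_NOTE_NAMES


def detect_encryption_bursts(events, rename_threshold=RENAME_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (host, pid) whose extension-changing renames reach
    rename_threshold inside a sliding window of `window` seconds. A ransom-note
    drop by the same process, before or after the burst, escalates severity."""
    renames = defaultdict(deque)   # (host, pid) -> timestamps of ext-changing renames
    note_droppers = set()
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.host, ev.pid)
        if is_ransom_note(ev):
            note_droppers.add(key)
        if is_extension_change(ev):
            q = renames[key]
            q.append(ev.ts)
            while q and ev.ts - q[0] > window:   # evict timestamps outside the window
                q.popleft()
            if len(q) >= rename_threshold and key not in alerts:
                alerts[key] = {"host": ev.host, "pid": ev.pid, "image": ev.image,
                               "first_seen": q[0], "renames_in_window": len(q),
                               "severity": "high"}
        if key in alerts and key in note_droppers:
            alerts[key]["severity"] = "critical"
    return list(alerts.values())


def sample_events():
    """Constructed sample telemetry (not real data): two benign processes and
    one that rewrites a finance share and drops a ransom note."""
    base = 1_700_000_000.0
    evs = [FileEvent(base, "ws-17", 1001, "WINWORD.EXE", "rename",
                     r"C:\Users\a\~WRD0001.tmp", r"C:\Users\a\report.docx")]
    # a sync client moves 40 files between folders; extensions unchanged, so not counted
    evs += [FileEvent(base + i, "ws-17", 1002, "OneDrive.exe", "rename",
                      rf"C:\Users\a\in\{i}.pdf", rf"C:\Users\a\out\{i}.pdf") for i in range(40)]
    # one process renames 25 spreadsheets to .locked within 25 s, then drops a note
    evs += [FileEvent(base + 100 + i, "ws-17", 4242, "updater.exe", "rename",
                      rf"C:\Share\finance\{i}.xlsx", rf"C:\Share\finance\{i}.xlsx.locked")
            for i in range(25)]
    evs.append(FileEvent(base + 126, "ws-17", 4242, "updater.exe", "create",
                         r"C:\Share\finance\readme_decrypt.txt"))
    return evs


if __name__ == "__main__":
    for alert in detect_encryption_bursts(sample_events()):
        print(alert)
```

On the constructed sample only `updater.exe` (PID 4242) is reported, first as "high" after its twentieth rename and then as "critical" once the note appears; the sync client's 40 moves never count because the extension does not change. In production the rename threshold and window need tuning per environment, and processes that legitimately rewrite extensions in bulk (backup agents, build tools) need an allow-list, otherwise the rule will page on them.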

Radar Cyber Security - Ali Carl Gülerman

Ali Carl Gülerman, CEO and General Manager at Radar Cyber Security (Image: Radar Cyber Security).

A comment from Ali Carl Gülerman, CEO and General Manager at Radar Cyber Security: “Enterprises today are in a constant battle against infiltration. Cyber security must therefore step out of the shadow of IT and become a strategic decision-making matter for the board of directors, similar to human resources or research and development. Cybersecurity has long since become part of the value chain.

“Companies today are in a constant battle against infiltration”

For comprehensive prevention against cyber attacks, including ransomware, companies should consider their own Cyber Defense Center or CDC as a Service, as this can massively strengthen their cyber resilience. It helps organizations analyze the huge number of alerts, new threats and anomalies that the technical security infrastructure identifies.

A Cyber Defense Center, also known as a Security Operations Center (SOC), connects IT security experts, processes and technologies. At the CDC, trained professionals continuously examine Internet traffic, networks, desktops, servers, end devices, databases, applications and other IT systems for signs of a security incident. As the security command center of a company, the CDC is responsible for continuously monitoring the security situation in order to prevent attacks and to initiate appropriate countermeasures in the event of a security breach." RadarCS.com

Barracuda Networks - Klaus Gheri

Klaus Gheri, General Manager Network Security at Barracuda Networks (Image: Barracuda).

A comment from Klaus Gheri, General Manager Network Security at Barracuda Networks: “To pay the ransom or not to pay? The politically correct answer is don't pay, because that reduces your attractiveness as a future repeat target. In practice, of course, things look different. When essential data is no longer accessible or cannot be recovered with reasonable effort, a company has few options left. It is therefore less a moral than a commercial decision. Of course, paying does not free you from the need for a forensic investigation and clean-up afterwards, plus new protective measures against recurrence. It is all the more advisable to invest in prevention while you still can.

"Once a ransomware attack is successful, only a radical cure usually helps"

If a ransomware attack succeeds, usually only a radical cure helps: switch off the systems, reinstall them and restore a backup, always hoping that the ransomware package was not already part of the backup. But before the backup can be restored, the entry point must be known and the network must have been cleaned with a digital pressure washer. The easiest and fastest way to do this is with a ready-made emergency plan. Unfortunately, the crux of the matter is that such contingency plans often do not exist because the need for them and the risk to one's own systems was not recognized or was underestimated. Often one problem is solved in a hurry and two new ones arise. The only strategy can be: quick but coordinated action. Even if an organization decides to pay, the clean-up still has to be done, or you will be back in the same spot a short time later.” Barracuda.com
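The warning above that the restored backup may itself carry the ransomware is where a practitioner wants a mechanical gate rather than hope. The following script is an added example written for this article (it is not Barracuda's code): it scans a backup tree that has been restored to a staging location and refuses the restore if it finds ransom notes, files carrying typical encrypted-file extensions, or plaintext-type files whose byte entropy shows they have been encrypted in place. The note names, extension lists, sample files and the 7.5 bits/byte threshold are assumptions for the demo.

```python
"""Added example: pre-restore scan of a staged backup for ransomware residue.
Not vendor code; indicator lists, threshold and sample tree are assumptions."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed, illustrative indicators
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_recover.html", "restore-my-files.txt"}
ENCRYPTED_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
PLAINTEXT_EXTENSIONS = {".txt", ".csv", ".log", ".xml", ".json", ".sql", ".ini"}
ENTROPY_THRESHOLD = 7.5   # bits per byte; real text sits around 4-5, ciphertext near 8
MIN_SAMPLE = 256          # very short files give unreliable entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_backup(root, sample_bytes=65536):
    """Walk the staged backup and return (path, reason) findings."""
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        name, ext = path.name.lower(), path.suffix.lower()
        if name in RANSOM_NOTE_NAMES:
            findings.append((str(path), "ransom-note"))
        elif ext in ENCRYPTED_EXTENSIONS:
            findings.append((str(path), "encrypted-extension"))
        elif ext in PLAINTEXT_EXTENSIONS:
            # a "text" file that looks like random bytes was encrypted in place
            with path.open("rb") as fh:
                head = fh.read(sample_bytes)
            ent = shannon_entropy(head)
            if len(head) >= MIN_SAMPLE and ent > ENTROPY_THRESHOLD:
                findings.append((str(path), f"high-entropy:{ent:.2f}"))
    return findings


def safe_to_restore(root) -> bool:
    """The gate: restore only a backup with zero findings."""
    return not scan_backup(root)


def build_sample_backup(root=None):
    """Constructed sample backup tree (not real data): two clean files, one
    text file encrypted in place, one renamed to .locked, one ransom note."""
    root = Path(root or tempfile.mkdtemp(prefix="backup-"))
    fin = root / "finance"
    fin.mkdir(parents=True, exist_ok=True)
    (fin / "q1.csv").write_text("date,amount\n" + "2021-05-07,1234.50\n" * 200)
    (fin / "notes.txt").write_text("Quarterly review minutes.\n" * 100)
    (fin / "q2.csv").write_bytes(os.urandom(4096))        # encrypted in place, name kept
    (fin / "q3.xlsx.locked").write_bytes(os.urandom(4096))
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Contact us.\n")
    return root


def build_clean_backup(root=None):
    """Constructed clean tree for comparison."""
    root = Path(root or tempfile.mkdtemp(prefix="backup-clean-"))
    (root / "notes.txt").write_text("Quarterly review minutes.\n" * 100)
    return root


if __name__ == "__main__":
    staged = build_sample_backup()
    for path, reason in scan_backup(staged):
        print(f"{reason:25} {path}")
    print("safe to restore:", safe_to_restore(staged))
```

The entropy check is deliberately limited to extensions that should hold plaintext: compressed or already-encrypted formats (zip-based Office files, JPEGs, archives) sit near 8 bits/byte legitimately and would drown the result in false positives. The scan only answers whether the backup contents look encrypted; whether the backup also contains the attacker's dropper or persistence is a separate question that needs the entry point and indicators from the forensic investigation the comment above calls for.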
