$40 Million Ransom: Do You Pay?

Part 1 of Ransomware Focus Series

What is Ransomware? 

More and more companies are hit by cyber-attacks. Is it real or just fake news? Let us delve into the facts of ransomware and its modus operandi.

Do not be lulled into a false sense of safety; an analysis of data leaks and information on the Dark Web, including notification of breaches on password management tools, reveals that organizations are definitely falling victim to these attacks but trying to hide them from the public. Furthermore, it is common for affected companies to pay millions of dollars to cybercriminals to regain data access. To be clear: the fact that other companies choose to pay the ransom is no indication that it is a recommended course of action.

A ransomware or a ransom-malware is a type of malicious software commonly known as malware. The most common one encrypts systems or files and requests ransom payments to recover access. Recently, cybercriminals are also multiplying the pressure by threatening to leak confidential data. They can do that through their initial attack vector.

Therefore, a ransomware attack nowadays might not only be simply a business interruption cybersecurity incident but also be associated with a data breach or theft.

Traditionally, a ransomware attack begins with spam or phishing emails sent to a target organization’s employees, or a popular vulnerability through an open Remote Desktop Protocol (RDP) port . In the case of the phishing emails, they contain a file embedded with malware. When an employee opens the file, the malware gets installed and downloaded. It then scans the system, deliberately bypassing certain folders and files to prevent the system from booting up while encrypting other files and creating files with strange extensions.

Ransomware has been around since the 2000s, originally targeting individuals. Varieties have since evolved for spreading, evading detection, encrypting files, and pressuring users into paying ransoms.

You could also become a double victim. Some "file recovery" companies actually negotiate a lower ransom with criminals, pay that lower ransom, and charge the affected organization the ransom and a margin that can be significantly higher than the ransom value.

Expectedly, nothing is guaranteed when it comes to cybercriminals: some of them have destroyed the data while asking for a ransom!

Why Does it Succeed?

A common misconception about ransomware is that it only happens to others. Current advanced evasion techniques allow cybercriminals to build customized attacks circumventing security controls.

Cybercriminals are not only using various techniques to avoid detection, they are also targeting specific individuals to increase their chances of infection.

Thus, anti-viruses, firewalls, or other security tools might not be enough to detect and block ransomware attacks. Evasion is not a new phenomenon. There is literature starting in the 1990s about simple evasion techniques and attackers using them to bypass network security devices. Cybercriminals can also penetrate devices, resources or networks weeks or months before the main attack.

Simply put, cybercriminals have a plethora of methods to ensure their attacks’ success.

Hit by Ransomware: What's Next?

For affected organizations, it is not uncommon to be caught off guard and experience a “paralysis” that lessens the effectiveness of their response. The proliferation in attacks  — involving higher ransom payments and increased downtime — has significant financial and operational impacts.

In a case of ransomware attack, an organization might have three basic approaches to recovery:

  1. Restore from a backup. One of the basic remedies should be well-made backups, but it is not that simple. Few companies have survived the nightmare of recovering everything. Furthermore, the cybercriminal may have already attacked the backup. Even if an organization manages to do it, it will not be cheap. Companies attacked by ransomware pay criminals ransom and buy out their data because either they do not have backups or they conclude that restoring everything from backups will be more expensive than paying the ransom.
  2. Attempt to break the encryption. However, cybercriminals often use the latest encryption and ensure that their decryption keys have not been published somewhere on the internet. For example, if the attackers use the 256-bit AES encryption, it will take millions of years for a company to crack it.
  3. Pay the ransom and follow the attacker’s instructions. This might be very expensive, requiring professional guidance.

In all cases, the approaches are labour- and time-intensive, and do not guarantee data recovery.

Ransom: So, Do You Pay?

Despite the harrowing cases mentioned, it is important to clarify that, sometimes, files are recoverable and some companies offer honest file recovery services. Those, however, are rare and do not guarantee recovery.

In general, paying ransom is not recommended as it is considered financing criminals. However, as per the latest findings, the majority of companies falling victims to ransomware attacks do pay the ransom. In many cases, paying the ransom will be cheaper than recovering resources otherwise.

Ransom payment is under regulatory scrutiny in many jurisdictions. Thus, it is critical to obtain a documented position or perspective from external cyber counsel on the potential legal implications of paying a ransom demand to a cyber threat actor.  For example, the following two legal frameworks related to international funds transfer may be relevant:

  • Foreign Corrupt Practices Act (FCPA): FCPA prohibits US citizens from bribing foreign government officials to benefit their business interests. In most cases, paying a ransom would not violate FCPA, but individual circumstances may warrant close examination of potential FCPA liability.
  • Department of Treasury Office of Foreign Assets Control (OFAC): On Oct. 1, 2020, OFAC published an advisory reiterating the prohibition against US businesses and persons conducting business or paying funds to any person on the “Specially Designated Nationals and Blocked Persons” (SDN) list.  OFAC regulations are relevant in a ransomware event because the attacker demanding the ransom may be on the SDN list. US companies can be sanctioned for violation of OFAC’s rule even if they do not personally execute a transaction or know that a payment is being made to a prohibited organization or person.

How Do You Recover Access to Resilience?

When dealing with cyber criminals, an organization is never sure of the outcome. However, if a particular criminal group became known for deleting the data, they would not have more “customers”.

Ransom might be quite expensive reaching $40 million or more. This definitely requires full attention, and a clear decision from the company’s decision makers.

The greatest danger of cyber attacks is damage to brand reputation and customer trust, hence the need to prioritize defenses and rethink strategies to manage the fall-out of successful attacks. Look out for our next article detailing different attack scenarios and the effective measures against this ever-evolving threat to you and your organization’s data.

Image placeholder

Magda Chelly

Cyber Risk Consulting Leader, Marsh Asia

  • Singapore

Please note that Marsh PB Co., Ltd and Marsh McLennan are not engaged by nor involved in any manner with Bonus Ranch and its promotion, and has not placed any insurance for nor insured any of its businesses or operations. Marsh as a licensed insurance broker will not request customers to make payment via non-standard methods, such as the transfer of money to any individual’s bank account.