By David Harley
Sometimes, the easy way out is the road to ruin.
After WeLiveSecurity published the article Ransomware: To pay
or not to pay?, SC Computing’s Bradley Barth picked up on a point I
made there, where I said that we hear of instances where organizations pay
the ransom even though they have backups, because paying is cheaper.
No defence versus insufficient defence
Just to be clear, I didn’t say that they
don’t implement defences at all. I can’t say that never happens, but it’s far
more common for companies to implement inadequate defences because they aren’t
security-savvy enough to plug all the holes, than it is for them to ignore
security altogether.
No policy, no consistency
Bradley Barth was particularly interested in
specific research, examples, data, or anecdotal evidence. I wasn’t prepared to
give specific examples, because I couldn’t do so without tripping over
confidentiality issues. However, my friend and colleague Stephen Cobb provided
a generic but appropriate example:
I spoke on a panel at a conference recently where
several members of the audience – about 300 Managed Service Providers, each of
whom works with multiple client firms – said they knew of specific instances
where system administrators had paid ransoms even though recovery from backups
would have been possible. The risks of doing this extend beyond not getting the
data back despite paying. They include, and again, there was actual knowledge
of this: getting hit again because you are seen as a soft target.
In none of those cases were there any
rules/policies in place to guide or limit the sysadmin response to a ransom
demand. Also recent: I helped conduct a tabletop exercise for about 60
disaster recovery professionals and it was clear that most organizations had not
yet addressed the handling of ransom demands in their policy manuals or
incident response playbooks.
Human firewalls
Regrettably, defending against ransomware is not
simply a matter of plugging in some sort of anti-malware package using the
default settings and relying on it to defend you. Mainstream security programs
are good at detecting known ransomware, and much better than you might think at
detecting unknown ransomware by monitoring its behavior (behavior analysis).
However, there’s no such thing as 100% detection, even with security software
set at its most paranoid, and it’s not unknown for staff members (not necessarily
deliberately) to give an attacker a way in by some incautious action. Education
and policy are often effective ways of making the end-user part of the
defensive masonry rather than a flaw in the brickwork.
Porosity and Perimeters
If ransomware gets the chance to execute, the amount of damage it can do is
limited by the access restrictions of the environment in which it runs.
Unfortunately, if backup systems are set up for convenience rather than
ransomware-specific security, the backups may also be compromised by the
malware, even if they’re outside the organization’s perimeter.
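To make the point about access restrictions and backup layout concrete, here is a small blast-radius model, added as an illustration and not taken from the article: share names, the principals alice, bob and svc-backup, and the two layouts are all constructed. It compares a backup share that users can write to (convenient) with one that only a dedicated backup account can write to (hardened).

```python
"""Blast-radius model: what a ransomware process can corrupt depends on what
the account it runs under is allowed to write.  Constructed example; share
names, principals and layouts are hypothetical, not from the article."""
from dataclasses import dataclass


@dataclass
class Share:
    name: str
    writers: set          # principals allowed to write to this share
    is_backup: bool = False


def blast_radius(shares, principal):
    """Names of the shares a process running as `principal` could corrupt."""
    return {s.name for s in shares if principal in s.writers}


def backups_survive(shares, principal):
    """True if at least one backup share is outside the principal's write reach."""
    hit = blast_radius(shares, principal)
    return any(s.is_backup and s.name not in hit for s in shares)


# "Convenience" layout: the user's own account mounts the backup shares
# read-write, so anything running as that user reaches the backups as well.
CONVENIENCE = [
    Share("home", {"alice"}),
    Share("finance", {"alice", "bob"}),
    Share("backup-nas", {"alice", "bob"}, is_backup=True),
    # Off-site, but still writable by the user: perimeter alone does not help.
    Share("cloud-backup", {"alice"}, is_backup=True),
]

# Hardened layout: backups are written only by a dedicated backup service
# account; user accounts (and malware running as them) cannot write to them.
HARDENED = [
    Share("home", {"alice"}),
    Share("finance", {"alice", "bob"}),
    Share("backup-nas", {"svc-backup"}, is_backup=True),
    Share("cloud-backup", {"svc-backup"}, is_backup=True),
]

if __name__ == "__main__":
    for label, layout in (("convenience", CONVENIENCE), ("hardened", HARDENED)):
        print(label, sorted(blast_radius(layout, "alice")),
              "backups survive:", backups_survive(layout, "alice"))
```

The same model also shows why the backup service account itself needs protecting: if malware runs as svc-backup in the hardened layout, no backup share survives.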
Paying your way out of trouble?
If there are organizations that are skipping
steps that would help them survive such circumstances, in the expectation that
they can always pay the ransom, they could be in more trouble than they
realize. Paying the ransom doesn’t always guarantee the recovery of the data. I
was taken to task in a comment on that previous article by someone who asserted
that ransomware gangs:
“WILL decrypt your files because:
A) It’s their business money, AKA, it’s how they
make money. If they didn’t decrypt the files after the payment, no one would pay
the ransom.
B) Ironically, their support is amazing, way better
than most corporations.”
Well, he’s not completely wrong, though those are
pretty sweeping statements. In fact, it’s not unusual for criminal
organizations to have fairly effective ‘customer support’ for victims of
ransomware and other kinds of malware. ‘Better than most corporations’ is, I
think, a bit of an exaggeration, though in nearly 7 decades I’ve met with some
pretty atrocious support from legitimate companies over the years. I’ll save those
war stories for another blog, though. Going back to his more convincing
argument, I’ll agree that as far as I can see, most gangs will provide a
decryption key to victims who pay up, because (of course) if they never did,
there would be no point in anyone paying up.
Trust me, I’m a criminal
However, some gangs (or individuals) have no
intention or means of getting the data back for companies or individuals that
pay. Consider, for instance, the appalling Hitler ransomware, which
demands a ransom of 25 Euros but can’t help you decrypt your files, because
they were never encrypted, but simply deleted. Lawrence Abrams, for Bleeping
Computer, asserted in his description of
this particular malware that ‘It looks like file deletion is
becoming a standard tactic in new ransomware applications created by less
skilled ransomware developers.’ Similarly, it’s far from clear at the time of
writing whether the ‘FairWare’
attackers are actually keeping copies of the data they remove from
compromised servers, or are simply deleting them. Since the attackers state
that ‘Questions such as: “can i see files first?” will be ignored’, I’m not
inclined to be optimistic.
Honey, I shrunk the decryptor
Some of those developers towards the script-kiddie
end of the market may intend to get the data back but have screwed up
with the decryption mechanism. Even the more professional gangs can make that
sort of mistake. Yet another report from
Bleeping Computer indicated that CryptXXX version 3.0 not only
prevented Kaspersky’s RannohDecryptor from enabling victims to decrypt their
files for free, but also had the (presumably unintended) effect of breaking the
criminals’ own decryption key, so that paying the ransom didn’t, at the time
of writing, guarantee that the victim would get a working decryptor. As I
remarked at the time, when a ransomware gang screws up, it doesn’t always work
to the benefit of the victim. And sometimes security measures may actually kick
in and interfere with the recovery process: if your files are already
encrypted, removing the malware doesn’t usually reverse the encryption.
Data recovery is not all about ransomware
I don’t say these scenarios are common, but they do
raise the stakes. And, of course, the risk of ransomware is not the only issue
that needs to be addressed by a sound backup strategy. What if your data are
lost or corrupted because of issues that have nothing to do with ransomware?
You can’t just cough up a few bitcoins in that case, and even expensive data
recovery specialists may not be able to come up with a fix.
Paying for protection and paying for protection rackets
The scenarios Stephen describes, where
organizations are insufficiently prepared for attacks they probably don’t fully
understand, are much more typical.
As it happens, I heard recently of an academic
institution that was asked for $100 to get its data back. Presumably this was
an instance of a bottom-feeder aiming to profit from individuals rather than a
gang deliberately targeting a large organization. In a case like that, I can see
that there might have been a temptation to pay up. Of course, that might depend
on how difficult it was perceived to be to recover all the compromised
data, which in turn would depend on how much data had become inaccessible and
how quickly and easily they could be recovered from backups. Happily, in this case
the institution concerned chose not to take that route. But, as
Stephen suggests, sometimes an organization does take the easy way out.
Furthermore, many individuals also pay up (and who can blame them?), and that’s
what is keeping the gangs in business. Do I expect every victim to take the
moral high ground? Of course not. But in a protection racket, everyone who pays
up is keeping the racket alive.
The commenter quoted above also said:
Regarding backup strategies and specialized IT
security personnel that everyone keeps talking about, it’s obvious you’re out
of touch with the real world…
Well, what is obvious is not always true. Before I
was assimilated into the security industry, I spent decades working (mostly) in
security as a support engineer, systems administrator, security analyst, and as
a security manager. And sure, I could cite examples of misconceived
short-termism and cost-cutting that actually multiplied long-term costs to the
organizations concerned. But to dismiss all ‘CEOs and their respective bean
counters’ as idiots who only commit resources to security after the fact, and
then only by applying sticking plaster, is just crass. The security decisions
made at C-level are all-too-often wrong. But it’s not often that the people at
the head of an organization pay for security practitioners with the express
intention of ignoring them.
You can find Bradley Barth’s article here: Ransomware locks
experts in debate over ethics of paying.