To pay or not to pay?

Paying ransomware is a topic that greatly divides opinion. Cold logic might dictate that any demand is turned down. But what if it's a matter of life or death?

Some say 'yes', others say 'no' - should you pay the ransom? Law enforcement does not encourage, endorse or condone the payment of ransom demands. Why? Because they say that, if you do pay the ransom:

  • There is no guarantee you will get access to your data or computer
  • Your computer will still be infected
  • You will be paying criminal groups
  • You're more likely to be targeted in the future.

How true is this? Doesn't paying up and having your data access reinstated give the hackers a better image? Or are there so many 'pickings' out there that they don't really care one way or the other?

Then there are all the other issues around what has become a massive enterprise in itself. Since there's no way to completely protect your organisation against malware infection, what should you do to keep ransomware at bay? Is a 'defence-in-depth' approach the right one, using layers of protection, with several mitigations at each layer? That approach gives you more opportunities to detect malware and stop it before it causes real harm to your organisation. That said, should you assume anyway that some malware will infiltrate your organisation at some point, whatever strategies you put in place? For every possible plus point there appears to be a minus, so what is the best way to limit the impact a ransomware attack would cause and speed up your response?

IN THE TEETH OF A GALE
Brooks Wallace, VP EMEA at Deep Instinct, says that the argument as to whether or not an organisation should pay a ransom is "causing quite a dilemma" in the corporate boardroom. "While it may be easy to say that an organisation shouldn't pay ransom, there are many factors to consider. Imagine you are the family of someone in the intensive care unit of a hospital taken offline by a ransomware attack. Think of critical infrastructure providers or banks. At that significant point in time, when hours count, you don't care about principles or policies. You just want the situation to be fixed."

There appear to be increasing discussions among board members about what to do in the case of a ransomware attack, how to overcome it should one occur and whether their insurance policies will help. "Trying to make decisions during an attack itself only adds to the pressure and could worsen the crisis, so it is best to make these decisions beforehand and plan in case of an attack. This should include the decision of whether to pay for the attack or not."

Condemning those organisations that are unfortunate enough to have been hit by a ransomware attack doesn't help anyone or change behaviours, he adds. "Having best practice guidelines and the rationale behind these would be more valuable. There should be a strong encouragement not to pay ransoms, but, in parallel, investment needs to be made in stopping the attack in the first place. Prevention is far better than cure."

PREVENTION FIRST APPROACH
Any intelligence that can be gathered post-breach helps understanding for the future. "But what's even better is a 'prevention first' approach that features a multi-layered defence system, with more than one swing at the ball to stop an attack. We need to spend more time on stopping these attacks pre-execution before the damage is done. Many technologies need an attack to execute and run before they are picked up and checked to see if they are malicious, sometimes taking as long as 60 seconds or more. When dealing with an unknown threat, 60 seconds is too long to wait for an analysis."

In order to ensure business continuity, organisations need to invest in solutions that use technology such as deep learning, "which can deliver a sub-20 millisecond response time in stopping a ransomware attack, pre-execution, before it can take hold, actually predicting the ransomware attack and therefore protecting the organisation," Wallace states. "Using this type of technology means organisations no longer need to worry about whether or not to pay a ransom, as there is a solution that prevents the attack altogether.

"Furthermore, investing in a solution that offers a 'ransomware warranty', whereby the organisation receives a certain amount, if they experience a ransomware attack, using that provider's technology is beneficial. Warranties ensure an extra level of protection, should a ransomware attack occur, and allow for some alleviation, in terms of how much it will cost the organisation to recover after the attack."

BACKED INTO A CORNER
Callum Roxan, head of Threat Intelligence at F-Secure, accepts that the payment of ransoms to cyber criminals is not a "socially optimum outcome, but in the moment, faced with the loss of income, data and reputation, many organisations will feel backed into a corner where they will 'have to' pay. Ever-evolving extortion models and technological advances ensure organisations need to continually invest to keep up to speed with the latest threats posed by the sprawling ransomware ecosystem. In purely financial terms, the judgment is often made that accepting the risk of ransomware is more palatable than investing heavily into cybersecurity to mitigate the risk."

The continued payment of ransom demands funds additional advancements, continued operation and acts as an incentive to attract new actors to conduct ransomware attacks. "Breaking this cycle is something governments and the cyber security industry need to fix, shifting the balance of incentives to not paying ransoms and making securing your organisation against these threats less costly and more effective."

WHERE DID IT ALL GO WRONG?
All too often, organisations put too much focus on the detection and response of a ransomware attack, instead of looking at the steps that have allowed an attacker to get to the point of demanding ransom, argues Mike Fleck, VP marketing at Cyren. "The ransom of an attack is so far along the attack chain that, by the time the 'ransomware' attack has already been deployed, it's too little, too late."

He divides ransomware attacks into two categories. The first is the 'drive-by attack', which tricks users into installing malware onto their devices, whether that be a PC at home or a healthcare kiosk in an emergency room. While these attacks directly affect those users, they are random as to whom they affect. "The more serious attacks are the ones that target a specific organisation. The attackers look for the most impactful way to infect an organisation through the vulnerabilities they find and then launch a ransomware attack.

In order to get to that point, the attackers would have had to identify the organisation, find the vulnerabilities within that organisation, launch the malware and then deploy the ransomware attack."

Often the cause of a ransomware attack, and the attacker's access point into an organisation, is a phishing email, adds Fleck: an unsuspecting user clicks on a link, which then deploys a backdoor on the device, allowing the attacker to gain access to the organisation's network and find its vulnerabilities. "Organisations need to look at the precursors to ransomware attacks and the steps that get the attacker to where they need to be before they launch the malware itself."

Phishing attacks will always enter your network and breach your organisation, he points out. "Therefore, the focus needs to be on the antecedents to the attack and understanding what they are, in order for the organisation to deal with the attack better. Only then will organisations be able to remediate properly, rather than focus on detection of, and response to, the final step in the attacker's plan. At present, email security is overly focused on prevention, which demonstrates diminishing returns for each new layer of detection. By adding a real-time detection and automated remediation capability to identify and eliminate phishing threats rapidly, we can minimise the impact of when a phishing email makes it through our defences."

Bitdefender expects to see ransomware operators continuing to offer new and more dangerous versions of ransomware, but the company's director of Threat Research and Reporting, Bogdan Botezatu, states that it will maintain its commitment to helping users regain control of their digital lives and denying profits to attackers. "Collaboration between major cyber-security solution providers and law enforcement agencies allows us to combat the devastating effects of ransomware and help victims whose data would otherwise either be lost forever or generate large amounts of money for the cyber-crime underground."

INCREASING DEVASTATION
Computing Security also wanted to get some 'historical' perspective on ransomware, such as instances of who has paid up, where attacks have been state-sponsored and the emergence of ransomware-as-a-service. LogPoint CTO Christian Have is well versed in such matters, and he provided a detailed inside view on all those issues.

"Ransomware attacks are becoming increasingly devastating to companies. Not only do they inflict massive disruptions to operations, but criminals are also asking for ever-larger ransoms to unlock the encrypted files and machines hit by the attacks. Throughout the last months, state-sponsored ransomware attacks inflicting damage on critical infrastructure have dominated the headlines. JBS recently paid 11 million dollars following an attack that shut down all the company's US beef plants. Just before that, an attack paralysed Ireland's health services for weeks in the middle of a pandemic. The attack happened in the wake of the Colonial Pipeline attack that caused fear of gas shortages.

"CNA Financial, one of the largest insurance companies in the US, reportedly paid 40 million dollars to get access to its files and to restore its operations, making it the largest reported ransom paid to date. In comparison, 40 million dollars is more than most companies spend on their cybersecurity budget - it is even more than what many companies spend on their entire IT budget.

"Due to the surges in state-sponsored ransomware attacks in the US and Europe, many government institutions, including the White House, have urged companies to bolster their defences to help stop the ransomware groups. The G7 group has called on Russia, in particular, to identify, disrupt and hold to account those within its borders who conduct ransomware attacks and other cybercrimes. One of the few outcomes of the Biden-Putin summit is an agreement to consult on cybersecurity. However, the agreement is ambiguous without any specific actions."

A RANSOM PAYOUT ISN'T ALWAYS THE END GOAL
"Stopping ransomware groups is no small task. The scale of the economy behind these groups is significant. Many active groups have corporate structures, with roles and responsibilities that mirror regular software development organisations," Have points out. "These criminal organisations are well funded and highly motivated to develop their attacks - but their revenue streams do not begin or end with victims paying up a ransom.

There is an entire ransomware ecosystem, capitalising on successfully executing attacks."

This includes:

  • Groups selling access to platforms that deliver end-to-end ransomware-as-a-service for other groups to use.
  • Brokers that deliver teams of highly specialised developers that can build and deploy malware. Think of this as malware recruiting.
  • Certain groups only gain access to corporate networks. They will not actively disrupt the operations or demand ransom; instead, they sell access to victims for other groups to capitalise on.

The increasing sophistication of ransomware groups has led many organisations to implement a multitude of tools to help detect and prevent attacks. But what really works?

BASIC SECURITY ESSENTIAL TO PREVENT ATTACKS
For the last 15 years, CISOs, security operations teams and security vendors have put a significant focus on complex attacks and staying on top of the cutting edge of what adversaries can do, he continues. "For example, the malicious computer worm Stuxnet launches extremely advanced campaigns. The result is that a lot of organisations have a relatively extensive portfolio of advanced technologies. These technologies are expensive, complex to use and even more complex to integrate with each other and the surrounding security ecosystem.

"The Colonial Pipeline breach happened because a remote access platform failed to enforce or require multi-factor authentication. Combined with a shared password used among several users, attackers found a way into the infrastructure. Advanced detection tools are not meant to detect such basic mistakes.

"Failing to cover the basics - patching, secure configurations or following best practices - is a pattern repeating itself in many of the recent attacks. It is not without reason that every authority on cybersecurity has patching and baselining configurations as some of the first recommendations for companies to strengthen their cybersecurity efforts."

So why are companies not just patching everything, implementing the Zero Trust model and forcing multi-factor authentication everywhere? Especially when the most considerable material risk to the operations and existence of the organisation is a ransomware attack? "IT operations is hard," he responds. "The security operations team, IT operations team and enterprise risk management team often have siloed thinking, with different objectives and incentives. Aligning activities and goals across various departments is, without a doubt, part of the problem.

"One of the things we hear from our customers is that they need a unified overview of the technical risk aspects. Implementing a unified solution such as Zero Trust orchestration or XDR is complex and, in many cases, expensive. Some of our customers are turning to fewer vendors and relying on open standards - for example, MITRE for a taxonomy of attacks, MISP to share threat observations and YARA to identify malware indicators to offload some of the headaches of aligning different departments' ways of working."

THE WAY FORWARD
When critical infrastructure is under attack through large and small companies alike, it is obvious that more technology alone will not solve the issue, Have insists. "Outsourcing IT operations or security operations alone is not solving the problem either. With that in mind, I see three paths forward."

Law enforcement agencies must cooperate across borders to target ransomware groups, track payments and ultimately change the operational risk for these groups, so that it is more expensive to do illicit business.

Breaking down silos within organisations, getting the cybersecurity, IT operations and risk management teams to speak the same language and align expectations. Who owns the backup - IT? Who is responsible for the disaster recovery - Security? Who owns the business continuity planning - Enterprise risk management?

More laws and regulations on the matter. GDPR has done a lot to bring focus and awareness about reporting breaches to infrastructure. "But more is needed," Have insists. "GDPR works for personal data, but disruptions to critical infrastructure following a ransomware attack are not necessarily under the umbrella of GDPR and, as such, can go under the radar. With more sharing, increased focus and potentially fines levied against organisations that fail to prevent or protect their infrastructure adequately, boardrooms will begin to take the threat seriously."