adimas - Fotolia
Ransomware attacks: How to get the upper hand
Ransomware attacks are on the rise. Can organizations play like Radiohead and refuse to pay? The answer from security experts is a qualified yes.
The rock group Radiohead is celebrated for its unconventional approach to recording and releasing music. Lately, the band is also turning heads for how it handled a hacker trying to sell a stolen trove of its unreleased work.
In early June, an anonymous poster on a subreddit thread claimed to possess almost a day's worth of music that Radiohead had tucked away on digital audio tapes. When the presumed hacker sought $500 for individual songs and $150,000 for the entire batch of music, Radiohead turned the tables on the ransomware attack by streaming the music free and selling the files for roughly $23, with the proceeds benefitting a political environmental group. "You can find out if we should have paid that ransom," guitarist Jonny Greenwood joked to fans on the band's social media accounts.
Joking aside, Greenwood voiced the defining question for victims of ransomware. Should they pay the ransom? Or should they flout the conventional response to ransomware attacks, as Radiohead did so successfully?
According to security experts, CIOs and CISOs can follow Radiohead's lead -- to an extent. It is possible to recover from a ransomware attack and ignore demands from cybercriminals, they said, provided you take preventative steps that include backing up desktop and server files. Your organization shouldn't, however, make a retaliatory gesture similar to Radiohead's and release proprietary files to spite the hackers. But, with due diligence, you can put your organization in a position of strength and have the freedom to ignore ransomware attacks.
Preparation is a strong defense against ransomware attacks
Radiohead's strategy for dealing with the ransomware threat fell outside the confidentiality-integrity-availability triad that defines information security, but its success did not stem from flouting the rules, said Josh Zelonis, a senior analyst at Forrester Research. It was because the rock group had the artistic license to thumb its nose at the hacker.
"When you're protecting something that requires confidentiality, you can't give it away. That's the difference," Zelonis said. Moreover, in 2007, Radiohead gave fans the option to pay for a digital download of an album, so releasing the stolen archives squared with the band's outlook on cyber ethics and commerce, he said.
Still, CIOs and CISOs can learn from Radiohead by recognizing hackers don't always have the upper hand, security experts said. An organization that is aware of the status of its digital assets, including how extensively they are protected in recovery files, can confidently thwart a hacker, according to cybersecurity consultant Greg Scott.
"It's no different than a tornado or flood. Something happened. You assess the damage and if your recovery plan is solid, you're in good shape," he said, adding that the reverse is also true. If you haven't prepared and can't recover from ransomware, "you're screwed."
Not only should an organization back up its files, but it should also place a layer between the server and its backup files so that a hacker won't see there are more assets to steal or freeze, Scott advised. Some ransomware attacks are sophisticated and can destroy metadata and passwords, he said, so it's best to preserve digital assets with a corresponding level of complexity. For instance, organizations could take the necessary disaster recovery steps now to perform a bare-metal restore -- essentially, a reinstall of operating systems and applications -- so that, later, all is not lost if ransomware locks out users.
But even simple disaster recovery preparedness works as a defense against ransomware attacks. Scott had a client, a home health agency, victimized by ransomware after an employee opened a dubious email attachment, but the IT staff had backed up files on a USB drive that was connected to a workstation devoted to disaster recovery. It was out of the sight of hackers. It took only a day to restore the affected file directories and the company didn't have to pay ransomware. "They didn't even have to talk to the clown," Scott said of the perpetrator.
Attacks are on the rise
Preparation matters because an organization will almost inevitably be held hostage by ransomware. A Forrester Research report published last month found that ransomware attacks were up more than 500% from the same time a year ago. While roughly only 10% of ransomware attacks are successful, according to a Gartner report published in 2018, they come at a cost. The Gartner report found that payment demands for ransomware in its client group were about $550 per attack, but some demands had risen to hundreds of thousands of dollars. In addition, the sheer number of types of ransomware attacks posed a considerable challenge. More than 34,000 ransomware variants have been identified on 12,000 dark web marketplaces, the report said.
Avivah Litan, the Gartner vice president analyst who wrote the report, said in an email exchange that there are several steps a CIO or CISO can take when facing ransomware attacks. One of them is to seek the help of No More Ransom, a collaborative of the Netherlands police, Europol's European Cybercrime Centre and McAfee that aims to retrieve victims' encrypted data without them having to pay ransomware. Another step is to have a forensics expert sweep through files to detect and remove dormant traces of ransomware.
Similarly, Forrester's Zelonis preaches the virtues of preparedness. This includes testing your ability to restore systems and applications at scale so that you can gauge how effectively you'll be able to recover and potentially ignore the demands of the attacker. He also recommends keeping handy the phone number of a ransomware specialist who understands the slippery nuances of negotiating with cybercriminals.
A business negotiation, discounted ransoms
Indeed, there will be times when the attacker has the upper hand and organizations have to negotiate, Zelonis said. When communicating with the attacker, it's critical to keep a clear head and not let emotions get in the way.
"These cybercriminals view themselves as businesspeople," he said. "What they're doing is harmful to your interests, so it's easy to go into negotiations with an antagonistic attitude." But that makes it difficult to achieve your objective. In a sure sign that attackers consider themselves businesspeople, some of them have established "help desks" that offer victims technical assistance on how to pay ransom and restore files, he said.
Zelonis, who co-wrote "Forrester's Guide To Paying Ransomware," published in June, suggested asking the attacker for a discounted ransom if you don't need to decrypt every system. Also, validate the attacker's decryption key by having him send a decrypted file as proof he has what he promises. If it's clear you can't ignore the demand, have the ransomware specialist handle what will likely be a transfer of funds via cryptocurrency, cybercriminals' preferred method of payment.
"This is a negotiation, and neither party will trust one another," Zelonis said. "You need to find a way to process what is essentially a business transaction. Always have a goal and know what you can and can't accomplish. Engage with them only on specific issues. Never overstep your level of comfort, but keep things moving forward."
Yungi Chu, owner of the online retailer HeadsetPlus.com, doesn't regret that he ignored demands for payment from the emails of "Pryce23," who claimed to have hacked his email account, infected his operating system with a virus and been secretly monitoring him. But Chu said he has learned that one shouldn't go it alone when threatened by a cybercriminal.
The hacker had revealed Chu's email password and demanded $1,000 in bitcoin. Chu changed his password and moved on, thinking he had dodged a bullet. A month later, his webhost alerted him to 15,000 spam email messages being sent out under his address. Some of his customers, including Cisco, blocked his address and he has felt a slight pinch of lost business. "Pryce23" had an advantage after all.
"I wish I had done things differently," Chu said. "I changed my password and thought that would be adequate, but they had a backdoor." His lesson learned: Chu will tell anyone listening to hire an expert as soon as there is a sign of trouble. He did that, but only after the email spam attack under his account. He hopes the expert has cleared the attacker's traces out of his system.
"It is stressful," he said. "But (even in hindsight) I don't think I would pay them. I don't believe in paying ransoms."