Deciding not to pay a ransomware demand is a tough choice for many organizations victimized by the malware, but now they’re faced with another challenge: Being publicly named by criminals.
According to security reporter Brian Krebs, the gang behind the Maze ransomware has opened a website on the public internet listing the names of at least eight organizations that haven’t caved to its blackmail. In addition to being publicly named, the gang promises to publicly release stolen data.
“Represented here companies don’t wish to cooperate with us, and trying to hide our successful attack on their resources,” the site explains in broken English. “Wait for their databases and private papers here. Follow the news!”
Krebs says the information disclosed for each Maze victim includes the initial date of infection, several stolen Microsoft Office, text and PDF files, the total volume of files allegedly exfiltrated from victims (measured in Gigabytes), as well as the IP addresses and machine names of the servers infected by Maze.
The threat is made real because certain strains of ransomware now steal data in addition to encrypting it, and the pressure only increases once an organization knows that not only might it never regain access to its encrypted data, but its sensitive data may also be exposed.
Paying or not paying a ransom to get decryption keys has always been a delicate balance of factors: Is the infection contained or is it spreading? Is all valuable data backed up? How long will it take to scrub devices to make sure all signs of the infection are gone? Can the organization afford to be largely offline that long? Is there insurance to cover restoration and remediation costs? Will the total value of those costs be more than the ransom? Can criminals be trusted to turn over the decryption keys? If we cave once will we be hit again? And there’s a moral question: Will paying only reward criminals?
With the risk of stolen data being released and the organization being publicly named, there are other questions: Is not paying worth the reputational risk of the data breach being made public? And will not paying only make the organization more of a target?
Ed Dubrovsky, managing director of cyber breach response at Toronto-based incident response consulting firm Cytelligence, knows first hand about the threat by the Maze group. He has been advising firms on their negotiating strategy with it “almost on a daily basis.” A few days ago he learned about the new website.
“We’re starting to see a shift where threat actors are becoming sick and tired of clients that have enough controls to recover from ransomware events on their own,” he said. “They need to evolve their tactics to pressure them to pay up for silence.
“So what’s happening with Maze is that from a ransom perspective they are very expensive — typically in the millions of dollars [in bitcoin], doesn’t matter the size of the client. For some clients, the demands are impossible to fill, whether they want to or not. And their process, before they encrypt systems, is to take data away.”
On the other hand, Dubrovsky added, Maze’s claims that it has taken hundreds of gigabytes of data may not be true. In his firm’s experience, typically only a small number of documents are taken, along with screenshots of directories to prove the threat is real. That’s because exfiltrating a huge amount of data takes time and risks detection.
Still, that allows the gang to “take enough damning information” before encrypting the rest, he explained.
Deciding to pay a ransom still has to be a business decision, Dubrovsky said, and that includes knowing whether the victim is a public or private organization. Government-affiliated organizations may have to follow a policy, he added.
“If you don’t have backup and all your data is encrypted and your only option is to close your door or start from scratch, you’re left with little option but to pay and hope for the best. And in many cases we see victims pay.” One bright spot: Ransomware gangs are usually willing to negotiate the payment if they believe they will get paid.
So how can an organization avoid being victimized by ransomware?
“This is a complicated question because we’re dealing with sophisticated adversaries that are very motivated and know very well they can hold a company for ransom if they completely shut it down. So make sure you have backups, but also make sure you have a strategy of how to communicate this [attack] to the outside world. It’s becoming a lot more difficult to hide a ransomware event in any organization unless you’re very small. A large organization needs to stand in front of the media and explain what has transpired, how you recovered and whether you paid. Because if you don’t pay they may publish the event to the media anyway, and if you pay there’s no guarantee they won’t go public.”
Organizations of all sizes have to face ransomware, he said.
“It’s becoming a very serious epidemic.”
Imran Ahmad, a partner in the cybersecurity group at the Toronto-based law firm Blake, Cassels & Graydon and a member of the cyber advisory group of the Canadian Advanced Technology Alliance (CATA), said in an interview that organizations that don’t pay ransoms may indeed feel squeezed if their names are published — and not just from consumers. Partners and suppliers to firms hit by cyber incidents may also be on the phone, he said.
However, he added, firms may have legitimate reasons for refusing to pay, including having the ability to recover from backups. The Maze gang “may be overestimating the impact of that website … because a company may say, ‘Yes we had an attack, but we had viable backups and a great response. We didn’t pay, and we didn’t have to pay.’”
Generally organizations in Canada are getting better at protecting themselves from ransomware, Ahmad said, including getting cyber insurance. But in some cases backups are infected or don’t fully recover sensitive data, or it may take more time to rebuild systems than the organization can take.
Ultimately it’s up to each organization to decide if it will pay, he said. “We still don’t recommend it as a starting point, but sometimes business considerations are a key factor.”