Paying Ransom

Posted by Mark Greisiger

A Q&A with Luke Emrich of RSM

Recently, a lawyer contacted us, inquiring about how to find and obtain bitcoins for a client’s data that was being held ransom. As ransomware becomes more common, more organizations will need to ask hard questions about how and when to pay off criminals to protect their data. I spoke with Luke Emrich, security and privacy supervisor at RSM US about this growing phenomenon and what organizations need to know.

How much of a problem is ransomware at this point?
We are definitely seeing a lot of it in our world, whether it’s ransomware that encrypts files or restricts access to the whole system or website. In all cases, we’re seeing attackers requesting client payment in exchange for the data, or as a bribe in the hope that information stolen by the attackers will not be released to the public. We have recently seen a strain of credential-harvesting/keylogging malware that now has ransomware capabilities. Essentially, after the malware has harvested user credentials from the system, it will then encrypt the data stored on the system. For this reason, we suggest reviewing websites, applications and systems a given user visited from the infected system for suspicious or unauthorized activity, and immediately changing the passwords to all accounts that hold sensitive information.

If an organization gets hit with a data breach and is ordered to pay the ransom in bitcoins, how should it proceed from a logistical standpoint?
There are a number of ways to obtain bitcoins. One of the better known and more legitimate ways to get them is through Coinbase.com. In order to create an account, you need to provide personal information like your name, phone number, address and a copy of a bill, much like you would in setting up a regular bank account. However, there’s a verification time before you can get the bitcoins, and in a ransom situation you might be under a deadline to move more quickly. Another, possibly quicker way to go would be LocalBitcoins.com, which is structured a bit like Craigslist. You connect with someone who posts that they have bitcoins and you agree to meet face to face or possibly exchange them online. We tell clients that they need to take this approach with a grain of salt and exercise some caution, because you have no guarantee you won’t be scammed or ripped off. Another way to get bitcoins is through a bitcoin ATM. They are not widely available, but I have seen them. [Editor’s note: The website CoinDesk.com publishes a map of ATMs around the country.] Finally, one of my clients managed to source bitcoins through their Bank of America branch, so that might be a possibility as well. For most ransomware, the user is prompted with a file (examples below) that directs them to a website where they can pay the ransom and then download the decryption tool and key.

[Examples 1–3: images of ransom-note files, not reproduced here]


What are some of the ethical questions raised by ransom payment?
Bitcoins are designed to be anonymous and untraceable, so if you’re paying off the ransom with them you won’t know where the money is going unless you get the proper authorities involved with enough time. Essentially, you have to acknowledge that you are funding a malicious group. Even if they’re not political terrorists (and some of them are), they’re targeting others with ransomware attacks. Every time this situation happens, it’s a judgment call. Clients really have to weigh the value of the data against their ethical concerns. Do they have backups? Can they just let the data go? I’ve had it go every possible way with clients. Some just walk away. Some feel they have no choice because the data is so valuable and it’s their only way to access it.

Should organizations be concerned about the data leaking if they don’t pay the ransom? Can they be sure they’ll actually get the data back if they do pay?
Typically, the ransomware attackers have a reputation they want to uphold. They want to be known as reliable or otherwise their other victims won’t pay the ransom. In most cases we get back about 99 percent of the data once the ransom is paid. Occasionally, a file gets corrupted because the decryption process is not 100 percent effective, but we usually get back everything we need.

How much is the typical payment?
It gets more expensive over time. It might start at one bitcoin, which is $450 to $500, and it could go up to $50,000 if you don’t react in a timely way. That can also create problems with the amount of bitcoin you can access. Sometimes you can only get $10,000 worth of bitcoin at a time from a legitimate source, and then you’re forced to go to the black market and pay even more.

Are there any other concerns organizations should be aware of?
We’re also seeing bitcoins used with stolen data, in cases where an attacker takes intellectual property, unencrypted, and holds it for ransom. In those cases, the ransom could be much higher, up to $100,000. In these cases, you don’t really know for sure what the outcome will be, so that is a growing concern.

In summary…
We want to thank Luke for his insights into this concerning risk issue. Our own Breach Coach® lawyers are seeing similar ransomware events now on a weekly basis as they assist our carrier partners and their cyber liability insurance clients. The right solution is not always simple, and “just paying the ransom” to an unknown guy in Eastern Europe who has encrypted your business data is not as easy as it sounds. Indeed, there’s a somewhat complex logistical process to contend with, which Luke outlines here. (On a side note, I spoke at a seminar recently held by the Philadelphia Federal Reserve Bank and met FBI and Secret Service agents who seem very knowledgeable about the bitcoin/ransom process and how to help clients navigate it.)