Ransomware: What Can Go Wrong, Might

Posted by Mark Greisiger

Q&A with Chris Novak of Verizon

Even as public awareness around ransomware grows, many companies find they are still unprepared for this form of extortion when it hits. Often, organizations find that despite their best intentions to cooperate with the perpetrators, they still may not get their data back. I talked to Chris Novak, global director of the RISK Team at Verizon Enterprise Solutions, about some of the pitfalls associated with this increasingly common crime.

Are organizations typically prepared for dealing with a ransomware incident?
No. Many still don’t have incident response plans and playbooks that include ransomware. When it comes to ransomware it’s almost like the early days of data breaches where people just assume this will happen to other companies and never their own. That may be because the nature of this data breach seems much more targeted and personal, but the truth is that it’s not. And many organizations that do have incident response plans assume that what’s in there will cover it, but when it comes to ransomware everything is on a much shorter timeline—it could be a couple of days to a week to turn over the ransom. If the leadership is philosophically opposed to paying a ransom, that can also create a challenge when it comes down to the wire and everyone realizes that this might be the only choice to get their data back.

What are some other hurdles companies face in meeting those deadlines?
With medium- to large-size entities it may take a week or more to get executive consensus on the issue, and at that point the data might be gone. Another concern is that most organizations don’t have a Bitcoin wallet set up and funded, which presents logistical challenges. It’s not as simple as wiring money to an account, and it often takes time to secure a large amount from a regulated exchanger.

Where can a ransomware situation go really wrong?
When an organization tries to handle everything themselves. They might start trying to play around with their systems to try to prevent the ransomware from spreading before getting professional help. Some modifications or controls implemented on the system could handicap or destroy the ransomware such that it also can no longer restore your data. When you get the decryption key in that situation, it’s like having a key but the lock has been so badly damaged that the correct key will no longer open it, and there’s no way to recover the data. Another thing we’ve seen is where the criminals are captured before the organization has paid the ransom, unbeknownst to them, and the money gets wired to an account that no one is checking, with no way to get the data back. Let’s look at the recent Petya ransomware outbreak that Verizon was investigating this week as an example of where a takedown had muddied the waters for some victims. In the Petya case, the ransomware instructed victims to send their funding information and decryption request to a specific email address. However, the email provider quickly shut down the threat actor’s email account. If you were a victim that was planning to pay the ransom and get your data back, you’re out of luck. And to make matters worse, the Petya ransomware is likely to continue floating around the internet for months or years, infecting more victims.

What can companies do to better prepare for ransomware incidents?
First of all, understand that it can and likely will happen to your organization. These attacks are opportunistic and not personal. The attackers want the ransom and not the data, and they cast as wide a net as possible—they don’t care who you are as long as they get paid. Have good backups and create a contingency plan if you choose not to or can’t pay the ransom. Create a system for buying Bitcoin and keep some on hand ahead of time.
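Two of Mr. Novak’s points above are easier to see in code: the “key fits but the lock is broken” situation, where well-meaning cleanup of infected files leaves the real decryption key useless, and the contingency of a backup whose integrity you verified before trusting it. The following is an added illustration written for this post; it is not code from the original article or from Verizon, and it is not modelled on Petya or any real ransomware family. The file layout (a per-file key wrapped inside a header), the “cleanup” step that strips that header, and the pre-incident backup digest are all assumptions, and the cipher is a toy built from HMAC-SHA256 rather than a secure construction.

```python
# Toy model of why the correct key can no longer "open the lock" after files
# are tampered with during a ransomware incident. Added illustration only:
# not code from the original post, not modelled on any real ransomware family.
# The file format, key wrapping, cleanup step and backup check are assumptions.
# The cipher (HMAC-SHA256 keystream) is deliberately simple and NOT secure; it
# only reproduces the structural dependency between a per-file header and the
# master key the attacker later sells you.
import hashlib
import hmac
import os

MAGIC = b"TOYRANSOM1"  # assumed marker the toy writes at the start of each file
KEY_LEN = 32
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; toy stream cipher for the demo only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_file(plaintext: bytes, attacker_key: bytes) -> bytes:
    """Simulate the malware: fresh per-file key, wrapped under the attacker's key.

    Layout: MAGIC | nonce | wrapped_file_key | tag | ciphertext
    The per-file key exists only inside this header, so the attacker's key
    alone cannot rebuild it once the header is gone.
    """
    file_key = os.urandom(KEY_LEN)
    nonce = os.urandom(NONCE_LEN)
    wrapped = _xor(file_key, _keystream(attacker_key, b"wrap" + nonce, KEY_LEN))
    tag = hmac.new(attacker_key, MAGIC + nonce + wrapped, hashlib.sha256).digest()
    body = _xor(plaintext, _keystream(file_key, nonce, len(plaintext)))
    return MAGIC + nonce + wrapped + tag + body


def decrypt_file(blob: bytes, attacker_key: bytes) -> bytes:
    """Simulate the decryptor the victim receives after paying.

    Raises ValueError when the header is missing or altered: the "key fits
    but the lock is broken" case from the interview.
    """
    header_len = len(MAGIC) + NONCE_LEN + KEY_LEN + TAG_LEN
    if len(blob) < header_len or not blob.startswith(MAGIC):
        raise ValueError("header missing: file was truncated or cleaned")
    pos = len(MAGIC)
    nonce = blob[pos:pos + NONCE_LEN]
    pos += NONCE_LEN
    wrapped = blob[pos:pos + KEY_LEN]
    pos += KEY_LEN
    tag = blob[pos:pos + TAG_LEN]
    pos += TAG_LEN
    expected = hmac.new(attacker_key, MAGIC + nonce + wrapped, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("header altered or wrong key: per-file key unrecoverable")
    file_key = _xor(wrapped, _keystream(attacker_key, b"wrap" + nonce, KEY_LEN))
    body = blob[pos:]
    return _xor(body, _keystream(file_key, nonce, len(body)))


def clumsy_cleanup(blob: bytes) -> bytes:
    """Assumed well-meaning but destructive remediation: strip the unknown
    marker bytes from the front of the file in an attempt to 'repair' it."""
    return blob[len(MAGIC):]


def verify_backup(backup_copy: bytes, recorded_sha256: str) -> bool:
    """The contingency: compare the offline backup against a digest recorded
    before the incident, so it is known intact before anyone relies on it."""
    return hmac.compare_digest(hashlib.sha256(backup_copy).hexdigest(), recorded_sha256)


def demo() -> dict:
    """Run the outcomes discussed in the interview and return them by name."""
    attacker_key = os.urandom(KEY_LEN)
    original = b"Q3 ledger: constructed sample data for the demo\n"  # constructed input
    backup_digest = hashlib.sha256(original).hexdigest()  # recorded pre-incident

    encrypted = encrypt_file(original, attacker_key)
    results = {"paid_intact": decrypt_file(encrypted, attacker_key) == original}

    try:  # files "cleaned" before the key arrives
        decrypt_file(clumsy_cleanup(encrypted), attacker_key)
        results["paid_after_cleanup"] = True
    except ValueError:
        results["paid_after_cleanup"] = False

    try:  # key from the wrong campaign, or a bogus decryptor
        decrypt_file(encrypted, os.urandom(KEY_LEN))
        results["wrong_key"] = True
    except ValueError:
        results["wrong_key"] = False

    results["backup_usable"] = verify_backup(original, backup_digest)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running `demo()` shows the intact file decrypting with the purchased key, the same key failing on the file that was “cleaned” before payment, a wrong key failing, and the pre-verified backup being the one path that needs neither the attacker nor an intact header. The practical lesson is the one in the answer above: preserve affected files unchanged until a responder has looked at them, and know before the incident that your backups restore cleanly.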

In summary…
We want to thank Mr. Novak for his insights here into ransomware attacks. This peril is one of the more active cyber threats of the moment, with the ability to significantly impact even the most prepared and forward-leaning companies—largely because it’s facilitated by phishing emails sent to unsuspecting employees. This threat also is responsible for the growing number of cyber liability insurance claims that we’re seeing paid out on a weekly basis by many of our insurance partners that cover ransomware events. Having an actionable data breach response plan is vital (to learn more about our Breach Plan Connect service visit us here).