Products +

Services +

Customers +

Partners +

Resources +

Ransomware — To Pay Or Not To Pay (Ask A CISO Ep. 07)

In this podcast, Horangi CTO and Co-Founder Lee Sult joins Yang Teo to talk about recent ransomware attacks and ransomware strains, evaluating how organizations hit by ransomware ought to respond to attackers.

About Lee Sult

Lee is a repeat entrepreneur and a veteran of the cybersecurity field who is driven to find hard problems, solve them, and explore different cultures and their points of view. He has a need to solve new problems and find better ways to solve old ones. Most days he spends his time investigating cyber crime, mentoring new security professionals, and coaching executives in security best practices. He was previously a Senior Security consultant at Nuix and Trustwave. He was also a Forward Deployed Security Engineer at Palantir. Lee holds a B.S. in Information Assurance from Capella University.

I understand that you spend quite a bit of time investigating publicly reported cyber attacks, and you’ve even helped write a blog post recently on Leak & Shame ransomware on the Horangi blog. It just so happens that over the last few weeks, there has been a streak of ransomware attacks. This has hit all kinds of organizations. From tech and medical, to research universities. The question that I have is should this trend be shocking and should other organizations be worried?

Should it be shocking? I don’t really think so. As we’ve discussed a few times previously, new ransomware is going to come out. Especially with the realities that we’re facing in COVID-19 that changes the landscape for attackers. We stay fairly plugged into the trends and tactics that adversaries are using against folks in the region but there is definitely cause for concern and customers in the region should be worried. Many folks don’t have any type of backup or data recovery capabilities. It makes them particularly vulnerable to ransomware and it makes the impact of ransomware extremely negative to their business. Not to mention, a lot of new ransomware campaigns are deploying leak and shame tactics. In the past, you may have gotten ransomware that affected a non-critical portion of your environment, which can be almost ignored from a business or executive perspective. Those could have caused some disruption but they weren’t critical. However, with the public leak and shame tactics that we’re seeing deployed through numerous campaigns, even if it’s not a critical portion of your infrastructure that’s affected, it becomes public and they shame you so you have to take action against that.

It appears that in these recent attacks, NetWalker, WastedLocker, Defray are some of the ransomware strains that have been deployed. Is there a reason why attackers will prefer one over the other? 

Yeah. In my experience, especially in Southeast Asia, or in the most recent campaigns we’ve seen in the past several months, adversaries select ransomware or other malware strains based on two factors. 

One is the technology that the victim uses. Will this ransomware actually deploy on their critical systems? And second, the payment methods that the victims can actually use. There are several examples out there where ransomers will demand in USD but not everybody can pay in USD. There are several examples out there of ransomware folks looking to use cryptocurrency but not everyone can pay in cryptocurrency. I think the payment plays a very far second seat and the technology that they can use is the primary factor which the attackers use to determine which malware strain that they’re going to employ.

Does the way I defend my organization change based on the types of ransomware that emerge?

It comes back to backups. Ransomware generally targets stored data. Sometimes it locks down critical systems that you have so that you can’t process or use them but generally speaking, ransomware will target stored data of some variety. So it’s really all about those backups. The faster you can get your critical data back online, the less impact ransomware of any kind is going to have on your organization. Now, I would say that there are some ransomware that target servers and those critical systems specifically and there are other ransomware that targets workstations. In my experience — and this is kind of a controversial opinion — there are various opinions on this based on personal experience. I think that server-based ransomware or ransomware that destroys critical data is much more impactful in the long term. Maybe not in the short term. 

I think that ransomware that targets workstations is less impactful in the long term but causes a lot more operational friction. For Horangi’s current footing in this COVID-19 environment, most of our employees are working from home. So it increases the impact that a workstation ransomware would have in the short term because it’s much more difficult to deliver new laptops or to go and reinstall an operating system on a laptop right now. It’s not something that we can bang out in 2 or 3 days. However, if somebody destroyed the past 5 year’s worth of Horangi data, that might not be something that we will ever recover from. However, it’s just the nature of the beast in this case. It doesn’t matter what the ransomware strain is, it doesn’t really inform how I’m going to defend my organization. What really informs how I’m going to defend my organization is the technologies that I’m going to use. The number one thing that you have to have are backups for your critical data stores and you’ve got to have a robust way to restore workstations in your environment. If you have  those two things, you’d be in pretty good shape if you get hit with ransomware. 

Yeah, that’s a great answer. Having the foundations of cybersecurity, no matter how technology changes, sets you in a good place. We have written a few articles on how organizations can get themselves into better shape to defend themselves against ransomware attacks. We do always hear about ransomware attacks on large corporations with household names and the payouts for these ransoms could be from 500k to tens of millions. To your knowledge, what is the proportion of that compared to unreported cases? And as a follow up to that, for these smaller companies, what is the kind of ransom amount that they can expect? 

I would say that if we’re talking about the known and reported crime versus what has been called the dark figure of crime, the dark figure of crime has been something that the world has dealt with since written history. So I can’t even hazard a guess as to what the unreported sums might be. I don’t think anybody knows except for maybe the attackers themselves. As far as what the payouts are, it’s going to vary from case to case and organization to organization. And while I do stay abreast of current trends, I don’t dedicate a majority of my time to researching payouts, the specific strains of malware, and the specific attackers responsible for those so I don’t know what the payouts look like or what their tactics and techniques are. Some of them might charge different companies different ransoms. Some of them might charge the same ransom across multiple organizations.. But what I can say is since I’ve been in Singapore, I’ve seen numerous smaller companies go out of business both in Singapore and other places in Southeast Asia because they didn’t have any backups and they didn’t have any ability to pay their ransom. 

With this I think it also brings us to an interesting point of contention or discussion in the security field because there are ransoms of big amounts and sometimes it could be too big for you to pay. Sometimes it could seem reasonable to pay but the question that a lot of people debate about is whether you should pay the ransom. I'd like to ask about your point of view on this matter.

I guess I have two questions or two answers to these questions. As a cybersecurity expert and someone who has worked with numerous government agencies and numerous countries to apprehend these types of folks, the answer that I would have to give is: NO, don’t pay the ransom because it provides positive reinforcement to these adversaries because it makes their efforts fruitful. It makes it a profitable line of business for this criminal organization so they will just keep doing it. 

On the other side of that coin though, now I’m a founder, I’m an entrepreneur and a business owner of a fairly large business and I can say that if Horangi got hit with ransomware that was certainly fatal to our company, we would be insane not to pay. If we got hit with ransomware and there was no doubt that we would go out of business for not paying, what other alternative do you have to keep your company afloat? And kind of the other analogy there is would you pay a ransom for your child if there was no other chance of recovery? Of course you would. It’s the only sane option out there. 

It’s a case-by-case type of situation. What is the actual impact to your business? Are you looking to pay that ransom because it is actually critical or life-threatening to that organization? Or is there just a really aggressive response because this is the first real crisis that the business has had to respond to? There’s not a blanket answer that I’m going to provide for anybody as a whole.

Sometimes we believe that businesses have the luxury of having many options but oftentimes, you either pay or go out of business. Is there a ransomware case that you’ve worked on where they’ve ended up paying and what was the thought process behind all of that? 

Sure. I’ve worked several cases where companies have paid the ransom. Some of them I didn’t really provide any advice on whether they should or shouldn’t pay but other times I’ve indicated that I didn’t think that it would be beneficial for that organization to pay and they paid anyway. 

There are generally two outcomes. If you’re going to pay a ransom, you have to make sure that you secure yourself against the initial infection vector before you pay the ransom or they’re just going to reinfect you and you’re going to get another ransomware attack. That’s really the biggest danger of paying the ransom. 

Now the other side of that is if you could just pay the ransom and pull down a backup fast enough, I don’t advise that. If you’re going to pay, make sure that you identify how the attackers got in and how they infected you in the first place. Remediate that issue and make sure that there isn’t a second stage malware and a third stage malware in there that allows the attacker persistent access. At that point, it’s less of a bad idea to pay. There are numerous examples out there. I would say it’s 50-50 whether payment actually led to a successful outcome for the business. There just isn't a clear answer. Ransomware is really nasty stuff. The tactics that these guys are using these days are just purely diabolical. It’s all around a bad day if you get hit with this. 

Yeah basically if you’re not properly prepared for it, it’s just going to be nasty. 

Exactly. Backups, backups, backups. 

We cannot emphasize that enough. Have backups. If you don’t know what to do, ask someone who has experience and they can guide you through all of that. This leads us to what I was going to ask you about next. At Horangi, we have written quite a few articles about responding to ransomware so your top advice for them is to have backups but if you had to give a crash course now to businesses who have a significant proportion of their workforce working remotely, what would your top advice be for these people? What kind of common mistakes can they try to avoid in the defense against ransomware attacks?

The first one is that when you receive an email (a lot of malware is delivered via email),, don’t click on any links that you’re not expecting especially if you don’t know who that person is. Generally speaking, I don’t click on any links from outside the organization. I don’t even care if I am expecting it. And also, don’t open any attachments that you’re not expecting. The same rules apply. Especially if you’re getting an attachment from someone you don’t know, don’t open it. If it’s an attachment from outside the organization, don’t open it. There’s going to be times where you can’t avoid that especially if you’re an auditor or a consultant or you’re a salesperson or part of the legal team who is expecting to get signed documents back from somebody. Every time you look at those documents and those links that you’re getting, make sure that it’s actually that person and actually their legitimate email address and not some obfuscated email address or spook email address that just appears the same but it’s not. 

The last thing like I said, backups, backups, backups. Backup your critical systems. Every 24 hours is my own personal rule of thumb. I think the industry standard is about a week. Our systems at Horangi are backed up numerous times a day for our critical infrastructure and we also maintain images of our workstations so if we do have something that’s on our workstations, it doesn’t take us a crazy amount of time to restore those either. 

Vada Lim
Vada Lim

Vada Lim is the Creative Designer at Horangi.

Subscribe to the Horangi Newsletter.

Be the first to hear about Horangi's upcoming webinars and events, up-and-coming cyber threats, new solutions, and the future of cybersecurity from our tech experts.