For every high-profile ransom incident, many more appear in the headlines that have never been reported. For small and medium-sized enterprises in particular, often with small IT and cyber security units, a ransom call can be an existential problem.
To understand how companies must respond when faced with a ransom threat, we spoke with Kurtis Minder, CEO and co-founder of GroupSense, who helps companies deal with these attacks to get their business back online.
BN: What else should companies know about ransom attacks?
KM: The first thing they need to understand is a ransom attack – the wrong name. It covers only some of the methods used by the threatening actors to blackmail companies. Yeah, infecting companies with ransom money is part of their business. However, almost all of the attacks we see today are linked to threat actors who have long been in the victims’ network and have stolen their data. They then issue a ransom programme to attract the victim’s attention and set the terms of payment. But now they hit their victims with two levers: first the ransom software itself and the need for the victim to get his or her operation back on track. Then there is a data breach and the threat of disclosure if the victim does not pay. So even if you can fend off a ransom attack, you still have to deal with the part of the equation that violates data security. This situation is evolving into a difficult situation that most companies cannot cope with.
BN: What are the biggest mistakes companies make when buying for free?
KM: The biggest mistake was that the CEOs should have removed the issue from the list of cyber security issues and left it to the CISO. The ransom raid is a business crisis and should be treated as such. This means that a crisis response plan and crisis teams must be in place before an attack takes place. As in other crisis situations, each member of the board of directors and each CEO, from financial and legal services to corporate communication and public relations, must be synchronised with the appropriate response. Even a basic question: Are we going to pay the ransom or not? This decision is taken at the level of the CEO, taking into account all business implications of one of the options.
BN: Given the demand for your services to respond to ransom demands, do most companies choose to pay ransom?
KM: I don’t know the statistics on this, but I can say that companies are under enormous pressure and often receive different advice when they are taken over. The pressure from the company is clear – the company needs to get back online as soon as possible. Then there’s a question: Can we do it in a reasonable amount of time without paying the ransom? It’s a fairly simple calculation. Advice to the contrary is more problematic – the U.S. government and the FBI advise companies never to pay the ransom, but their insurance companies can tell them to pay it because it would be cheaper for everyone than expensive rehabilitation. And now the government is threatening to impose fines if companies pay the threatening actor who is subject to economic sanctions. This is a simplistic approach to a complex situation – we all want to take a high moral road, but when the well-being of your business is at stake, a high road can also be a way out.
BN: What are the first steps companies have to take when they are bought out?
KM: First, they mustn’t panic – there’s a solution. And that starts with verifying the threat actors’ claims – did they really steal your data? There are sites of shame on the Black Web used by ransom syndicates to inform companies about the imminent publication of their data. If a threat agent claims that your data has been stolen, in addition to setting up a ransom, there is a chance that he will post it on one of these embarrassing websites. Moreover, good intelligence services can confirm the reputation of the threat actor and even involve him in the search for evidence that he possesses the data. Therefore, monitoring the black network and searching for threats is an integral part of the solution process.
BN: These are probably not the skills that most companies would have at home?
KM: That’s right, I’m not… These are specialized skills. If you are involved in major litigation, use a specialist law firm to represent you. The same dynamic is evident here – companies need the help of people who have already seen this film and can press all the right buttons to confirm the threat. Once this has happened, the victim can make an informed decision to pay the ransom or to be treated. It all depends on a willingness to take risks – perhaps a company can even afford to resolve a ransom situation within a reasonable period of time, and disclosure of data will not do much harm. But for an effective assessment of the overall risk, it is important to know who you are dealing with. You’re gonna need threat information there.
BN: And if the company decides to pay the ransom, how would they hire a threatening actor?
KM: This is an area where a lot of companies go bankrupt because of what I mentioned earlier, because they think it’s just a matter of cybersecurity. This is a business crisis, so it takes a good crisis negotiator to involve a threatening player. This person is probably not your CISO, CIO, CFO or any other manager. If you’re being held hostage in a bank by a hardened criminal, do you want the first agent to negotiate on the spot? Or would you prefer the FBI negotiator to take responsibility? This is clearly the last one. Nothing has changed with the ransom – there are a million ways ransom negotiations can get out of hand. Apart from the fact that you have too many worries that everyone has, you can upset the ransom player, which will cause even more damage to your business. These situations need to be properly addressed by experienced professionals who not only negotiate with the threatening actors but can also confirm that they are threatening them and that they are fulfilling their part of the agreement (do they actually destroy the data stolen under the agreement or are they lying? Can you really decipher your data or not?) Most companies have no experience negotiating in crisis situations, let alone with the black web and the general risks to which the company is exposed. This level of knowledge is usually only available from external specialists.
BN: Finally, what else should companies think about when the ransom falls on them?
KM: Ransom attacks don’t end so quickly because it’s easy money for those involved in the threat. It is therefore essential that companies, regardless of their size, take this threat as seriously as other major business risks. It is not enough to solve an incident with or without a ransom; companies also need to communicate with all parties involved to avoid problems such as regulatory violations, legal consequences and damage to customer relationships. The best thing a company can do is to identify its outsourced ransom expert so it knows who to call in case of an attack. And this expert should also be able to help them include ransom attacks in their companies’ crisis response plans. Companies that prepare themselves in this way in advance can significantly increase the chances of success.
A loan for a painting: Yuri Vlasenko / depositphotos.com
what to do if you get a ransomware email,ransomware file extensions list 2020,can ransomware spread through wifi,how can ransomware be prevented,how does ransomware spread,does ransomware steal data,multiple choice questions on ransomware,questions on ransomware attack,examples of malware spreads,ftc quiz,can ransomware encrypt an encrypted drive?,what is the approach used by spear phishing?,no more ransom file decryptor,how to destroy ransomware,report ransom,nomoreransom decryption,crypto ransom,avaddon general decryptor,is ransomware real,how to use ransomware,ransomware essay,effects of ransomware,how to identify ransomware,how is ransomware installed,crypto ransomware,ransomware help