Ideas Made to Matter
How to respond to a ransomware attack: Advice from a federal agent
Ransomware attacks can cripple critical infrastructure and supply chains, create crises for companies, and enrich the bad actors.
They continue to be on the rise, with several notable incidents in 2021. In March, insurance company CNA Financial paid $40 million to regain access to its data. Colonial Pipeline, one of the major oil suppliers for the East Coast, paid $4.4 million in ransom after being attacked in May. The same month, one of the world’s largest meat providers, JBS Meats, paid $11 million after a ransomware attack threatened to disrupt the global food supply.
Even smaller companies are increasingly at risk, according to Stephen Nix, assistant to the special agent in charge at the U.S. Secret Service. Lower-level cyber actors are starting to ask for smaller payments of $500 or $1,000 with attacks on smaller “mom and pop” businesses, said Nix, who is detailed with the National Cyber Investigative Joint Task Force. More companies are faced with how to respond to ransomware attacks and whether to pay a ransom.
The first piece of advice from federal agencies is simple: Don’t pay ransomware hackers, Nix said at the recent EmTech CyberSecure conference hosted by MIT Technology Review. “I want to say point blank, you're going to hear every single federal law enforcement [agency] say, ‘Do not pay the ransom,’” Nix said. (Experts advise that there are other ways to retrieve data.)
But Nix acknowledged that paying ransom is a fraught business decision for private companies, and many decide to pay the ransom.
In either case, he outlined five things that companies should think about when making that decision:
Reach out to federal agencies
Nix urged companies to reach out to federal agencies after they’ve been attacked and as they consider whether to pay ransom. Authorities may be able to provide valuable information such as:
Decryption tools. Federal agencies might be able to trace a ransomware attack to a type of ransomware that can be decrypted. This means getting information back without having to pay anything. (In addition, the website nomoreransom.org aims to help ransomware victims who don’t pay, with decryption tools and other information.)
Insight about different scenarios. Nonencryption extortion schemes have become more common, Nix said. In these situations, hackers send mass emails telling companies that while they haven’t encrypted their data yet, the hackers are in their systems, so they should pay. Many companies decide to pay and then move on. But there are other things to consider and questions that authorities might raise, like whether hackers even have access to data, and if they do, if it can be replicated or backed up through other means. “I’m not saying don't pay the ransom,” he said, but “think of these questions before you do that.”
Nix advises companies experiencing ransomware attacks to visit stopransomware.gov, a website that has a host of information from federal entities and information about how to be in touch with them. “[Even] if you don't call the Secret Service or the FBI,” he said, “if you go there, there is significant information for you to battle through this issue.”
The Cybersecurity and Infrastructure Security Agency (CISA) website also has valuable information.
If you ‘pay something, say something’
“Once you do pay, we’d like to hear about it,” Nix said, noting his agency has adopted the saying “Pay something, say something.”
Potential recovery of money. Federal agencies are sometimes able to track and even seize payments, which are typically made through cryptocurrency, Nix said — one reason why agencies would like to hear from companies. “How can we make attribution back to a specific victim if we didn't even know you made the payment to begin with?” he said. For example, the Department of Justice seized a majority of the bitcoin that Colonial Pipeline had paid to ransomware attackers.
Insight about the actors. Nix and other experts have learned from scores of attacks, and even have psychological profiles of ransom negotiators. “Don’t forget, this is just a business model,” he said. “These high-level cyber actors have farmed out negotiations. Multiple variants use the exact same ransom note.” Nix said he can advise companies about things like what percentage of ransom demand attackers have accepted, and whether they’re likely to ask for more money later.
Know what can happen after payment
Ransomware attacks don’t necessarily end with payment. According to Nix, about 46% of the time when ransoms are paid, the decryption tool doesn’t work completely, and companies don’t regain full access to their information.
Additionally, companies are more likely to be revictimized after paying a ransom — some firms face double and triple extortions in which people come back after a company again and again. Nix said that today, about 70% of ransomware negotiations are a case of double extortion. “The fact that you're susceptible, that you pay, they are coming back after you,” he said.
Understand the consequences of paying
Ransoms allow cyber actors to spend money on research and development and hire better, more qualified people, Nix said. He estimates that over the last few years, about 40% of ransom payments have been going toward analysis of how to operate in the future. Sometimes hackers ask for cyber tools — codes or software — instead of money. “It's very smart on their part to ask for, but it is very foolish on any business to actually purchase any of these cyber tools or software and send those codes overseas,” Nix said.
Paying ransoms also gives actors incentives to continue attacking companies. “If we continue making the ransom payments, this will not end. This will just keep propagating and get worse,” he added.
Remember to focus on prevention
Ideally, though, companies will never face these scenarios. Phishing is still the number one cause of cyberattacks, he said. “So doing backups, doing your patching, and just basic cyber hygiene, you would never even have to speak to us.”