Can Organizations Still Pay Ransomware Demands?

Matt McCabe & Winston Krone
Tags: payments, Ransomware, sanctions | March 10, 2022


The Russian conflict against Ukraine brought devastating impacts for both nations.  Beyond the initial tragedy, as fighting continues and sanctions sink in, government and industry can expect cascading implications of a global magnitude.  Those implications include greater cyber risk.

One early issue that has surfaced is how closely threat actors are aligned with the Russian government, and what that will mean for the payment of ransomware demands.  If criminal gangs are taking direction from the Russian government, they risk being identified as a national security risk.  Even where such alignment is not clear, Executive Order (E.O.) 14024, which President Biden signed in April 2021 in response to Russian interference with US elections, banned transactions with entities found to be “responsible for or complicit in, or to have directly or indirectly engaged or attempted to engage in, [malicious cyber-enabled activities] for or on behalf of, or for the benefit of, directly or indirectly, the Government of the Russian Federation.”  Cybersecurity consultants, cryptocurrency payment intermediaries, and breach coaches must now consider, in the context of the Ukraine conflict, at what point a threat actor crosses the line into engaging in malicious cyber activities for the benefit of the enemy.

Several criminal ransomware groups, like Conti and Stormous, leapt to the forefront of this debate when they issued public statements on the Ukraine conflict.  By far, Conti was the most prominent because of its prior success in extracting ransomware payments.  On February 25th, Conti issued a declaration of support for the Russian government and threatened to retaliate against Western cyber operations with strikes “against critical infrastructure of an enemy.”  In response, pro-Ukraine hackers leaked troves of Conti’s inner communications that offered deep insight into the Conti gang.  The next day, Conti rephrased its statement by disavowing any relationship with the Russian government, stating its opposition to the war, but promising to strike back against “American aggression” that threatens Russian citizens.

Did Conti cross the line?  How should other Russian actors be viewed?  The issue is complicated, the situation is fluid, and without a formal sanctioning of the threat actor, the decision is a judgment call based on the totality of the circumstances.

Organizations facing ransomware events, including Conti-sponsored attacks, should make sure they:

Act to prevent it.

Every conversation on ransomware must include reminders on prevention and how an organization can harden its security posture.  DHS’s Cybersecurity and Infrastructure Security Agency recently released a comprehensive advisory for combatting Conti ransomware.  The cyber insurance industry has also been providing helpful guidance on cybersecurity controls for preventing ransomware.  Perform a gap assessment, build cyber hygiene, patch your software, back up your data, and prepare for the worst.

Go deep on threat intelligence.

The materials disclosed by ContiLeaks provided valuable insight into the threat actor and largely confirmed that Conti is an autonomous and highly successful criminal organization.  Conti is a collection of affiliates that vary in skill, experience, and appetite for risk, both commercial and personal.  However, Conti is only one of dozens of threat actors, each of which may have unique tactics, appetites, and loyalties.  Before responding to a demand, organizations should have access to a comprehensive threat actor profile, developed with expertise gained from negotiation experience, forensic investigations, and strong threat intelligence.  With better data, organizations can make better decisions.

Consider the totality of the circumstances.

Conti’s statements are a formidable warning.  Rather than address the risk, some incident response vendors have already tapped out and refuse to deal with Conti engagements.  At the same time, Conti’s declarations are self-serving.  Ransomware actors cannot exist without the safe harbor of the countries that protect them from Western law enforcement, and that dynamic has existed since before the declaration of E.O. 14024.  Currently, we do not know whether Conti intends to take action or was simply currying favor with its nation-state protectors.  Organizations facing a ransomware payment must consider all available facts.  Does the attack appear to be motivated by profit or by political reasons, and is the attacker acting consistently with its usual criminal motive of profit?  Is the victim in critical infrastructure?  Do the outcomes of the attack support the goals of a foreign government?  Is the threat actor behaving in a normal, commercial manner and looking for quick payment in return for decryption keys?  Notably, these considerations not only guide the decision on making a payment but also will figure heavily into whether the cost is insurable or triggers terms like a war exclusion.

Keep in touch with law enforcement and regulators.

Industry is not alone in this fight.  With an all-of-government approach, regulators and law enforcement have made resources and consultation available to organizations.  The U.S. Department of the Treasury has recommended early, full, and ongoing cooperation as a key aspect of mitigating the risk of sanctions violations.  Where possible, organizations should build relationships with the FBI, CISA, and Treasury in advance of an event.  Victims should provide early notice, prior to payment, when they succumb to a ransomware event, and they should candidly communicate with government agencies on the evolution of the attack.

Paying a ransomware demand has always been a complicated issue.  The FBI recommends that victims do not pay, because ransomware is a classic tragedy of the commons.  Every victim forced to pay a demand increases the risk for everyone else.

Some organizations, however, run out of options and must pay to survive the incident.  Even where payment is the last remaining option, victims must still take caution not to violate laws and regulations by paying a sanctioned entity.  By working with expert advisers, gaining insight on the attack, and closely cooperating with law enforcement and regulators, organizations can still navigate the incidents successfully.