Preparation for ransomware requires a conversation on business ethics

Business leaders must accept that ransomware attacks are a foreseeable risk. 

Conclusion: Ransomware has proven such a successful cash cow for criminals that it is unlikely they will voluntarily stop their attacks. This means that business leaders must accept that further ransomware attacks are a foreseeable risk. While there are important conversations around the level of appropriate technical controls that an organisation may wish to implement, this conversation can only occur after business leaders have decided whether they want their organisation to help fund organised crime, or not. For organisations with a strong corporate social responsibility ethos, this is a very easy decision to make, but it is imperative that business leaders understand why they are committing to better technical hygiene and accepting tighter technical controls.

Observations: Ransomware is an attack against computer systems that encrypts the drive and potentially prevents the user from accessing the data unless a ransom is paid. Australia is being seen as a popular target for criminals using ransomware to make money, and the Australian Cyber Security Centre (ACSC) notes in its 2015 Threat Report that one variant of ransomware (TorrentLocker) was first used in Australia before being released on the rest of the world. The ACSC also notes in its 2015 “Cyber Security Survey: Major Australian Businesses” that 72% of respondents stated that their organisation had been attacked by ransomware in 2015.

IBRS advisors have facilitated many roundtables (sponsored variously by Symantec, McAfee, Telstra, Forcepoint, Palo Alto and VMware) over the past three years. These roundtables have been attended by over 100 CIOs and information security executives. At each event, IBRS has asked the attendees about ransomware, and at each event all the attendees agreed that their organisations had been impacted by it.

The explosion of ransomware in Australia has resulted in two important outcomes that are worth considering and then taking action on.

    1. Executive level attention: The range of ransomware attacks have been against workstations, laptops and servers. In many instances, executive laptops have been compromised, resulting in immediate executive level attention. Typically, when an organisation has had an executive’s laptop attacked by ransomware, the IT team is given mandate and budget to implement controls that will minimise recurrence of the attack. As with all information security, the level of control must be directed by the criticality of the data to the organisation. (SANS has published a paper, “Enterprise Survival Guide for Ransomware Attacks”, which talks through the most common controls.)
    2. Lucrative for attackers: While most security vendors and law enforcement agencies have stated publicly that they advise organisations against paying the ransom, in private it is widely recognised that a ransomware attack can cripple an organisation, and that paying the ransom may be the only option to continue operations. This has resulted in an extremely lucrative business model for criminals. Naturally, success encourages repetition, which means continuing attacks are entirely foreseeable.

Ransomware future directions:
 In a private briefing held under the Chatham House Rule of 19 Chief Information Security Officers from some of Australia’s largest organisations, a world recognised cyber security expert (and former Pentagon security officer) said that ransomware criminals had learnt from their successes and were:

          • Building up their attacks against organisations,
          • Targeting roles within an organisation (e. g. Chief Legal, CFO, etc) that were likely to have highly valuable data on their laptop,
          • Asking for much larger sums of money (including instances of nearly $1million),
          • Creating more aggressive ransomware that would propagate across a network, seeking additional targets,
          • Ensuring that people that paid the ransom were given the decryption key. The reasoning for this is that the criminals need to protect their reputation in the market and have their victims assured of the criminals’ trustworthiness. While there are instances of victims paying ransomware and not being given the decryption keys, these appear to be the exception.

Expect more and prepare accordingly: The time to be having a discussion about whether an organisation is prepared to pay ransom, or not, is not in the middle of a successful attack.

Note that the decision to pay, or not, should not be based on the equation of, “which is cheaper, the ransom or the cost of security?” Management’s decision should be driven by the question, “are we prepared to hand money to organised crime?” Ransomware is not some minor annoyance that can be dismissed as a cost of doing business; it is directly funding organised crime. When executives consider that their choice to pay a ransom may directly help fund the illegal drugs trade and sex trafficking, the only morally defensible option is to not pay, and prepare accordingly. For organisations that are keen to maintain a brand of trustworthiness and corporate social responsibility, it should be a simple decision to make.

It is vital that business leaders understand that all organisations must raise their technical hygiene and resilience practices to help prevent ransomware.

Next Steps:

Ransomware attacks are foreseeable, so organisations must have a plan. This means raising technical hygiene, and having a clear understanding of what information is valuable and what is not:

          • If information is not valuable, then the device holding this data can be wiped with little to no impact.
          • If the information is valuable, then a business impact assessment will help determine the appropriate level of technical controls to prevent, or minimise the impact of, an attack.

Most importantly, executives must make a decision on whether they are prepared to pay money to organised crime, and this decision must happen before an attack. It is only with the clarity of this executive decision, ideally made at board level, that an organisation will have the will to commit to maintenance of technical hygiene and implementation of appropriate controls.