According to a 2019 study from Cybersecurity Ventures and Cisco, US businesses succumb to a ransomware attack on average every 11 seconds, meaning that thousands of small and medium-sized businesses all over the country will have a run-in with this debilitating and potentially devastating form of cybercrime.
If your company is attacked, you likely won't have to shell out $4.4 million like the Colonial Pipeline's owner — or will you?
How will things go down if, despite all your preparations, your company ends up being one of the businesses that Homeland Security Secretary Alexander Mayorkas stated compose 50% to 75% of all the victims of ransomware?
For an insider's look at exactly how you should proceed once you determine you're under attack, as well as tips on how to get out of the situation with the least amount of damage possible, Insider turned to Kurtis Minder, founder and CEO of GroupSense, a cybersecurity firm based in Arlington, VA.
It starts with a shutdown and a note
At GroupSense, there's such a demand for ransomware remediation services they've added a hotline that's featured prominently on the frontpage of their website. No one escapes this form of cyberthreat, Minder told Insider.
"We do a fair number of these and the companies vary in size from very large, well-known, NASDAQ-traded firms down to local dry cleaners," Minder said. "There are so many of them that are so small, we just do the work pro bono."
One firm Minder worked with recently, a 70-employee company in the imaging industry, retained GroupSense to help with the full cycle of the remediation process (while GroupSense has the capacity to help its clients with the full cycle of recovery, it maintains extensive knowledge of the dark web and sometimes only negotiates for the decryption of the files).
Independently owned, the company has two offices, one in California and one in South America. Because of its work in the imaging space, it managed a robust dataset — "probably terabytes," Minder said.
To start, there was the overall shutdown that's frequently shown when ransomware attacks are depicted in the media. "The staff came in on a Monday and they could not get into any of the systems. Everything was throwing back errors, and that included not only their desktops but also their file servers — everything was locked down," Minder said.
As the morning went on, the most technically capable person in the headquarters office — the one who did all of their networking — took a closer look. "That person was able to get into one of their file servers in safe mode, where he found that all the files were locked, but he found a ransom text on the desktop," Minder said.
Minder told Insider that most of the ransom notes that he sees are quite similar between the different ransomware groups, the "gangs" who perpetrate these crimes.
He said that they generally first provide a set of warnings about what the victim is not to do, including try to repair or decrypt the files. Then, according to Minder, the attackers will generally run down the situation, advising the company that their backups are also affected, that it should make contact with the attackers usually within 24 hours, and offering a discount for payment within that window. The note will conclude with a dark web site (a dot-onion address) where interactions with the threat actor will take place.
As with most cases, the threat actors had also locked down the company's backups, even though this company's backups were generated by an automated service and resided in the cloud.
"The 'bad guy' could see that and they went and encrypted those backups as well," Minder said. "They've gotten pretty good at looking for evidence of those different kinds of backups before getting out of the system and basically disrupting that, too." Minder added that if the threat actors are unable to encrypt a target's backup files, they'll often just delete them, achieving the same purpose — cutting off the company's access.
Minder said there's usually one more thing in the ransom text when it's first discovered: They won't tell you how much they're asking for, but the ransomware group that you're dealing with will give you their name. "For some reason, they're really big on their brand," Minder said.
Back in the California office, with his whole computer network on lockdown, the victim did some research and got in contact with GroupSense. Minder said the most important thing to do at this point is to resist going to the dark web address yourself.
To pay or not to pay the ransom
When Minder began working the case with his team, his first step was to have a conversation with the business owner about his intentions regarding the ransom. Minder said there are several things to keep in mind when making this assessment.
"It's not just how much business are you losing," he said. "Most threat actors are not only encrypting the files but they're also threatening to leak those files, and that's another driver. Can you successfully recover by rebuilding your servers and restoring them in some way so that you don't have to pay a ransom? And are you okay with, if you go down that path, the threat actors dumping that data and potentially exposing your clients? Those are the things you sign up for if you're not going to engage."
Minder said that this particular owner decided he didn't want to take the chance on the security of his clients' data and also wanted his servers back up ASAP.
It was at that point that Minder's team went to the site on the dark web on their behalf. What they find when they get there varies depending on the group involved, he said, but in the case of this company that was under attack — which was relatively small — the ransom was set to approximately $15,000.
Minder said there's also generally a timer on the site, which begins counting down at the moment of the first log on. In this case, the timer was set to six days. "There's a threat — it says if you do not pay by this time, we double the price and we start leaking your data. That's designed to create a false sense of urgency in the victim," he added.
While his team is on the dark web, getting the threat actor's initial information via a chat link that's usually made available on the page, there are some determinations that can be made about the ransomware group. The fact that they generally come out of a handful of countries — Russia, Belarus, Moldova, Turkey, Bulgaria, Ukraine, and a few others — is no secret. But there's more to learn.
The majority of these deals are transacted in cybercurrency, generally Bitcoin or Etherium, and sometimes Monero, Minder said. In order to accept a payment, the threat actor must provide a cybercash wallet ID corresponding to his preferred method of payment. Once Minder's team has that wallet ID, they check its origins in a program called (Kaspersky) CyberTrace, which can not only provide additional background about the attackers but also potential negotiating ammunition.
"We check to see if it's on the (US Treasury) OFAC (Office of Foreign Assets Control) banned list and to make sure that it has not transacted with other wallets that are on that list," Minder said. "Sometimes we can see the amounts of transactions, which gives us an idea of how many transactions they're doing for how much, and that gives us an idea of how much they might accept for a settlement amount."
The negotiation begins
While the negotiations are going on, it's important to leave the affected computers alone.
"In this case, there was no reason for their employees to go to the office because literally nothing worked. They were shut down," Minder said. "My recommendation in every case is that they engage a proper, local incident-response firm and that incident-response firm is likely going to tell you immediately, 'Do not touch anything.' They need the forensic evidence to figure out what happened and the extent of the damage."
The key factors in successfully working with the ransomware group are the amount of time a company can live without the files in question and the professional negotiator's clear and consistent conversations with the threat actor.
"In any negotiation, intentional delay — stretching out the timeframe — almost always helps," Minder said. He said that while his team can generally bring a ransomware event to a conclusion within two weeks, in this case, the company under attack was not experiencing undue financial pressure, so they were able to work at a more leisurely pace.
Minder said his team always approaches conversations with the threat actor like a business transaction. In this case, they let the attacker know that they were present in the negotiation and listening and that they intended to transact a deal, but that the timeframe laid out was not realistic and explained why. "When it's a professional firm that they're familiar with negotiating the deal, most of the threat actors have no problem with that," he said.
With that, the two sides were able to reach an agreement on a price. While Minder's team transferred the client's money into cryptocurrency, Minder asked for what's called "proof of life."
"We'll send them a couple of encrypted files and the 'bad guys' will send them back unencrypted to prove that they have the ability to do this," Minder said. "Then, we will agree that we're going to transfer the funds, and we will put it into an agreement that's almost legal in its language — in return for this amount of money, we ask for a bunch of things, including that they're going to decrypt the files, tell us how they got into the network, and other things."
The next step in the process was sending a test transfer of a small, random amount of money to the ransomware group's wallet — "What you don't want to do is transfer the money and then have them claim that they didn't get it," Minder said. Then Minder asked the group what amount was sent, and when it matched, they transferred the money.
The group then sent the decryptors, and Minder's team immediately made sure those decryptors weren't weaponized in any way, meaning that they weren't carrying additional malware. The decryptors were then passed on to the customer.
Minder said that generally, GroupSense can reduce the ransomware group's initial asking price by 40% or more. In this case, however, the company paid considerably less.
"The original ask in this case was in the range of $15,000, and the company actually paid about $2,500 to get their data back," Minder said.
As for how the ransomware group had gotten into the company's system in the first place, Minder said that someone at the company had opened up a remote desktop port so that one of the company's owners could get into the network remotely and didn't secure that port properly. Minder said that this has been the scenario that has led to many, if not most, of the small-business ransomware hacks that GroupSense has seen, especially since the onset of the pandemic when so many people have been working from home.
Expert strategies for coping when you're under attack
It's instinct to turn to Google for help in an emergency, but Minder said that can lead to problems. "There are a lot of scams out there. Some of the scams, they appear to be legitimate, they claim to be able to decrypt files, but they actually can't, and they end up just defrauding you for more money," he said. He added that you should definitely take a pass on any companies offering hard-and-fast decryption guarantees.
Minder also said he's seen non-professionals make mistakes like antagonizing the ransomware operators, lying about their business or financial situation, or being just generally dishonest. Playing games, pushing the buttons of the threat actors, and intensifying the false timeline sets the negotiations on a path that's very difficult to reverse.
Minder stressed that the omnipresent countdown clocks are designed to get people to act quickly, but that there's typically no benefit from paying quickly. "As long as we are negotiating in good faith with the threat actor, we can typically reduce it by more than the discount, easily, and sometimes by much, much more," he said.
On the other hand, speed can work in your favor when the threat actor has a buildup of customers, Minder said. "They're probably managing 30, 40, 50 of these victims at a time, so they're also very transactional in nature — they want to move fast, they want to get it over with. Sometimes that can also work to your advantage," he said.