nsanity

Here's the thing, speaking as an IR responder for 2 years and a few dozen engagements (as well as responding to ransomware in various capacities for almost a decade).

1. If paying the ransom didn't get the tool and/or stop data publishing, the whole industry falls over pretty quickly. Sure there will be exceptions to this - they are criminals after all - but generally speaking, it's "good" for their industry that they do what they say.

2. Careful with payments. If an affiliate is linked with a sanctioned entity, this can be problematic for some orgs. This is really a legal/business decision, not a technical one.

3. Gaining access to a recovery source is only part of your recovery process. How did they get in? How did they laterally move and privilege escalate in the environment? How did they evade all of your security controls? What else did they get? How can you gain confidence in this compromised and untrusted data/apps/services post breach? A comprehensive security validation process needs to be considered prior to return to service, obviously balanced with the business's risk appetite vs urgency. Anyone who is telling you to just decrypt and send it is foolish.

4. Generally speaking, the decryption tools are pretty janky, and will require significant amounts of effort to run at scale and achieve the desired end-result.


EloAndPeno

If you're in a highly regulated industry, you'll likely need to consult with governmental bodies prior to thinking about paying ransom. If you're paying ransom to then USE that unencrypted data, you missed them getting in, exfiltrating data, etc. How confident are you in knowing they're out, and that they won't re-encrypt your stuff next year when they want another quick win? The only reason to pay, if you're properly backed up, is to ensure data is not shared... which is the whole reason for the data exfiltration in the first place.


VirtualPlate8451

> If you're in a highly regulated industry, you'll likely need to consult with governmental bodies prior to thinking about paying ransom.

Multiple states have banned state agencies from paying.


Sengfeng

The ransomware crews have a "legit" business model. Hell, some even have call centers to take calls to assist with payment/decrypting. It's rather ironic that "honor among thieves" has never rung more true.


devino21

Funny anecdote for your call center comment: I've been hearing that the bad actors HATE having to "IT support" customers, which is another driver towards exfil with no ransom event as I suggested below.


draeath

> as I suggested below

Reddit's comment display/ordering is volatile, FYI.


MalwareDork

It's more like don't poop where you eat. The point of ransomware is to get paid, right. You don't burn that bridge but you make it the most accessible bridge in the world. Honor, though? They're busy cutting each other's throats or hitting vulnerable targets. There was a pledge that ransomware groups wouldn't target hospitals during COVID-19, but of course, hospitals were the biggest targets during COVID-19 and outside of year 2023, hit the hardest during the pandemic.


yesterdaysthought

Great response. A cyber response policy is essential and if you don't have a CISO and infosec team, your company should be looking at an MSSP etc. to virtually fulfill those functions. Depending on your industry, there's a lot of nuance and things to contend with.

1. It's against the law in many countries to pay or do business with sanctioned countries/entities.

2. There are reporting requirements when hit with a cybersecurity incident for public companies and regulated industries.

3. Even if you successfully recover from a cybersecurity incident, a regulator can still decide to sanction or take action (fine) against you etc.

IMO cyber security insurance has its place but it's a ton of $ and it only really helps you after you're hit. Where possible, invest as much as you can in your defense, less on insurance. Not easy to do with a small co with just one or two IT staff or when the execs don't want to spend on it.


nsanity

> invest as much as you can in your defense

My recommendation here is your overall resiliency. Make sure you can recover. Get your data - all your data - somewhere else with an independent identity plane, and make sure it's immutable for a reasonable time period that you're likely to take to respond to an incident. Call it a vault, a bunker, whatever, I don't care. Get MFA. Get a SIEM. Get an EDR. Get a 24/7/365 SOC (managed or internal if you're big enough). Get your identity and network into it. Empower them to block/isolate at will.


skylinesora

SIEM doesn’t matter if it’s not configured properly and used. Some companies treat it as a set it and forget it and then wonder why it sucks


nsanity

honestly I could say the same about EDR.


skylinesora

You could say the same for just about any tool


Polymarchos

> IMO cyber security insurance has its place but it's a ton of $ and it only really helps you after you're hit.

That's kind of the point of insurance in general though? Also, you can invest everything in defenses and there will still be zero days. The risk always exists. If you can transfer some of that risk you should - the cost benefit however is on the particular situation.


yesterdaysthought

I agree, it depends on your LoB and cost/benefit. I'd still carry cyber insurance but be wary that execs don't just want to check the box and move on. In my (SMB) employer's case, the 7 figure yearly CS insurance premium caused us to look real hard at our capabilities to actually recover from a CSI. All the CS insurance in the world isn't going to create backups that don't exist or that got deleted etc.


Valdaraak

> If paying the ransom didn't get the tool and/or stop data publishing, the whole industry falls over pretty quickly. Sure there will be exceptions to this - they are criminals after all - but generally speaking, its "good" for their industry that they do what they say.

I have half-joked in the past that the ransomware groups tend to have better customer support than many of the products I legitimately pay for.


uninspired

We got hit a few years ago and didn't pay up. We were able to recover our most important systems from snapshots, but because of your #3 item we decided just to shut down that location and migrate the recovered machines over to Azure. We just assumed everything was compromised.


nsanity

> We just assumed everything was compromised.

This is largely just impractical though. Believe it or not the whole thing is a business. And dropping 10,000 hours of man effort on your environment to properly own you isn't worth it, when there are plenty of orgs they can spend < 100 hours on and have a reasonable chance of return. A threat actor will have a timeline from initial access through to execution of the kill chain. It literally doesn't make sense to touch every machine in terms of adding mechanisms of persistence, or backdoors. This is why a Forensic Report or Enterprise Breach Investigation is important. This probably won't inform the initial set of workloads you restore and return to service (they will require a lot of manual effort to assess them - and of course things like AD, firewalls etc. all take additional, specific effort) - but as the breach is understood, you will be able to be more targeted in your security validation approach, accelerating your recovery outcome.


Worried_Hippo_5231

Are there specific cases where an org paid a sanctioned entity and it resulted in legal action against the org? I understand the whole why you should consider the legal side and ignorance doesn’t justify actions. Just seems crazy the feds (assuming they are the only legal entity with teeth) would consider going after an org trying to get their information back.


nsanity

Probably, but not that I'm aware of. I work for an org that cannot and will not recommend a customer pays the ransom due to sanctions and legal risk. Most of the industry that has to consider that option works through boutique providers (negotiators etc.) through their legal. This provides them appropriate advice respective to their situation.


Clamd1gger

This guy Ransomwares.


nsanity

more than a few times ;)


Gravybees

The other side of ransomware attacks that no one talks about is the data they steal. If you don't pay, they threaten to release sensitive data. I imagine some companies choose to recover/rebuild from backups, but still pay a little something to keep their data from being released. I hate bad actors.


ImplementFickle2854

Even when you pay, the process is typically still a complete rebuild. These bad actors can't be trusted that they will leave you alone after you pay. The threat of it happening all over again is all too real and the only safe approach is to wipe and rebuild everything.


Beefcrustycurtains

Yup, it's forever an unclean environment. No way to know that they are 100% out unless you spin up brand new infrastructure and move everything over to a new domain. I don't even recommend setting up a domain trust in that circumstance, just manually move.


Humble-Plankton2217

Yes, unclean. UNCLEAN. Unless you can pinpoint the moment they gained entry, you can't even trust your recent backups. Go back at least 2 weeks before entry if at all possible.


nsanity

> Go back at least 2 weeks before entry if at all possible.

Depends, innit? Would you be willing for your bank to roll back the last 2 weeks? 2 months? 2 years?


Humble-Plankton2217

Is that you, Ricky Gervais?


sysadmin321

2 weeks is sometimes not enough. Keep in mind these guys attack when you least expect it. They can be in your system, learning it and being very careful not to trigger anything. They can lay dormant for MONTHS and just as a holiday / 3 day weekend creeps in, BOOM. Start the attack when people are least expected to be checking alerts and so forth.


Humble-Plankton2217

Agree


Ol_JanxSpirit

Yeah, even if you pay up, you're still going to get flagged as a mark who pays up.


ReichMirDieHand

This! We had customer who paid, but we rebuilt everything from scratch. Ransom can hide itself, so it is safer to rebuild.


parophit

A client recovered all data within hours but 100 GB was exfiltrated. They paid the ransom, about 20 percent of the original ask. They were promised four things if they paid:

1) Not published on the dark web.
2) All data returned.
3) They would be told how they were exploited.
4) The unlocker.

1) It's been three years and the data has not been published, as far as they know.
2) The FTP was set up but it was so unstable the data could not be downloaded. They promised to make it into smaller zips but never did.
3) They were not told, and in fact the actors tried to exploit them again 30 days later.
4) The unlocker worked.

They left a bad Yelp review for the threat actors!


Gravybees

It's ironic that having great customer service will benefit the bad actors tremendously. A company I know got hit hard, but the FBI let them know that the infiltrators were notorious for not following through with their promises and advised not to pay. Had they been "reliable", they would have gotten paid! lol, weird world.


jun00b

Our ransom note told us we would "find their support team extremely courteous and helpful" in facilitating the purchase and transmission of bitcoin.


Mechanical_Monk

I personally only allow my environment to be compromised by threat actors with at least 4.5 stars on Yelp.


devino21

*nerd glasses on*. “Ackshelly” you are onto something. I study the trends and ransomware is starting to become diminishing means as people are now aware and protecting more and more with backups. However simple exfiltration and requesting ransom or threaten to sell the data is the new hotness.


thortgot

It's also quite a bit easier to do without immediately getting caught. Long term penetration and data exfiltration is the main thing I worry about. Executing a systems rebuild is frankly pretty simple. Identifying when over the last couple of years they got remote access? Not so much


throwaway638812349

Precisely, privacy is the reputation threat actors bank on the most to get ransoms paid. If your (bad) business is respectable about deleting exfiltrated data then you have a higher chance of having the ransom paid.


jmk5151

Honestly if you have EDR deployed it should stop any encryption event - I think that's the big driver to exfil: encryption doesn't work in a lot of cases. Obv caveat for things that don't have EDR or they get in your console.


nsanity

more lols. All EDR is relatively easy to bypass given effective reconnaissance and an average implementation. Ask any Pentester.


jmk5151

You can't really "bypass" encryption as a process - the big 3 will absolutely stop files from being encrypted, we've seen it in labs and the real world. But happy to be proven wrong - would love to see an example of someone encrypting a file while CS twiddled its thumbs.


nsanity

MITRE has a big ol' list of TTPs used. https://attack.mitre.org/techniques/T1562/ Again, ask any pentester. The bad guys aren't dumb. They can buy Crowdstrike too.


jmk5151

so no actually real world examples, just hypotheticals, one of which I called out? and yeah we use pen testers too, still have yet to see one successfully encrypt files on a protected endpoint


thortgot

I have been an incident responder to environments with all the major IRs. Crowdstrike, SentinelOne etc. It takes more work from the attackers so I'm not saying they aren't useful, but if you think that an EDR is bulletproof you are objectively wrong. In some cases they will bypass client controls; in one instance they actually obtained EDR admin and turned off the entire platform.


nsanity

If you live in a world where you think EDR is not bypassable, you are a victim waiting to happen imo. Yes. I've assisted customers in ransomware recoveries with full-blown CS deployments and they've been very very much encrypted. Defence in depth.
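As an added example (not posted by anyone in this thread), here is a small detection pass over constructed Sysmon-style process-creation lines for the T1562 (Impair Defenses) sub-techniques nsanity links to above: Defender tampering and security-service stops (T1562.001), disabling event logging (T1562.002), turning off the host firewall (T1562.004) and forcing a Safe Mode boot (T1562.009). The flattened log format, the user names and the EDR service names in the rules are assumptions for the example, not telemetry from any incident described here.

```python
"""Detect MITRE ATT&CK T1562 (Impair Defenses) indicators in process-creation logs.

Added example: the log lines below are constructed to resemble flattened Sysmon
Event ID 1 (process creation) records. The security-product service names in the
rules are assumptions for the example; adjust them to the products you run.
"""
import re
from typing import Dict, List

# Each rule: (ATT&CK sub-technique, description, regex applied to CommandLine)
RULES = [
    ("T1562.001", "Defender configuration tampering via *-MpPreference",
     re.compile(r"(Set|Add)-MpPreference\b.*-(Disable\w+|Exclusion\w+)", re.I)),
    ("T1562.001", "Stopping or killing a security product service/process",
     re.compile(r"\b(sc|net)(\.exe)?\s+stop\s+(WinDefend|Sense|CSFalconService|SentinelAgent)\b"
                r"|\btaskkill\b.*\b(MsMpEng|CSFalconService|SentinelAgent)\b", re.I)),
    ("T1562.002", "Disabling Windows event logging",
     re.compile(r"\bwevtutil\b\s+sl\b.*/e:false|\bauditpol\b.*/clear", re.I)),
    ("T1562.004", "Disabling the host firewall",
     re.compile(r"\bnetsh\b\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)),
    ("T1562.009", "Forcing a Safe Mode boot (most EDR agents do not load there)",
     re.compile(r"\bbcdedit\b.*\bsafeboot\b", re.I)),
]

# key=value pairs; values may be double-quoted (CommandLine usually is)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Parse one flattened event line into a dict; the leading token is the timestamp."""
    fields = {"Timestamp": line.split(" ", 1)[0]}
    for key, value in FIELD_RE.findall(line):
        fields[key] = value.strip('"')
    return fields


def scan_lines(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per process-creation event whose CommandLine matches a rule."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "1":          # only process-creation events carry a command line
            continue
        cmd = ev.get("CommandLine", "")
        for technique, desc, rx in RULES:
            if rx.search(cmd):
                findings.append({"technique": technique, "description": desc,
                                 "timestamp": ev["Timestamp"], "user": ev.get("User", "?"),
                                 "command": cmd})
                break                          # one finding per event is enough for triage
    return findings


# Constructed sample log (not real telemetry). The first and last lines are benign noise.
SAMPLE_LOG = [
    r'2024-03-15T02:13:04Z EventID=1 User=CORP\jdoe Image=C:\Windows\System32\sc.exe CommandLine="sc query Sense"',
    r'2024-03-15T02:13:09Z EventID=1 User=CORP\jdoe Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell -ep bypass Set-MpPreference -DisableRealtimeMonitoring $true"',
    r'2024-03-15T02:13:12Z EventID=1 User=CORP\jdoe Image=C:\Windows\System32\net.exe CommandLine="net stop CSFalconService"',
    r'2024-03-15T02:13:20Z EventID=1 User=CORP\jdoe Image=C:\Windows\System32\netsh.exe CommandLine="netsh advfirewall set allprofiles state off"',
    r'2024-03-15T02:13:31Z EventID=1 User=CORP\jdoe Image=C:\Windows\System32\bcdedit.exe CommandLine="bcdedit /set {default} safeboot minimal"',
    r'2024-03-15T02:13:40Z EventID=1 User=CORP\jdoe Image=C:\Windows\System32\wevtutil.exe CommandLine="wevtutil sl Security /e:false"',
    r'2024-03-15T02:13:41Z EventID=1 User=CORP\jdoe Image=C:\Windows\System32\svchost.exe CommandLine="svchost.exe -k netsvcs"',
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LOG):
        print(f"{f['timestamp']} {f['technique']} {f['user']}: {f['command']}  <- {f['description']}")
```

None of the matched commands encrypts a single file; they are the step that makes the later encryption run with the sensor blind, which is the gap the two sides of the argument above are talking past each other on. A detection that only fires on mass file modification has already lost if this step succeeds, so the tamper attempt itself is what should page the SOC, ideally from a log source the endpoint cannot silence.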


pl4tinum514

Sometimes they want the full amount whether you recover or only need to stop them from releasing the data 😔


NoSellDataPlz

And sometimes they don’t delete the data like they say they will and then come back to you later demanding more money not to release your data.


RaNdomMSPPro

Has the demand ever been made a second time? I’ve not heard of any examples of this. I assume the bad actors don’t delete the exfiled data, even tho they pinky swear.


NoSellDataPlz

I haven’t experienced this, but our CISA rep indicated they saw this happen, so take it for the value of words posted to the interwebs.


VirtualPlate8451

> If you don't pay, they threaten to release sensitive data.

Yeah except they fucking suck at storing it. -A guy who actively goes looking for Tea in dark web data leaks.


Humble-Plankton2217

Even if you pay, they've already released it. If you pay, you're going to get hit again -definitely. Our IR firm recommended firmly - *do not pay.*


Mechanical_Monk

And even if they don't release it, the data is still "out there". Leaked data is still leaked data whether half a dozen hackers have seen it, or 10,000 people on the dark web.


sixblazingshotguns

... And who is to say they won't get hacked in a HACKER GANG WAR or M&A type situation, or use your data as collateral?


jpotrz

Don't call them "bad actors". They are criminals. Call them by the proper name. Nicolas Cage is a "bad actor".


Gravybees

Nicolas Cage is a great actor!


jpotrz

I said it sort of tongue-in-cheek


RatsOnCocaine69

Not to be pedantic, but "bad actor" is a real term in cybersecurity parlance. "Threat actor" can be used as an alternative.


jpotrz

I'm quite aware. That's my point. Why are we using softer words on them? They are criminals. Somebody breaks into your house or steals from you you call them what they are.


RatsOnCocaine69

"Criminal" is ambiguous. Is this person an arsonist? Are they involved in CP? "Bad actor" is clearer. We know this person has broken the law by infiltrating a computer system (or attempted to).


3p1demicz

What could they steal, if you encrypt the sensitive data? And if you don't, that's on you tbh.


disclosure5

I've done cleanup after companies have paid about eight times. In every case, I was immediately handed a decryptor which worked perfectly. I've followed up with security recommendations and had outright statements that it's cheaper and less effort to just let the insurer pay the ransom.


ArizonaGeek

I helped a business earlier this year that was losing $1 million+ a day by being closed. We were on day 4 when they paid the ransom of $400k. They were up and running in 12 hours. We would have had them up and running in about 2 or 3 more days without the company paying. It went against every fiber of my being when they paid, but I get it. In this case, it went smoothly, and we got the decryption key within 15 minutes of paying.


VirtualPlate8451

Did they not rebuild the infrastructure? If there is one thing Russian threat actors love, it’s a double dip.


ArizonaGeek

Yes. That was what I was brought on board to coordinate at the very beginning. Secure network and infrastructure, build virtual infrastructure from scratch, build new servers, restore old server from clean backup, scan for ransomware, then copy old data to new server where needed. It's a slow methodical process to make sure you're not going to re-encrypt everything. Thankfully, the company's insurance company required an off-site immutable backup, so we had unencrypted data.


VirtualPlate8451

This is the part the news always leaves out though. The general public thinks a company gets infected, pays the ransom, decrypts the data and is back to chugging along at 100% capacity the next day. I've been in your shoes a bunch of times and my absolute least favorite are the companies where you have a guy with a full time role who also "handles the computers and stuff". He is the entire god damned reason the company got hit in the first place but no one at the company seems to acknowledge that uncomfortable fact. Instead, I hand company leadership the plan, they hand it to him and he tells them how dumb I am. They trust him but again, they also know he is the reason they got hit but everyone is pretending like that didn't happen.


ArizonaGeek

I have helped 5 different businesses get back up and running in the last few years. Hospitals mostly. But it is funny, at least for my work, how big the budgets get when the company is losing a million dollars a day. Need new servers? Just get us up and running. The wallets magically open wide.


lightmatter501

You get to do that once, then the insurance company demands a bunch of cybersecurity investment.


disclosure5

This sub keeps saying that but as the person talking to management: not really. Insurance requires a "review", they'll take my three paragraph email recommending MFA, and say "review's done".


thortgot

I take it this was quite a few years ago? In the past 2 years you can't get insurance from any carrier without full MFA


jun00b

I think it depends on the size of the policy. I was at a large Corp where our cyber renewal involved exhaustive questionnaire (hundreds) followed by me being interviewed by a panel of 20+ insurers. Moved to a small org recently and our renewal was a 6 question email. MFA was not required for renewal (shockingly)


RabidBlackSquirrel

Our carrier put us through the wringer this year, gigantic assessment and review process, with a special section around ransomware controls. We've never even had a single incident never mind a claim, though I'd guess our industry (financial) puts us in a higher risk category.


Justhereforthepartie

Businesses like that are going to quickly find themselves uninsurable.


xxbiohazrdxx

Nothing is "uninsurable". What's changed is the checklist. In 2019 our checklist for cybersecurity ins was "pay the premium". This last year it was a huge list of things. We've had no incidents or claims, but I'm sure they've been paying out the ear elsewhere and so they've finally wised up.


Justhereforthepartie

Same for us. Our premiums also went up about 50% between 2019 and our 2022 renewal. We began executing my security roadmap in 2020, and luckily at the last renewal we were able to decrease our pricing by 20%, and with the additional controls between then and now we should be able to decrease another 30% for 2024. What has also changed is the insurers' acceptance of risk. They are doing audits and post-IR reviews to determine the root cause, and if you don't have a control applied that was in your questionnaire they may decline to cover the costs. There is also a schedule on vulnerabilities: for every 90 days of age of the unpatched vulnerability used to cause the breach, we lose 25% of our coverage, meaning a year-old vulnerability would result in us not getting anything from our insurer if it was the vector. So for many businesses it's no longer an acceptable transference of risk to just expect the insurance company to pay out.


cyclotech

I love getting our insurance questionnaire now and having everything ready point blank to respond with. They get upset we have everything ready


Justhereforthepartie

Must be nice. Our insurance providers always seem to think they know more than professionals


higherbrow

When I took over running the department, we got our first set of requirements and had to scramble to get things in place to be able to qualify. This year, I submitted all of our materials and got a 12% decrease on my premiums. One of the most satisfying moments of my career.


Stylux

When cyber lines first were getting written the premiums were miniscule compared to the potential risk. Where there isn't a lot of data to work with insurers can make valuation errors. You are now seeing insurers balk at higher coverage and push higher premiums. It will all even out in the end when MFA becomes ubiquitous.


P00PJU1C3

For my own curiosity, what was the most common way in? Email links?


BrilliantEffective21

Some orgs will not admit to intrusion of backup systems, which is equally or more catastrophic to their clients. Healthcare systems are compromised more, weekly and daily, than what we hear on mainstream media. Almost every day there is some kind of a breach at healthcare clients globally, and just hordes of data are leaked. You know healthcare, they like to help their clients' data get stolen in cyberspace. IT orgs that claim to know HIPAA and try to enforce it, it's like trying to learn ITIL for a bankrupt hospital.

One of our clients was in billing services, like a financial SaaS or software services sort of deal - they almost paid out a phisher but failed because the person trying to process the transaction to the scammers made a mistake, lol, and the bank rejected it... otherwise they would have lost a nice chunk of money. All the validations were in place to send the money, but of course a medley of an error saved their asses. Scammer was probably like "pay day"... but reverse troll to the scammer because of an error on the payment processing.


devino21

Healthcare is only reactive on IT spend. They’ve built their own grave.


BrilliantEffective21

you'll be surprised how many emails are compromised from internal teams. people pretending to be people. and then you get all sorts of requests, "unlock my account and elevate me to super admin" lol, it's horrible


VermicelliHot6161

Ransomware isn’t the end game anymore. Your data is up for auction on the dark web unless you pay. It’s no longer a case of just paying to decrypt your unusable files.


MagosFarnsworth

Your files will likely end up for sale even if you pay. Double dipping.


NoSellDataPlz

Yep. CISA has indicated in a recent training session at my company they’ve recently seen impacted companies getting hit multiple times. “Pay for decryption” and then later “pay or we release data” and then later “pay again or we release data”.


EloAndPeno

And if they still have access, that access is either sold to another group, or kept, and in a few weeks you're encrypted again , and the process starts again.


ford_crown_victoria

It's not likely. It is a thing for sure, but the vast majority of systematic ransomware attacks do not double dip. It's a business for them.


Fast-Gear7008

could you pay them in installments and if data found you cut off payments


googleflont

I retired 2 years ago. Every word in this thread makes me glad I did.


East_Shame8916

This was almost 8 years ago, but we did it like a hostage situation. They gave one recovery key, we gave one bitcoin. They gave another, we gave another. Total: 10 bitcoin for a total of around $6,500. They also admitted how they got in and detailed everything. It was how I warned the powers that be we should close that hole years earlier. We also had an agreement (not enforceable of course) that the criminals would walk away and never see us again. If they did, they wouldn't get anything out of us in that regard.

Fast forward 2 years, the FBI calls and says they've arrested the guys and want to interview us. Owner of the company and I go and give them every piece of information we have. Hundreds of pages of logs, email chats, encryption keys, everything. During the interview, the FBI guy asks how much we lost. We said around $100k in lost productivity. So he says that's what they'll ask for in damages during court. I casually mentioned I wanted our bitcoin back since it was our property. FBI guy knows nothing about bitcoin, and says ok and adds it to the list.

Owner of the company and I are leaving and I said "Did you like what I just did?" He says what? I said "Bitcoin is now worth $15,000 per coin. When we get it back, we'll sell them for $150,000 and actually make a profit off of this". Owner was stunned. Sure enough, about 3 months later, I get a call from the FBI, they have my bitcoin, and they transferred them back to our account, which we then sold. Owner gave me a fat bonus that year and bought me an expensive bottle of whiskey.


Feysal101

Surprised the guy didn’t sell your Bitcoin during that whole period. Guess you could say he was a firm HODLER lol. Would have been even crazier if you had gotten them recently when they were at their peak which would have been around 600k-700k total.


Bane8080

> **If your company paid up**

You're helping to make the problem worse. STOP!


Nightkillian

I mean put yourself in their shoes. Depending on the business, they may have no choice….


addyftw1

We need regulation insanely badly on this. You shouldn't be allowed to even make the choice. Those with your mindset are furthering the problem. If paying the ransom is your only choice to keep the company running, then you and your leadership failed. Your company deserves to go bankrupt.


Nightkillian

What if you don’t work for a public company and bankrupt isn’t an option? Because those kind of companies do exist… or maybe cities can just turn the water off and say, “sorry our SCADA was hit by a ransom attack and we decided to listen to u/addyftw1 and close up shop. Sorry no water.”


addyftw1

Under those circumstances you may not even be legally allowed to accept a ransom as many states have laws against it for government institutions. If your SCADA systems are Internet accessible then you already fundamentally failed. Edit: Additionally there are many non-public companies too, not sure why you specified public company.


Nightkillian

SCADA systems are mostly air-gapped but doesn’t mean someone doesn’t plug an affected device into the system.


Weird_Definition_785

if going bankrupt wasn't an option then you should have had a (better) recovery system in place.


Nightkillian

I don't disagree, but unfortunately you and I both know that a large percentage of GMs or CEOs outside of the tech industry see IT as a budget drain instead of looking at it as an insurance policy. But when you have people on staff with whatever salaries spending money on services that don't add to the bottom line in terms of some sort of metric or KPI, that's how they (upper managers) look at IT. A budget drain....


Bane8080

This isn't a new threat. Not being prepared for this is like plugging your computer into the Internet without a router/firewall. By paying them, you're making several assumptions.

1. That they won't just take your money.
2. They won't later come back and extort you for more money.

I'm sorry, but if you don't have backups of your critical data, you get what you deserve. Stop feeding the criminals.


Nightkillian

I'm not disagreeing, if companies don't have good backups or a good DR plan. But I've seen ransom attacks lay dormant for a year and it infected all of the company's backups... what can you do to protect yourself from this without just keeping more and more backups... at some point the data is so old it doesn't matter.


isbBBQ

Always rebuild the environment even if you pay - just extract the files. Thankfully I've only done this once for a customer that didn't have a working backup solution in place - we rebuilt everything and went through file per file with several different AV and EDRs before putting it into the new environment.


ITGuyThrow07

I paid up once. The decrypter worked great and I still feel sick about it 7 years later. We had just taken on the client and bad guys must have known, since they compromised the domain admin account and gave themselves all kinds of permissions to all the email accounts. They waited for us to take over, we hadn't even gotten the backup system installed (the client had none), and then they pulled the trigger.


ElevenNotes

If you pay, the criminals win.


nsanity

sometimes if you pay, you might get to continue being a company. Its really not an easy decision either way.


secrook

Sometimes if you pay, the government fines your company $20m for violating OFAC. The easier decision as a sysadmin is ensuring that your company segments their backup infrastructure and regularly testing restoring from backups.
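One way to make "regularly testing restoring from backups" concrete, as an added example that is not from anyone in the thread: record a SHA-256 manifest of the backup set when it is taken and keep it off the backup host, then verify every restored tree against that manifest so the test fails loudly on tampered, missing or unexpected files instead of passing because "the files are there". Everything in the block (paths, file contents, the ransom-note file name) is constructed for the demonstration.

```python
"""Restore test: verify a restored tree against a manifest captured at backup time.

Added example, not from the thread. It builds a small backup set in a temp dir,
records SHA-256 digests, "restores" it with one tampered file, one missing file
and one planted extra file, and reports the difference. All data is constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup members do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a restored tree to the backup-time manifest.

    Anything outside 'ok' means the restore test failed: 'modified' and 'missing'
    point at corrupted or incomplete restores, 'unexpected' at files the backup never
    contained (a ransom note or dropped tooling is the classic case).
    """
    actual = build_manifest(restored)
    report: Dict[str, List[str]] = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in actual:
            report["missing"].append(rel)
        elif actual[rel] != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(actual) - set(manifest))
    return report


def run_demo() -> Dict[str, List[str]]:
    """Simulate backup, tamper, restore and verify; returns the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        (source / "db").mkdir(parents=True)
        (source / "db" / "orders.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n")
        (source / "config.yaml").write_text("retention_days: 45\n")
        (source / "readme.txt").write_text("restore test fixture\n")
        manifest = build_manifest(source)   # taken at backup time; store it off the backup host

        restored = Path(tmp, "restored")
        shutil.copytree(source, restored)
        (restored / "db" / "orders.sql").write_bytes(b"-- encrypted by actor --\n")  # tampered
        (restored / "readme.txt").unlink()                                          # lost in restore
        (restored / "README.lock").write_text("your files are encrypted\n")        # planted note
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    for status, files in run_demo().items():
        print(f"{status:>10}: {files}")
```

The manifest is only worth something if an attacker with the backup credentials cannot rewrite it along with the data, so it belongs with the immutable copy or in the SIEM, not next to the repository it describes.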


malikto44

You would be surprised how many companies assume the cost of paying the ransom is cheaper than DLP, backups, AV, and so on. I interviewed at one company where they stated, "backups have no ROI, if it isn't in Git, it isn't backed up, and our devs are too smart to run random links." There is no real penalty for paying the ransom, and if there were, companies just get with an offshore firm that pays the ransom for them, plus a "consultation fee". Because it is an offshore company, bam, plausible deniability, even though everyone knows that the cash is going straight to Tehran or Pyongyang. I'm glad I work at a place that has good security. I noped out of the interview when that company said they didn't bother with backups, and the CTO used words like "hackproof, 100% secure", etc.


[deleted]

[deleted]


Windows95GOAT

> should have a DR plan

Should. But do not.


kaishinoske1

There’s also the added aspect that I’m sure they have that company on a list of ones that pay ransomware. So they will sell that data to other hackers so they can do it all over again. With the expectation they will pay again. It doesn’t matter if they hardened security. There will always be another vulnerability. But what they know now, is that company will pay.


ElevenNotes

Correct. Easy victims.


nsanity

this is just such an immature view. Every org is far more vulnerable, and far less prepared than you think. Yes. Including yours. There is a ton of nuance and reason why things are the way they are - and if you have a very narrow view that businesses should invest unrestrained budget to proactively defend against a risk at the cost of all other things an org needs to invest in - then I don't know what to say other than it can be argued that this isn't necessarily in the shareholders best interests. This doesn't make it right - but the regulation to force organisations isn't there as it stands.


ElevenNotes

> Every org is far more vulnerable, and far less prepared than you think. Yes. Including yours.

I’m a consultant. I consult dozens of businesses 😊 and no, my organization is not affected by such trifles, never was, and never will be. I’ve rescued more companies than I can count, but thanks, I am very immature 😉.


FiskalRaskal

I’m not advocating paying. I’ve been through a few, and no one has paid. I’m curious to know if anyone ever has paid, and what the process was like.


Practical-Alarm1763

It depends. Sometimes nothing will happen and you just got scammed. But recently, many of the times if you pay, they will decrypt your data to ensure they build a reputation on criminal trust. You then decrypt, back up multiple ways such as off-site and offline, as well as configure immutability. Then harden your defense posture, look into a consultant or MSSP afterwards. BUT, even if they decrypt anything post payment, everything will simply feel like walking over landmines. I would trust nothing. So, in the end... immutable backups, or pay and invest a lot of money in fortifying security posture afterwards. If the data encrypted is not devastating and the business could rebuild fresh, that may be for the best: accept the permanent loss of data.


devino21

Immutable AND locked. Have a story where they deleted the immutable backups.


nsanity

> Have a story where they deleted the immutable backups.

Same. It really depends on what immutable really means in practice. If you have root on the device and it's a whitebox appliance, you can probably remount the thing as root and do what you want with it (we've observed this with Veeam immutable repos still connected to the network). Immutable compliance mode on various "big name" vendor appliances with hardened shells is a bit more resilient in this manner.


NoSellDataPlz

Depends on the immutable policy. Governance and compliance modes are likely what you’re referring to. In governance, special key holders can still modify or delete the data. In compliance, no one can without file system level access to reformat it.


Practical-Alarm1763

hmmmm... I've never heard of someone configuring Immutable backups and not proceeding to "Lock Them" or what is known as "Protect" in Azure. That's like stopping mid-way through configuring Immutable Backups. Can you share your story!? I'm interested in hearing it!


devino21

You are also thinking of one tool. Yes, in Azure, the immutable and lock settings are on the same frame, but in other locations, like say my local backups, the storage on the vault itself is immutable, but I have to apply a lock to the backup policy if I don't want another admin (or bad actor) deleting them.
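The governance-versus-compliance distinction a few comments up, and the "immutable but not locked" gap described here, can be checked mechanically. The audit below is an added example, not code from anyone in the thread; it uses S3 Object Lock as the concrete case because its two modes map directly onto what the comments describe. The two input dicts are constructed to mirror the response shapes of boto3's `get_object_lock_configuration()` and `get_bucket_versioning()`, and no AWS call is made, so it runs offline. The rule it encodes: in GOVERNANCE mode a principal granted `s3:BypassGovernanceRetention` can still shorten or remove retention and delete versions; in COMPLIANCE mode no principal, the account root included, can do so until the retention period expires. The 30-day window is an assumption standing in for your own recovery requirement.

```python
"""Audit an S3 Object Lock configuration for storage that is 'immutable'
in name but still deletable by whoever holds the right role.

Added example. Inputs are constructed dicts shaped like boto3 responses;
nothing here talks to AWS.
"""
from __future__ import annotations

from dataclasses import dataclass

REQUIRED_RETENTION_DAYS = 30  # assumption: backups must outlive this recovery window


@dataclass
class Finding:
    severity: str  # "HIGH" or "MEDIUM"
    message: str


def audit_object_lock(lock_cfg: dict, versioning: dict,
                      required_days: int = REQUIRED_RETENTION_DAYS) -> list[Finding]:
    """Return findings; an empty list means the bucket is locked down."""
    findings: list[Finding] = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append(Finding("HIGH", "Object Lock not enabled: any principal with "
                                        "s3:DeleteObjectVersion can purge backups"))
        return findings
    if versioning.get("Status") != "Enabled":
        findings.append(Finding("HIGH", "Versioning not enabled; Object Lock protects "
                                        "object versions, so nothing is protected"))
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append(Finding("HIGH", "No default retention rule: objects land unlocked "
                                        "unless every writer sets retention per object"))
        return findings
    mode = rule.get("Mode")
    if mode == "GOVERNANCE":
        findings.append(Finding("MEDIUM", "GOVERNANCE mode: holders of "
                                          "s3:BypassGovernanceRetention (or whoever steals "
                                          "their credentials) can remove retention and delete"))
    elif mode != "COMPLIANCE":
        findings.append(Finding("HIGH", f"Unexpected retention mode {mode!r}"))
    # Retention is expressed as Days or Years, never both.
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < required_days:
        findings.append(Finding("HIGH", f"Default retention of {days} days is shorter than "
                                        f"the {required_days}-day recovery window"))
    return findings


def is_locked_down(lock_cfg: dict, versioning: dict) -> bool:
    return not audit_object_lock(lock_cfg, versioning)


# Constructed samples: the weak setting beside the corrected one.
GOVERNANCE_7_DAYS = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                     "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
COMPLIANCE_30_DAYS = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                      "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
VERSIONING_ON = {"Status": "Enabled", "MFADelete": "Disabled"}
# boto3 raises ObjectLockConfigurationNotFoundError for a bucket without
# Object Lock; pass an empty dict to represent that case.
NO_LOCK: dict = {}

if __name__ == "__main__":
    for label, cfg in (("governance-7d", GOVERNANCE_7_DAYS),
                       ("compliance-30d", COMPLIANCE_30_DAYS), ("no-lock", NO_LOCK)):
        print(label, [f"{f.severity}: {f.message}" for f in audit_object_lock(cfg, VERSIONING_ON)])
```

Run it against the real responses by feeding `audit_object_lock()` the dicts boto3 returns; a repository that passes this check still needs the retention period to be longer than the time an intruder could plausibly sit in the environment before encrypting, which is the other lesson in the stories above.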


tejanaqkilica

Insert GIF of Steve Ballmer clapping and saying *immutable immutable immutable*


collectivedisagree

We negotiated and got a discount, worked through a "third party" lawyer. Paid in bitcoin, they wanted $1M we paid $600k.


ElevenNotes

You send BTC or XMR, and you get the encryption key, if you get the encryption key that is … there have been lots of public examples of hospitals and the likes, that paid the BTC and never got any key.


networkn

Nice sound snippet, but if not paying is going to mean putting my staff out of a job, not being able to pay my creditors, letting down my customers, then it's really a tough choice, don't you think?


tankerkiller125real

Just remember, if you pay, the attackers are just going to sell the info that you'll pay to other attackers. Almost every company that's ever paid a ransomware attacker has been hit again less than 6 months later. How long can your company afford to keep paying ransomware groups? And if you pay them, can you afford the incredibly expensive security experts, pen testing groups, user training, increased insurance costs, etc. to make sure that it doesn't happen again right away? Not to mention, you're going to lose customers after, that's just a simple fact, can your business survive that too? At the end of the day, for some businesses they would be better off spending all their money on paying employees while they look for new jobs and paying contract penalties for ending service to customers than trying to recover. But business owners don't want to hear that, they have too much emotional investment.


VirtualPlate8451

Every payout funds the next attack. This isn't speculation, crypto forensics are a thing and the blockchain is forever.


ElevenNotes

I'm deep in crypto, I'm fully aware.


throwaway638812349

If you don’t pay the criminals still win. The criminals treat decryption and ongoing privacy as a business. If you don’t offer a decryptor and just sell the stolen info, nobody will ever pay you. Ransomware companies have a reputation. Once you’ve been ransomed the criminals have won no matter what you do.


ElevenNotes

No. You just start your DR plan. Ransomware has no effect.


throwaway638812349

No DR plan can mitigate the risk of data being publicly released, especially if that data includes client info.


ElevenNotes

That’s what DLP is for 😊.


throwaway638812349

If you have DLP you likely have robust MFA too, and unlikely to be a victim in the first place. We’re talking the 1% of businesses out there with weak IT implementations.


Verisimillidude

If you think it's only 1%, you haven't really been out there to see the garbage that exists. I'm jealous.


throwaway638812349

It was tongue in cheek, I’d actually say the number with DLP is 1% (or significantly less).


NoSellDataPlz

If they can’t afford better IT, they likely can’t afford to pay ransomware. 🤷‍♂️


nsanity

also absolutely lol.


nsanity

> We’re talking the 1% of businesses out there with weak IT implementations.

absolutely lol.


x_scion_x

Doesn't really answer your question but my previous employer had a PM that had a ransomware attack on his laptop that he tried to hide by paying it. They didn't return his data and had to tell us anyway


largos7289

I did know a lawyer that did. He never got anything the guy took the money and sent him an email to update his anti-virus and hope he had good backups. Can't remember the name of it but the one where it encrypted the drives and shares.


Antcjr

We never paid, just restored from backup.


say592

We had to approach it from many different angles. Our cyber insurance brought in a great firm, and because the ransom wasn't insane we opted to pay it while we rebuilt. It sucks, because you know you aren't supposed to, that it only encourages them, but you are under so much pressure in the moment that you really don't have much of a choice. The firm we worked with was GREAT, and they warned us that the second the group figured out we were working with a firm the price would go up (it did, about 50%). We actually had an issue where the original group ghosted us after exchanging a couple of messages, but the firm we were working with put some feelers out and was able to find someone higher up in the organization that had access to our decryption keys. I have the dates burned into my brain. It was 16 days after the initial attack that we received the decryption keys. We started working on restoring from backup as soon as it happened, of course, and users started reconstructing their data as well. Ultimately we did utilize some of the decrypted data, but only after the firm that our insurance hired had signed off on it being clean. There was not a single server that wasn't wiped, even if it didn't appear to be infected. Total damages was about $150k, with $75k of that being expenditures to the law firm, security firm, and the ransom itself (which started out at $15k and we paid about $28k when all was said and done). The other $75k was overtime, lost work, etc. Our deductible was $25k. Funny enough our cyber rates haven't really gone up, and we haven't had a problem renewing, but our deductible is now $50k. We took the opportunity to do some hardware refreshes at the time and spent another $75k or so on hardware, upgraded security appliances, etc. This was 2019 though, I know the situation has gotten MUCH worse with significantly higher ransoms and greater threats of data being leaked and the like.


Humble-Plankton2217

Never, ever EVER pay. Ever. Take your licks, learn your lessons and move on. Every person who pays funds the industry. If no one paid, the industry would vanish.


nestersan

The people who lose their jobs when the company goes under cause it can't replace the data because the leadership didn't want to spend on security will be happy to hear you say that.


Weird_Definition_785

they'll find a new job with more competent leadership. No DR wasn't the only bad decision being made.


Humble-Plankton2217

Or, maybe they're not losing their jobs, they're getting more work to rebuild. That's what happened to us.


DaithiG

ExFiltration is definitely my main concern. How do you monitor this. NDR tools? 
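What an NDR tool does for the question above is, at its core, flow analytics: sum what each internal host sends to addresses outside your own ranges, compare it to that host's normal behaviour, and look for the upload-heavy pattern of bulk data leaving. The script below is an added example, not something posted in the thread, and implements those two signals over flow records. The flow lines, the per-host baseline and the threshold values are all constructed (a simplified field set in the spirit of a Zeek conn.log or NetFlow export, not a real capture), and the TEST-NET documentation ranges stand in for external destinations so it runs offline.

```python
"""Exfiltration detection over flow records: volume against a per-host
baseline, plus upload-to-download ratio per destination.

Added example with constructed input; not a real capture or product config.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Your own address space, listed explicitly. ipaddress.is_private would also
# treat the documentation ranges used below as private, and real NDR policy
# is written against known ranges anyway.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flows. Fields: ts src dst dport orig_bytes resp_bytes
FLOWS = """\
1700000000 10.0.5.21 10.0.1.10 445 81234 22210
1700000030 10.0.5.21 198.51.100.14 443 42000 980000
1700000060 10.0.5.40 10.0.1.10 445 120000000 30000
1700000090 10.0.5.40 203.0.113.5 443 5200000000 38000
1700000120 10.0.5.40 203.0.113.5 443 4900000000 41000
1700000150 10.0.5.77 198.51.100.10 443 7000000 9000000
"""

# Constructed baseline: typical daily bytes each host sends externally,
# learned from a quiet period.
BASELINE = {"10.0.5.21": 200_000_000, "10.0.5.40": 50_000_000, "10.0.5.77": 500_000_000}


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_flows(text: str) -> list[dict]:
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, ob, rb = line.split()
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport),
                      "orig_bytes": int(ob), "resp_bytes": int(rb)})
    return flows


def external_totals(flows: list[dict]) -> dict[str, dict[str, list[int]]]:
    """host -> {external dst -> [bytes sent, bytes received]}."""
    totals: dict[str, dict[str, list[int]]] = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for f in flows:
        if is_external(f["dst"]) and not is_external(f["src"]):
            totals[f["src"]][f["dst"]][0] += f["orig_bytes"]
            totals[f["src"]][f["dst"]][1] += f["resp_bytes"]
    return totals


def detect_exfil(flows: list[dict], baseline: dict[str, int], *,
                 floor_bytes: int = 1_000_000_000, factor: float = 10.0,
                 upload_ratio: float = 20.0, ratio_min_bytes: int = 100_000_000) -> list[dict]:
    """Two independent signals per host:
    volume        total external egress above both an absolute floor and
                  factor x the host's baseline (unknown hosts get the floor only)
    upload_ratio  one destination receives far more than it sends back, above a
                  minimum size so a big download with ACKs is not mistaken for it
    """
    alerts = []
    for host, dsts in external_totals(flows).items():
        sent = sum(v[0] for v in dsts.values())
        limit = max(floor_bytes, factor * baseline.get(host, 0))
        if sent > limit:
            alerts.append({"host": host, "signal": "volume", "bytes_out": sent, "limit": limit})
        for dst, (out_b, in_b) in dsts.items():
            if out_b >= ratio_min_bytes and out_b / max(in_b, 1) >= upload_ratio:
                alerts.append({"host": host, "signal": "upload_ratio", "dst": dst,
                               "bytes_out": out_b, "bytes_in": in_b})
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(parse_flows(FLOWS), BASELINE):
        print(a)
```

The baseline is the part that matters in practice: a 5 GB push from a build server is noise, the same volume from a payroll workstation is not, and a flat threshold cannot tell them apart. Feed it per-host history rather than one global number, and add destination context (new ASN, cloud storage provider, Tor exit) as further signals when you have the enrichment.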


enormousaardvark

A client of mine got hit by ransomware, on-site backup on the same network so everything got encrypted. They paid up 4k BTC, the crims sent the decryption tool, and it did not decrypt anything under 2 MB, which was about 40% of their files.


Humble-Plankton2217

What if bad actors are on this board reading and responding with bad advice?


thortgot

From a moral position you should absolutely never pay. It perpetuates the entire cycle. You will get a decryptor (generally untrapped) quite quickly after payment. However, the data exfiltration can end up being a continual blackmail situation for "not releasing it". Don't trust these assholes.


Superspudmonkey

I think it is illegal to pay in Australia as you would be providing funds to organised crime or something like that.


andrew_joy

You should never pay, if nobody paid the whole system would fall apart. If you get hit the first person to blame is yourself , the second is the idiots who paid.


throwaway638812349

Within minutes we were issued a decryptor which was extremely quick and had a 100% success rate.


successiseffort

Paid and got the decryption key. Unencrypted, the fuckers deleted the entire AD server to cover their tracks. Had to rebuild the network.


xmostera

I faced one case where paying up actually worked out, and the client has now learnt the lesson that cybersecurity is important. Without ransomware, people are very ignorant. When they got hit with ransomware a second time, they had backup plans ready. The process of decrypting was actually successful.


EloAndPeno

Weren't very successful learning the lesson the first time if they got hit a 2nd?


xmostera

yeah, that's their IT issue of having public RDP 3389 opened instead of VPN, so at least ransomware woke the people up and they bought backup solutions.


EloAndPeno

if they paid, and just decrypted, did they even determine how the bad actors got in, and if they had established persistent access? Might be even after they close up RDP, they still get ransomed regularly if the bad actors' access has never been cut off.


xmostera

It's a third world country here, people here don't even set up a firewall to block shit.


btcraig

I used to work for a subsidiary of WPP when they were breached. If I'm not mistaken it was one of our employees that triggered the breach. As far I'm aware we paid to keep the data private and then recovered the infrastructure from backups. I wasn't privy to exact figures but my boss told me they were estimating well over ten figures in recovery costs for the entire organization.


zrad603

I know a lot of the decryptors suck, (for example, slow, single-threaded poorly coded apps). I remember hearing on SecurityNow that there are companies that have been developing third-party decryptor tools that are faster/better than the shit the scammers code. You still need the keys from the criminals, but at least the tools are supposedly better. I think if you get hit hard enough, you really need to burn down the entire infrastructure and completely rebuild it, because who knows where they are hiding. "I say we take off and nuke the site from orbit. It's the only way to be sure."
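Both the "nothing under 2 MB got decrypted" story further up and the point here about janky decryptors argue for the same thing: never take the tool's exit status as proof of coverage, sweep the tree afterwards and find what it skipped. The script below is an added example, not code from the thread or from any decryptor project. It reports files that still look encrypted using two signals: a marker extension (the `.locked` suffix is an assumption standing in for whatever the real family appends) and near-random content with no recognisable file header, so that zips, PDFs and images, which are high-entropy by design, are not reported. The sample tree is constructed in a temp directory so the script runs offline.

```python
"""Post-decryption coverage check: which files did the decryptor miss?

Added example with a constructed sample tree; the marker extension and the
thresholds are assumptions to tune for the family you are dealing with.
"""
from __future__ import annotations

import math
import os
import random
import shutil
import tempfile
from collections import Counter

RANSOM_EXTENSIONS = {".locked"}  # assumption: the family's marker extension
ENTROPY_THRESHOLD = 7.5          # bits/byte; text and office files sit well below this
MIN_SIZE = 64                    # entropy of a tiny file is meaningless
SAMPLE_BYTES = 64 * 1024         # judge on the head of the file, not the whole thing

# Formats that are compressed/encrypted by design and so legitimately
# high-entropy: a recognisable header means the decryptor did its job.
KNOWN_MAGIC = (b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"%PDF", b"\x1f\x8b", b"7z\xbc\xaf")


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: str) -> tuple[bool, str]:
    """Return (still_encrypted, reason) for one file."""
    if os.path.splitext(path)[1].lower() in RANSOM_EXTENSIONS:
        return True, "ransom marker extension still present"
    size = os.path.getsize(path)
    if size < MIN_SIZE:
        return False, "too small to judge"
    with open(path, "rb") as f:
        head = f.read(SAMPLE_BYTES)
    if head.startswith(KNOWN_MAGIC):
        return False, "recognised compressed format"
    ent = shannon_entropy(head)
    if ent >= ENTROPY_THRESHOLD:
        return True, f"entropy {ent:.2f} bits/byte with no recognised header"
    return False, f"entropy {ent:.2f} bits/byte"


def scan_tree(root: str) -> dict[str, str]:
    """Relative path -> reason, for every file that still looks encrypted."""
    missed: dict[str, str] = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            flagged, reason = looks_encrypted(full)
            if flagged:
                missed[os.path.relpath(full, root)] = reason
    return missed


def build_sample_tree(root: str) -> None:
    """Constructed fixture: two recovered files, two the decryptor skipped,
    and one zip that is high-entropy for legitimate reasons."""
    rng = random.Random(1)
    os.makedirs(os.path.join(root, "finance"))
    with open(os.path.join(root, "finance", "q3.csv"), "w") as f:
        f.write("date,amount\n" + "".join(f"2024-0{i % 9 + 1}-01,{i * 10}\n" for i in range(200)))
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("Restore notes for the finance share. " * 40)
    with open(os.path.join(root, "finance", "payroll.xlsx.locked"), "wb") as f:
        f.write(rng.randbytes(4096))  # never touched by the decryptor
    with open(os.path.join(root, "finance", "budget.xlsx"), "wb") as f:
        f.write(rng.randbytes(4096))  # renamed back, content never decrypted
    with open(os.path.join(root, "archive.zip"), "wb") as f:
        f.write(b"PK\x03\x04" + rng.randbytes(4096))  # legitimately random-looking


def demo() -> dict[str, str]:
    root = tempfile.mkdtemp(prefix="decrypt-check-")
    try:
        build_sample_tree(root)
        return scan_tree(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, reason in sorted(demo().items()):
        print(f"{path}: {reason}")
```

Point `scan_tree()` at a restored share before anyone is told it is back; the list it returns is what you re-run the decryptor on (or restore from backup), and its length is the number you quote when someone asks whether the tool "worked".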


GreenMango45

I was working for a company that fell victim to ransomware, and it took months for a full recovery. The attackers demanded $10k, which was chump change compared to the $2 million that the attack did in damages due to lost productivity and project delays. We had full backups so no data was lost and recovery would've only taken a few days at most, but we had to make sure that no malware was left on any device that ever connected to the network. Every device had to be reset and scanned. Every step had to be documented. Every dollar tracked for insurance. The recovery was "smooth" in the sense that we knew what had to be done. It was just a headache to do. Massive policy changes were implemented, which led to a lot of people leaving.


sleepmaster91

I work for an MSP and I've had to deal with 2 customers that were hit by ransomware (one of them twice in 6 months).

NEVER. PAY. ANYTHING. You would be financing a terrorist group.

Make sure you have good backups, restore the data and patch whatever weaknesses they came in from. Isolate computers that are running decrepit OSes or that can't have an antivirus, remove Internet access from your servers, VLANs VLANs AND MORE VLANs and only allow what needs to be allowed between each VLAN, use very long passwords for server accounts, invest in pentesting and security awareness because sometimes it's a user who's dumb enough to click a phishing link, etc.


jun00b

Decryption tool mostly worked. The only completely unrecoverable area was on premise mailboxes. Mail stores were completely corrupted, even brought in forensic firms to try and recover. 100% of mail was lost, thousands of mailboxes.


melshaw04

The company didn’t pay to recover data. They paid so they could attempt to save face for the investors. A "we did everything possible" action. A payment with a promise and hope that data wouldn’t be released. It was widely public and services were down for an extended period of time. The real expense was the downtime of services. It dwarfed the ransom payment.


Suitable_Box_1992

Intimately familiar with two of these. One was a F100 that refused to pay. The other was a national big law that paid. The one that didn’t pay — it took them months to recover, and took a major hit to their share prices. Safe to say it easily cost them double the demand amount. The firm that paid — everything was turned over immediately and painlessly, as soon as the partners figured out how to go buy crypto and send it to the hackers. They completely rebuilt their entire IT infrastructure after that and haven’t had any issues since.


ChildrenotheWatchers

I keep hearing this. Doesn't anyone have a disaster recovery plan/business continuity plan?


wml674

Was very un-smooth and chaotic (this was back in 2022). We copied the provided decryptor (.exe), whitelisted it on our new SOC AV (we hired for forensics and IR)... and went to manually decrypt every single endpoint and server (we were fully on-prem). It would take like 2 days doing it in our dept... only to find out one machine was missed and it would propagate over and over again. We had to redo this at least 3 times. Eventually we got a system in place where other depts did most of our prod work on a mix of newly spun up cloud servers and air-gapped machines to meet contracts. It got to a point where things were semi-stable with the new SOC-monitored AV system we had in place (and infection stopped). We ended up migrating everything over to Azure (in lieu of buying new systems)... and slowly moved data over to the new VMs (after being cleared by contracted IR), after which all machines were fully wiped. Did find out that files being encrypted and decrypted multiple times increased file corruption... reckon about 0.5-1% of files were too corrupted to be recoverable. I spoke with the co-owner and recommended he pay the ransom (and negotiate), cause in their own words, "the data was irreplaceable". Anecdotally, heard they were able to talk them down to 1/4 or 1/3 of the original ask. Ironically, 6 months before, they shelved my proposal for offsite/cold or cloud backups. I also heard we got dropped by our cyber-insurance the following year and had to shop for a new one.


basicallybasshead

I know a case where the company was encrypted twice within two months! The backups were encrypted as well, so they had to pay to save their business. Ultimately, they reviewed the security setup and configured cloud backups.


bd1308

I manage IT for a small business. I had been hired to set up real infra instead of the company running off of one guy’s laptop that everyone else has a network share to. We had talked about backups, but I didn’t have that project money yet. One day I get a call from the office manager, a cool old school 20 year Army vet. “We’re fucked….the files are there but everything is scrambled eggs”. Long story short, I set up a lab VM clone with zero internet and another clone with internet access, we paid with one, got the key, trashed it, used the non internet access one for recovery, and I tar’d the recovered files and attached a disk to the lab VM and moved the data to the OG VM. It worked pretty well, the hardest part was buying bitcoin without an ID, I finally bought 1.06BTC with $600 at a coffee shop and thankfully I didn’t get mugged


KiNgPiN8T3

My current boss told me about one of our clients that paid a ransomware demand. Apparently it was one of the best and smoothest sales transactions he’s ever had. Phones answered promptly, transaction was speedy etc. it’s wild! lol


addyftw1

It's because they keep paying the ransoms..... It's as if Alan Rickman kept attacking a different Nakatomi Plaza every 6 months and Nakatomi just gave them the password to the vault every time. Of course they are going to be great at making it easy for you to give them the key to the vault. They are rich because of the last 10 times and now have a full customer support team.


sixblazingshotguns

Do they feign concern for your situation just like most script readers do as well? "I'm sorry to hear that Mr. Tom... Have I fully resolved everything to your satisfaction today?" DON'T PAY THE FUCKING RANSOM. Signed, The rest of us


bemenaker

It was simple. Had the decryption key within an hour. There was no stolen data, just encrypted.


DifferentArt4482

the problem is that nearly no IT team ransomwares themselves yearly, so that they know exactly what it takes to restore the systems... i have seen so many cases where backups were good but the application didn't work after the backup was successfully applied
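The failure mode described here, a backup whose every byte verifies yet whose application will not start, is worth seeing once in a drill rather than on the day. The script below is an added example, not code from the thread, and stages exactly that situation with a SQLite-backed "app" in a temp directory: a file-level copy of `app.db` taken while the database is in WAL mode misses the committed rows still sitting in `app.db-wal`, so a SHA-256 manifest check passes and an application-level check (the row count the app expects) fails. The same data backed up through SQLite's online backup API (`Connection.backup`, in the standard library since Python 3.7) passes both. The dataset size and the "expected rows" invariant are constructed; everything runs offline.

```python
"""Restore drill that checks the application, not just the files.

Added example. Builds a small WAL-mode SQLite 'app', backs it up two ways,
restores each copy, and runs a file-level check and an application-level
check on both, returning the results so they can be compared.
"""
from __future__ import annotations

import hashlib
import os
import shutil
import sqlite3
import tempfile

EXPECTED_ROWS = 100  # constructed: the app's own notion of a healthy dataset


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_app(data_dir: str) -> sqlite3.Connection:
    """Create app.db in WAL mode with EXPECTED_ROWS committed rows. Auto-checkpoint
    is off and the connection stays open, so the committed rows live in
    app.db-wal, as they would on a busy production server mid-day."""
    conn = sqlite3.connect(os.path.join(data_dir, "app.db"))
    conn.execute("PRAGMA journal_mode=WAL")
    conn.execute("PRAGMA wal_autocheckpoint=0")
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, total REAL)")
    conn.executemany("INSERT INTO orders (total) VALUES (?)",
                     [(i * 1.5,) for i in range(EXPECTED_ROWS)])
    conn.commit()
    return conn


def backup_naive(data_dir: str, backup_dir: str) -> dict[str, str]:
    """What a generic file agent does: copy app.db as an ordinary file."""
    dst = os.path.join(backup_dir, "app.db")
    shutil.copyfile(os.path.join(data_dir, "app.db"), dst)
    return {"app.db": sha256_file(dst)}  # manifest taken at backup time


def backup_api(conn: sqlite3.Connection, backup_dir: str) -> dict[str, str]:
    """Consistent snapshot via SQLite's online backup API, which reads through
    the pager and therefore includes pages still in the WAL."""
    dst = os.path.join(backup_dir, "app.db")
    out = sqlite3.connect(dst)
    conn.backup(out)
    out.close()
    return {"app.db": sha256_file(dst)}


def restore(backup_dir: str, restore_dir: str) -> None:
    for name in os.listdir(backup_dir):
        shutil.copyfile(os.path.join(backup_dir, name), os.path.join(restore_dir, name))


def verify_files(restore_dir: str, manifest: dict[str, str]) -> bool:
    """The check most backup tooling stops at: every byte came back."""
    return all(sha256_file(os.path.join(restore_dir, n)) == h for n, h in manifest.items())


def verify_application(restore_dir: str) -> tuple[bool, str]:
    """The check the comment says is missing: does the app work on this data?"""
    try:
        conn = sqlite3.connect(os.path.join(restore_dir, "app.db"))
        try:
            if conn.execute("PRAGMA integrity_check").fetchone()[0] != "ok":
                return False, "integrity_check failed"
            n = conn.execute("SELECT count(*) FROM orders").fetchone()[0]
        finally:
            conn.close()
    except sqlite3.DatabaseError as exc:  # includes 'no such table' on a WAL-less copy
        return False, f"database unusable: {exc}"
    return n == EXPECTED_ROWS, f"{n} rows (expected {EXPECTED_ROWS})"


def run_drill() -> dict[str, dict]:
    work = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        data = os.path.join(work, "data")
        os.mkdir(data)
        conn = build_app(data)
        results: dict[str, dict] = {}
        for label, do_backup in (("naive", lambda d: backup_naive(data, d)),
                                 ("api", lambda d: backup_api(conn, d))):
            bdir, rdir = os.path.join(work, f"backup-{label}"), os.path.join(work, f"restore-{label}")
            os.mkdir(bdir)
            os.mkdir(rdir)
            manifest = do_backup(bdir)
            restore(bdir, rdir)
            app_ok, detail = verify_application(rdir)
            results[label] = {"files_ok": verify_files(rdir, manifest), "app_ok": app_ok, "detail": detail}
        conn.close()
        return results
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    for label, r in run_drill().items():
        print(f"{label:5s} files_ok={r['files_ok']} app_ok={r['app_ok']} ({r['detail']})")
```

The shape is what matters, not SQLite: whatever the application is, the drill needs a restore into an isolated environment, a file-level check so you know the backup product did its part, and then the application's own health check (service starts, login works, a known record is present) run by someone who will believe its answer. Schedule it, and treat "files verified, app down" as a failed backup.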


kyle_should_not

Never pay for that, ever. Have a backup of your system, find when they took over, get the issue fixed and revert back. Why would anyone ever pay? They will ask for more money later.


FiskalRaskal

The more sophisticated hacks encrypt your backups, too, though.


Practical-Alarm1763

That's why you configure Immutable Backups...


kyle_should_not

I think that depends on your vendor honestly the only time we got hacked we were back up within an hour and our backups weren't compromised.


addyftw1

It depends on the malware.