
What Do We Do Now? The Immediate Aftermath of Declining Ransomware Demands

In the early morning hours of May 12, Evan W., director of IT for a large healthcare organization, swiped his card to go to what he thought would be a typical day at work. But by 1:00 p.m., he was in a conference room that smelled uncomfortably of sweat and fear, surveying a range of familiar and unfamiliar faces seated around him and glowing from various monitors. Some were colleagues; others were representatives from insurance agencies, law firms, cybersecurity firms, and PR agencies. All were trying to come up with a simple answer: What do we do now? The organization’s global systems had been encrypted by ransomware, and the decision had just been made not to pay the ransom. But they had to have a plan to quickly resume operations—because lives and jobs depended on it.

While the frequency of global ransomware attacks continues to ebb and flow, the damage to any one affected organization continues to climb. Downtime can cost up to $1M per hour, but the carnage today also often includes the publishing of sensitive corporate information and the complete destruction of corporate data and even IT systems. Threat actors show no empathy or remorse. If an organization refuses to comply with their extortionate demands, these criminal actors are likely to act very quickly, exacting whatever vengeful destruction they can.

The aftermath of declining the ransom demand

Once the decision is made to decline the ransom demand, ground zero for the organization is idle corporate systems and inaccessible corporate data. Paying a ransom never guarantees that a victim organization will receive a functioning decryption key, but not paying makes it certain that it will not, leaving the business at a standstill. The organization’s recurring costs, such as payroll, continue; the revenue streams needed to meet those obligations come to a screeching halt until the business finds alternate ways of restoring infrastructure health and operations. Since threat actors rarely take kindly to those who fail to succumb to their demands, they often will additionally publish sensitive data exfiltrated from the business on the Dark Web (typically on leak sites purpose-built by ransomware affiliates for stolen data) and/or wage a Distributed Denial of Service (DDoS) attack against corporate systems.

Why not just pay the ransom?

Paying the ransom may seem like the obvious answer to resuming operations and avoiding vengeful actions, but an increasing number of organizations are opting out. Last year, only 68% of victim organizations chose to pay (down from 82% the year prior). There are many reasons why an organization may decline—such as having complete, restorable backups, not trusting the promises of criminals, or simply being unwilling to give in to them.

Best course: Plan ahead and have a strategy

Companies achieve better outcomes when they have a strategy and a pre-defined path to act instantly and decisively to restore systems, resume operations, and defend against additional actions. Many of these decisions must be made at the executive level, so a cogent plan of action should not be created on the fly; it should be an intentional strategy that is mapped out, tested, and vetted well in advance. During the immediate aftermath of a ransomware attack, C-level and IT leaders are consumed with responsibilities, from critical decision making to informing employees, interacting with third-party resources, and planning for an uncertain future—so pre-planning for a range of scenarios is essential to ensuring leaders’ attention is not unduly divided and the optimal outcome can be achieved. Elements of planning should include:

  • Have a Disaster Recovery/Business Continuity (DR/BC) plan in place that defines which parties must be involved if disaster occurs, who to call in which order, who is responsible for which actions, and lays out a set of possible scenarios on how you would react/respond given those circumstances. Your cyber insurance carrier’s terms and requirements should be integrated into this plan, and each scenario should be tested as if it were happening in real life (tabletop exercises).
  • Understand that, should a ransomware incident occur, restoration professionals are not always brought in by cyber breach coaches (legal experts assigned by cyber insurance carriers). Many decisions on how to restore may be made without this expertise (or left to your untrained IT staff), and it could cost you significantly in downtime and lost revenue. While carriers are increasingly bringing in restoration pros to reduce the high cyber insurance losses from downtime, you may need to plan to assert your preference to bring in these professionals—since downtime affects your organization and its customers the most.
  • Include scenarios in your DR/BC plan for: paying the ransom; not paying the ransom; and paying the ransom but not receiving a functional decryption key. Consider how you would work to restore operations in each scenario.
  • In several scenarios, you will be highly dependent on having resilient, immutable backups from which you can restore your essential data. Consider having a ransomware backup assessment to understand the security and restorability of your backups, ensuring you have multiple, secure, immutable copies of all data.

If ransomware strikes before you are prepared

If your organization is struck by ransomware and the decision is made not to pay the ransom, it is advised to stall the threat actor before informing them of this decision (“Stall and Call”), so that you can pull expertise into the room as quickly as possible, make the best next-step decisions, and prepare for any additional actions, such as DDoS attacks or data publication. In this scenario, you already know that systems are down and that no decryption key will be delivered to restore your data and systems. It is recommended that, in addition to contacting law enforcement and your cyber insurance carrier (who will bring in a range of experts), you advocate for cyber restoration assistance to minimize downtime, facilitate malware removal, and expedite forensics work.

Ransomware is everyone’s problem

The costs of ransomware continue to climb, and the costs associated with business interruption now drive 60% of cyber losses for the insurance industry, increasing overall rates. Most companies that have not yet been affected wonder when they will be; few feel completely immune, as threat actors find such a wide span of vulnerabilities to penetrate organizations. Until it strikes your organization, it’s difficult to know how broadly it will impact your systems, whether paying the ransom will be the right decision, and what ramifications it will have for your long-term future. The best course is to prepare for a range of scenarios and have a plan to react, respond, and restore so your business can resume operations, saving revenue, customer relationships, and jobs.