Double-extortion ransomware: Two different considerations
Brian Lord, CEO
Double-extortion ransomware reflects the inevitable evolution of the digital version of kidnap and ransom. While information and digital security departments are becoming increasingly familiar with this emerging technique – the oft-overlooked consideration is that each part of the extortion can demand very different Board risk judgements. Organisations’ readiness for this type of conflicting debate and decision making is still developing, and the time to assess it is not when it is happening to you and the clock (sometimes two clocks) is ticking.
The journey to ‘double-extortion’?
Ransomware has been around for a long time and for several years has been a highly lucrative source of income for many criminal organisations. Their initial business plan was simple: people and organisations totally depend on data and technology for their lives and operations to meaningfully function. Remove their access to it and charge them money to restore access. Get your price point right and they will pay relatively quickly; even quicker if you put a time limit on it. They got their price point right, self-governed the pricing market and started off on individuals and micro/small businesses. And the victims did pay. In the millions. The criminals were helped, of course, by local law enforcement’s inability to do anything (or even really understand it), and any private help their victims might buy in came with a bill that was greater than the ransom, with no guaranteed chance of success.
Then came stage 2. Like any lucrative business, it had to evolve. The overall ‘cost of sale’—i.e. hitting thousands of little targets—was not optimal and gave little time for product development. Solution: sell the basic capability and target data to low-level criminals to go and harvest the small, low-hanging fruit while you concentrate on bigger targets. Same principle, but requiring more complicated techniques to succeed and with much, much higher price points. This business model is slightly more nuanced, introducing customer help lines of a type that put most legitimate organisations to shame; introducing the ability to negotiate the price down; and accepting a lower victim conversion rate. So, the price point was built accordingly. And the same principle worked: many victims paid and, alongside the franchised revenue from the low-level criminals who now preyed on the small victims, it remained a lucrative business.
Welcome to stage 3. Irritatingly for the criminals, their potential victims eventually reacted to the threat, and more robust back-up systems for critical data became more widespread. This seriously threatened a business model that depended upon victims’ inability to access their data or use their systems. While this wasn’t pain- or cost-free for the victims, it shifted the calculus much more towards the ‘don’t pay’ decision point. This was a threat to the criminals’ business model – one they weren’t prepared to walk away from just yet. Fully cognisant of increasing data privacy regulation, media interest and public expectations over data privacy, the criminals adopted double-extortion as one of their risk mitigation measures.
Before deploying the ransomware, the criminals would first take copies of large amounts of their victims’ data, and then deploy the ransomware as normal. The victims were then faced with one of two versions:
- The Hard Sell: the criminals deploy the ransomware and, if payment is not forthcoming (perhaps because the victim is confident in its back-ups), reveal the existence of the stolen data, with the associated threat that the data will be dumped in public view on the internet if the ransom is not paid.
- The Upsell: only upon receipt of the ransomware payment do the criminals reveal the existence of the stolen data, along with an additional, separate payment demanded to avoid public exposure.
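The sequence in the two bullets above gives a defender two separate chances to notice what is happening: a bulk outbound transfer first, then a burst of file rewrites on the same host. As an added illustration (not code from the original article or from PGI), the Python script below correlates those two signals over constructed sample telemetry. The hosts, byte volumes, file paths, timestamps and the thresholds themselves are all assumptions for the example, not values from the page; a real deployment would tune them to the organisation’s own baseline.

```python
"""Added example (not from the original article): a two-stage correlation that
looks for the double-extortion sequence described in the text, i.e. bulk
outbound transfer (exfiltration) followed by a burst of file rewrites
(encryption). All hosts, sizes, paths, thresholds and timestamps are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

GB = 1024 ** 3
EXFIL_BYTES = 5 * GB                 # outbound volume per host that counts as bulk transfer (assumed)
EXFIL_WINDOW = timedelta(hours=1)
BURST_WRITES = 20                    # file rewrites that count as an encryption burst (assumed)
BURST_WINDOW = timedelta(minutes=5)
LOOKBACK = timedelta(hours=48)       # how long after exfiltration a burst is still linked to it


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str          # "net_out" (bytes_out is set) or "file_write" (path is set)
    bytes_out: int = 0
    path: str = ""


def _sliding_starts(evs, weight, threshold, window):
    """Return the window-start timestamps at which the sum of weight() over a
    sliding time window reaches threshold (one entry per distinct start)."""
    evs = sorted(evs, key=lambda e: e.ts)
    starts, total, lo = set(), 0, 0
    for hi, e in enumerate(evs):
        total += weight(e)
        while evs[hi].ts - evs[lo].ts > window:   # shrink the window from the left
            total -= weight(evs[lo])
            lo += 1
        if total >= threshold:
            starts.add(evs[lo].ts)
    return sorted(starts)


def exfil_windows(events):
    """Per host: starts of one-hour windows with >= EXFIL_BYTES sent outbound."""
    by_host = defaultdict(list)
    for e in events:
        if e.kind == "net_out":
            by_host[e.host].append(e)
    return {h: _sliding_starts(evs, lambda e: e.bytes_out, EXFIL_BYTES, EXFIL_WINDOW)
            for h, evs in by_host.items()}


def write_bursts(events):
    """Per host: starts of five-minute windows with >= BURST_WRITES file rewrites."""
    by_host = defaultdict(list)
    for e in events:
        if e.kind == "file_write":
            by_host[e.host].append(e)
    return {h: _sliding_starts(evs, lambda e: 1, BURST_WRITES, BURST_WINDOW)
            for h, evs in by_host.items()}


def correlate(events):
    """Alert only when an encryption burst follows bulk exfiltration on the same
    host within LOOKBACK. Either signal alone is ignored, which keeps a nightly
    backup upload or a busy build job from paging anyone."""
    exfil, bursts = exfil_windows(events), write_bursts(events)
    alerts = []
    for host, burst_starts in bursts.items():
        for b in burst_starts:
            prior = [x for x in exfil.get(host, []) if timedelta(0) <= b - x <= LOOKBACK]
            if prior:
                alerts.append({"host": host,
                               "exfil_at": min(prior).isoformat(),
                               "burst_at": b.isoformat()})
    return alerts


# Constructed sample telemetry (hypothetical hosts and paths).
T0 = datetime(2020, 8, 1, 2, 0)
SAMPLE_EVENTS = (
    # ws-07: 3 x 2 GB out in 30 minutes, then 25 files rewritten in 2 minutes.
    [Event(T0 + timedelta(minutes=15 * i), "ws-07", "net_out", bytes_out=2 * GB) for i in range(3)]
    + [Event(T0 + timedelta(minutes=70, seconds=5 * i), "ws-07", "file_write",
             path=f"/srv/share/doc{i}.xlsx.locked") for i in range(25)]
    # ws-12: a 6 GB off-site backup with no encryption afterwards.
    + [Event(T0 + timedelta(hours=2), "ws-12", "net_out", bytes_out=6 * GB)]
    # ws-03: a build job rewriting 40 files with no prior bulk transfer.
    + [Event(T0 + timedelta(hours=5, seconds=3 * i), "ws-03", "file_write",
             path=f"/build/out/obj{i}.o") for i in range(40)]
)

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

Run on the sample data, only ws-07 produces an alert: ws-12 shows the transfer without the rewrites and ws-03 the rewrites without the transfer. The point of requiring both is that each signal on its own is common in a normal estate; it is the ordering, exfiltration then encryption, that matches the double-extortion pattern.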
The different risk judgement
Double-extortion attacks differ from regular ransomware at the Executive/Board decision making level. The payment of basic ransomware is, in most commercial sectors, a pure loss/gain financial decision (with additional regulatory considerations in some sectors). There’s a moral dilemma of course (funding global criminality; perpetuating success of criminal activity), but in the main, the decisions are invariably balance sheet dominated. This leads to challenging Boardroom discussions, but the debate is straightforward.
However, the second half of the double extortion is much more nuanced. Making a payment to avoid the public revelation of something that has already happened (remember the data has already been lost/compromised at this point) is a far more complicated and complex Board discussion. Doing so to avoid a regulatory disclosure is beyond the pale for most. But even accepting that a quiet disclosure to the ICO and other regulators may now be necessary, the reputational issue of paying extortion to deliberately avoid media scrutiny, shareholder scrutiny, client scrutiny and public scrutiny becomes very fraught, particularly with a clock ticking in the background.
Having helped steer Boards through these discussions both in table-top exercise form and in real life situations, I can safely say that the first time a Board has to undertake these very complex discussions should never be in real life, with a real clock ticking on the wall, with a non-functioning business in the background and six and seven figure payments in play.
Unfortunately for camera manufacturer Canon, it experienced this after refusing to pay attackers who took a number of its systems offline. Having refused the initial ransom demand—presumably either because it doggedly refused to pay, or because a compromise could not be negotiated—the criminals carried out their threat and published 2.2GB of data online.
Should a payment be made?
Just like human kidnap and ransom, the official law enforcement advice on ransomware remains that victims should not pay the demands. Firstly, because it funds illegal activities globally; secondly, because it perpetuates a crime that needs to be eradicated; and finally—and one of the main reasons—because there is no guarantee that you will get anything back even if you do pay. For example, in a recent independent survey by Sophos, of those organisations that were hit by ransomware and made the decision to pay, only 26% got their data back by paying the ransom.
There is no single answer to this predicament. Each case will have unique business circumstances and considerations which will vary depending on the nature of the business. For example, in some cases it has been reported that the cost of downtime to a business can be up to 10 times the amount of the demanded ransom, and some organisations have understandably elected to pay in order to minimise operational disruption. And sometimes the cost of fully rebuilding and replacing an entire compromised system itself gets dangerously close to the ransom cost (remember the criminals work out their ransomware pricing carefully). There is also the reassurance of being covered by a cyber insurance policy which in some cases, but not all, can cover the cost of the ransom (more on that later). As mentioned, invariably this is a pure business decision based upon gain/loss, where the ethics of funding criminality have a different weight in each different calculus. But if you have taken the difficult decision to pay, with visibility of all the prevailing risks of doing so, then negotiate the ransomware price down. Sadly, you are not negotiating a deal on a level playing field, but the initial asking price is always only the starting price in any negotiation.
However, on the issue of paying extortion to avoid having compromised data publicised, it is worth noting that I have yet to come across a case where making this payment outweighed the risks of not doing so (even where regulatory compliance was still met). There are many ways of negotiating a route through the many complex challenges that such a decision creates and managing the risks along the way. But don’t let the first time you undertake this process be when it is happening for real.
Don’t necessarily rely on your cyber insurance
As mentioned above, some organisations rest assured (sometimes in a false sense of security) that their ransomware payments are covered by a cyber insurance policy. Coalition, one of the largest cyber insurance providers in North America, recently reported a 260% increase in ransomware attacks amongst their policyholders in the first six months of 2020. These attacks accounted for 41% of the cyber insurance claims they received during this period.
However, it’s important to note here that their report also warns that one in five organisations has a major hole in its cyber security insurance and that, of the 84% of respondents who have cyber insurance policies, only 64% have insurance that covers ransomware attacks. And under the terms of policies, there is a difference between paying a ransom to restore access and making a payment to avoid publication of stolen data. A thorough review of cyber insurance cover is strongly recommended, and certainly don’t rely on existing insurance policies to mitigate the full impact of an attack.
How to mitigate the risk of double-extortion ransomware
Board decision-making on a good day can be a difficult process! Add in a crisis situation and the challenges multiply. Even more so when you’ve never considered the scenario before, are unfamiliar with the risks and have a wide range of stakeholders and other variables to think about. Board-level tabletop exercises provide organisations with an opportunity to take stock of how well any cyber incident would be handled – not at the technical level but at the level of governance decision making about the consequences.
PGI has worked with Board- and Executive-level teams to both identify the most likely threats their organisations face and work through the appropriate Board response. This is done in a sympathetic, non-threatening and non-disruptive environment that fully recognises many Boards’ lack of familiarity with the issues.
The first time you make a decision in a crisis like this should ideally not be in a real-world situation.
Technical and process considerations
It is important to gain an understanding of your maturity in preventing and responding to such an attack in the first place. We have helped many organisations do this using our Cyber Maturity Modelling framework. Our approach is particularly effective because it identifies and adjusts the technical cyber security controls and the information security controls and procedures that already exist (sometimes introduced for different purposes), as well as identifying areas that are vulnerable to contemporary cyber risk. The approach also measures these controls against maturity targets that are relevant to the organisation’s own risk tolerances as well as the prevailing legal, regulatory and compliance landscape.
The entry point (human) consideration
Considering that almost every attack requires some kind of human interaction to run—either by clicking on a link or opening an attachment—it is clear just how imperative it is to have a cyber-aware workforce who can identify and prevent this kind of threat. Our team has developed a phishing capability assessment with the purpose of measuring workforce cyber awareness and delivering targeted training to reduce the organisation’s risk exposure to this type of attack. To complement this, we also have a suite of cyber security awareness training that can help encourage the growth of an organisation’s security-minded culture—protecting business assets such as corporate intellectual property and improving data protection—and encourage good online behaviours to reduce corporate risk.