NZ Incident Response Bulletin September – 2019

Our Views:

A selection of issues relevant to Forensic and Cyber Security matters during the last month. This month’s theme is “Dealing with the rise in Ransomware”.

Ransomware Outbreak

Ransomware is a type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.

Ransomware continues to plague businesses worldwide. The Cybersecurity and Infrastructure Security Agency (CISA) has observed an increase in ransomware attacks across the world and considers it a leading risk to private and public organisations today. CISA has published specific advice in response to the recent ransomware threats.

Our experience also suggests that New Zealand organisations continue to be vulnerable to ransomware and need sound planning in order to respond to and recover from these events effectively. Sound preparation is the best way to combat or minimise the impact of a ransomware incident. You should consider steps such as:

  • Conducting a tabletop exercise centred on ransomware to fully investigate the various threats, defences and required response plans
  • Establishing a sound formal incident response plan for ransomware that includes a decision tree, covering each possible threat scenario identified and actions for response
  • Conducting a risk analysis to determine appropriate financial responses to a ransomware incident
  • Undertaking staff awareness and training
  • Testing your business continuity plan and procedures

Economics of Ransomware – To Pay or Not to Pay?

Generally, the payment of a ransom is discouraged as it may further encourage this type of criminal activity. Further, recovery of locked files is not guaranteed. Recent studies highlight that while more organisations are paying ransoms, up to 40% of those that paid still lost their data.

Recovering from a ransomware attack can be a time-consuming and costly exercise. Paying the ransom may therefore be a cheaper, or the only, option to recover data. A thorough cost-benefit analysis should be undertaken, with a clear understanding of all the risks involved, to assist in this decision.

The Ransomware Incident Response Process

In the unfortunate event that you are affected by ransomware, the following process can be used as a general guideline.

Ransomware response involves four key stages:

  • Stage 1: Incident Assessment and Specific Response Plan
  • Stage 2: Risk Assessment and Negotiation
  • Stage 3: Payment of the Ransom
  • Stage 4: Recovery

Stage 1: Incident Assessment and Specific Response Plan

Firstly, follow your Cyber Incident Response Plan or similar process to analyse your data, the urgency of your response effort, your budget, the ransomware variant and the threat actor (cyber-attacker). Cyber insurance providers may also require this information.

Your response team should be formed, including identifying authorised representatives. If required, external experts can assist you through the process. Recent variants of ransomware require additional technical steps to be undertaken by the victim, before the decryption keys are provided on payment of the demand. These steps further complicate the recovery process, which may increase the risk of not recovering data.

Activities undertaken by your experts will involve discovering the scope of the cyber-attack by collecting all ransomware IDs, ransom notes and samples of encrypted files. Where required, forensic copies of affected computers will be created. Additionally, the state of your backups should be assessed, and mitigations completed to prevent further spread of the malware. If you can successfully restore from backup, you should conduct a post-incident review; stages two, three and four below may then not be required.
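The evidence-gathering step above (ransomware IDs, notes, encrypted samples and their hashes) is easy to do inconsistently under pressure. The following script is an added example, not part of the bulletin or any vendor tool: it walks a directory, records each ransom note's text and hash, and keeps a capped set of encrypted-file samples with a Shannon-entropy check that flags files which may not actually be encrypted. The note-name keywords, the `.locked` extension and the sample tree in `demo()` are constructed assumptions for illustration.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
# Assumed heuristic (not from the bulletin): notes are small text/HTML files named for decryption or recovery.
NOTE_KEYWORDS = ("readme", "decrypt", "recover", "restore", "how_to")

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()  # chunked so large samples need not fit in memory
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; genuinely encrypted data sits close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_like_note(path: Path) -> bool:
    return path.suffix.lower() in (".txt", ".html", ".hta") and any(k in path.name.lower() for k in NOTE_KEYWORDS)

def build_manifest(root: Path, encrypted_ext: str, max_samples: int = 5) -> dict:
    """Inventory ransom notes plus a capped set of encrypted-file samples under root."""
    manifest = {"root": str(root), "encrypted_ext": encrypted_ext, "notes": [], "samples": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rec = {"path": str(p.relative_to(root)), "size": p.stat().st_size, "sha256": sha256_file(p)}
        if looks_like_note(p):
            rec["text"] = p.read_text(errors="replace")[:2000]  # keeps the victim ID and contact block
            manifest["notes"].append(rec)
        elif p.suffix.lower() == encrypted_ext.lower() and len(manifest["samples"]) < max_samples:
            head = p.read_bytes()[:4096]
            rec["original_name"] = p.stem  # "report.docx.locked" -> "report.docx"
            rec["entropy"] = round(entropy(head), 2)
            rec["suspect_not_encrypted"] = rec["entropy"] < 7.0  # low entropy: maybe partially or not encrypted
            manifest["samples"].append(rec)
    return manifest

def demo() -> dict:
    """Constructed sample tree (not from any real incident): one note, two encrypted files, one untouched file."""
    root = Path(tempfile.mkdtemp())
    (root / "README_TO_DECRYPT.txt").write_text("Your files are encrypted.\nID: EXAMPLE-ID-0001\n")
    for name in ("report.docx.locked", "budget.xlsx.locked"):
        (root / name).write_bytes(os.urandom(8192))  # random bytes stand in for ciphertext
    (root / "meeting.txt").write_text("agenda")
    return build_manifest(root, ".locked")
```

Run `build_manifest` against a forensic copy rather than the live disk, and store the resulting manifest with the copy so the hashes can later be matched against decryptor output.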

Stage 2: Risk Assessment and Negotiation

If you are unable to fully recover from backup, then you may need to pay the ransom.

When conducting negotiations for a ransomware payment, it is useful to have an expert who has dealt with this type of incident assist you. There are organisations that specialise solely in handling ransomware negotiations. They will work with you through this process to attempt to achieve the best outcome.

During this stage any known information about the threat actor will be reviewed, including whether they have been involved in prior negotiations and whether any information about them can be obtained from their cryptocurrency wallet address or other sources.

A risk assessment is then undertaken based on any insight found (e.g. how likely a settlement is to succeed, and whether the technical likelihood of decryption is high or low). You will set a ransom budget. Negotiations may take time but can also lower the ransom demand.

You will then supply a sample of encrypted files to the threat actor, who will then provide proof of decryption. It is preferable not to provide them with confidential information for this process; however, bear in mind that the threat actors may have viewed or copied your data during the cyber-attack.

Stage 3: Payment of the Ransom

Payment of the ransom to the threat actor may be required in cryptocurrency or in multiple payment forms. This is another reason why using an intermediary specialised in negotiation and ransom payment, who maintains cryptocurrency accounts, may be advisable.

If professional negotiators are engaged, an Anti-Money Laundering (AML) check is performed before any money is transferred, to ensure that none of the parties involved in the transaction (including the threat actor’s wallet address) are on an OFAC sanctions list.

The negotiating entity then manages the financial exchange.

Stage 4: Recovery

Once the decryption tool is received and run, troubleshooting of any files that failed to decrypt is undertaken, and occasionally further communication with the threat actor is required. Any clean data is moved to clean environments and standard restoration services are performed.

A post-incident review should always be undertaken, and any lessons learned adopted into your incident response plan.

For readers wishing to receive additional Forensic and Cyber Security information, the Premium Edition of the NZ Incident Response Bulletin is now available to clients who are subscribed to our Incident Response Retainer. The Premium Edition contains recent publications on Threat Alerts, Security Frameworks, Information Security Surveys, Forensic News and Research. Please contact us at support@incidentresponse.co.nz for further information or to request a one-off complimentary copy.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.