It’s the call you hope you never get. Your company has been hit with a ransomware attack. Your systems are offline. Your customer data was stolen by an unknown threat actor who is threatening to leak it. You have lots of questions and few answers. And now, in the midst of this crisis, you need to decide whether to pay the ransom.
A Growing Problem
Ransomware¹ and digital extortion² incidents are on the rise. U.S. cybersecurity authorities reported a significant increase in ransomware incidents in 2021. According to a recent analysis, more than 600 ransomware-related suspicious activity reports were filed with the United States Department of the Treasury Financial Crimes Enforcement Network (FinCEN) in the first half of the year alone, implicating nearly every sector of the United States economy.
Hackers continue to professionalize, offering commoditized “ransomware as a service” for hire. There are more vulnerabilities than ever to exploit, and the pandemic-induced shift to remote work has exposed additional attack surfaces. Threat actors are doing less “big game” hunting and are instead hitting a larger number of midsize businesses, which draw less scrutiny and are often easier to compromise, so the attackers still achieve volume. And extortion strategies are diversifying: hackers aren’t simply locking up networks; they are exfiltrating data and threatening to release it on public leak sites.
And a Profitable One
Of course, the overarching reason for the proliferation of ransomware attacks is that they are profitable. In its recent Financial Trend Analysis, FinCEN projected that the total value of ransomware-related transactions reported in 2021 alone would exceed that of the previous 10 years combined; in just the first half of 2021, identified ransomware-related transactions amounted to $590 million. And that figure captures only the value of reported ransomware events.
Against this ever-growing threat of ransomware, businesses need to take precautions. They should—and, increasingly, are required to—invest in network defenses to thwart ransomware attacks before they happen and formulate incident response plans to respond and recover when the hackers succeed in gaining access. But businesses should also consider when and in what circumstances they would make a payment to a threat actor in a ransomware event. Importantly, the time to think through those considerations is not during an event, but before one happens.
The U.S. government generally discourages paying ransoms, because payment rewards and funds threat actors and incentivizes further attacks. Before an attack, many businesses take the same approach and maintain a “no payments under any circumstances” principle. Yet, in the throes of a ransomware event, pressure points arise that have caused companies to rethink that principle and, in some cases, change their position or at least make an exception.
Each ransomware and digital extortion event presents a unique set of challenges. They vary based on, among other things, the characteristics of the threat actor or the threat actor group, the type of attack and strain of malware, the persistence of the attack, the victim’s ability to restore and recover data, and the victim’s risk tolerance.
With this variation, we believe that a one-size-fits-all decision tree with “pay” or “not pay” outcomes is not feasible. Instead, we offer the following insights from our experience on the frontline, which every business can use to inform the ultimate decision on payment:
- Intelligence. It is critical to make a thorough attempt to identify the attacker and the ransom recipient. This diligence implicates both insurance and sanctions concerns. In a 2021 advisory, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) highlighted the sanctions risks of facilitating ransomware payments, risks that fall on the victim making the payment as well as on intermediaries such as insurers, negotiators and payment processors.
  - Known Ransomware and/or Threat Actor. Can you identify the threat actor and/or the variant or strain of ransomware? If so, is there a track record of what happens when payment is made? Is there a danger of re-extortion by the threat actor? Does your incident response provider already have a working decryptor or key from a prior client matter involving the same attacker?
  - Availability of Benchmarking and/or Intelligence. Can you gather intelligence from your incident response provider or a ransomware negotiator? Do you have benchmarks for: (i) general threat actor trends; (ii) what others have paid this group or for this variant of malware; (iii) whether the decryptor supplied after payment actually worked, and whether it was clean or carried additional malware; (iv) whether the threat actor leaked exfiltrated data notwithstanding payment and promises to delete it; and (v) whether the threat actor came back after payment to re-extort the company?
- Law Enforcement. There are important reasons to contact law enforcement before deciding whether to pay a ransom demand. Law enforcement generally discourages ransom payments, in part to avoid incentivizing further attacks. But law enforcement appreciates that business realities sometimes compel payment, and agencies like the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) can supply useful intelligence, while a documented report to them can serve regulatory and insurance purposes.
  - Additional Intelligence. Do you have an existing connection to law enforcement that you or your counsel can leverage to obtain intelligence on the threat actor, or know-how about recovery and decryption without paying?
  - Insurance Requirements. Does your carrier require you to notify law enforcement as a precondition for covering a ransom payment? If so, consider filing a report with the FBI’s Internet Crime Complaint Center (IC3).
  - OFAC Guidance. Are you uncertain whether you would be paying a sanctioned entity or an actor in a sanctioned country? If so (and as we discussed in a recent update), OFAC will consider a complete report to law enforcement made before payment as a voluntary self-disclosure under its Enforcement Guidelines, a significant mitigating factor if the payment is later found to have a sanctions nexus.
- Business Continuity. From an IT and business perspective, businesses should carefully consider the scope of the ransomware attack and the economics of the likely business downtime, significant IT costs and time to rebuild. The following questions are critical for understanding general preparedness.
  - Encryption. Are some or all of your systems encrypted by the ransomware?
  - Impact. Which systems house your most sensitive data? Does the encryption disrupt critical business functions and critical information repositories? How pervasive is the disruption?
  - Recovery and Downtime. Can the company restore functions quickly and adequately? Does the company have unaffected, up-to-date backups that have actually been tested for restoration (or were backups unavailable, encrypted or deleted in the attack)? Is the business’s cost of lost data and/or restricted access significantly higher than the ransom?
- Exfiltration. Companies should consider the potential consequences of the threat actor’s exfiltration of data. It is critical to conduct a thorough forensic analysis of the breach to understand the extent of any exfiltration; the threat actor’s own claims about what was taken should not be relied on without verification. If data was stolen, the impacts on the company can be multiple: loss of key IP, compromise of financial reporting information, regulatory fines and possible class actions for personal data breaches, and public disclosure of embarrassing, confidential or sensitive information.
  - The Prospect of Regulatory Notification, Costs and Class Actions. Does the exfiltrated data contain sensitive customer or other third-party information that would require notification to data subjects and/or regulators and expose the company to litigation?
  - Loss of Key Business Crown Jewels. Does the exfiltrated data contain sensitive business information, like trade secrets, whose publication would severely damage the company?
  - Lack of Ability to Control the Public Narrative. Can the company make any required notifications to government agencies and affected data subjects before the threat actor’s announced leak of personal, sensitive and valuable data?
- Consequences of Payment. When assessing a ransom payment, companies should meaningfully consider whether they have conformed with their insurance carrier’s payment prerequisites, and the governance and reputational aspects of payment.
  - Insurance. Will your cyber insurance carrier and policy cover the ransom payment? What requirements does your carrier impose before authorizing coverage for a ransom payment?
  - OFAC Considerations. Can you take steps to determine whether the threat actor or the payment recipient is a sanctioned party or located in a sanctioned country? What are the government enforcement risks and associated costs of making such a payment? Are you able to assess the potential sanctions implications before paying? Considering these inquiries, is payment a legally permissible option?
  - Board/Shareholders. How will the board and/or shareholders react to the payment?
  - Reputation. How will news of the payment, if publicized, affect the company’s reputation?
Companies cannot answer most of these questions definitively before an attack. But, given how widespread ransomware attacks have become, they should anticipate how they would generally respond in common attack scenarios. Payment contingencies should be part of a company’s incident response plan and be updated to account for changes to the business and the threat landscape.
As always, Fenwick’s Privacy & Cybersecurity Practice stands ready to assist with incident response preparation and tabletop simulation training exercises, as well as response and recovery if the need arises, including advising on whether payment is the appropriate course.
1. Ransomware is a type of malicious software designed to block access to a computer system or its data, typically by encrypting it, until a sum of money is paid.
2. Digital extortion is the act of coercing an individual or company to pay, whether to regain access to systems or data or to prevent the release of stolen data.