When the bits hit the fan: What to do when ransomware strikes

Feature When I first became a company chief techie, the finance director patronisingly explained the basic asymmetry of prevention vs cure. Spending money on assets to stop an attack come out of capex, but spending after the disaster would be up to the insurer, with premiums deducted out of opex. Also, prevention costs reduced current bonuses.

But according to Bill Mew, founder and CEO of Crisis Team, who advises companies on how to escape the hole they are in, if you're expecting cyber insurance to come to your rescue – don't. His experience is that if it is a small claim, you will probably get paid eventually, if only to keep you from complaining too loudly.

The odds are... at least some of your backups have been compromised, since not only do ransomware flingers target them, but it's entirely possible they've been with you for months

However, as we have seen in the cases of the insurer Zurich American Insurance Company, which fobbed off damage claims after its client suffered NotPetya ransomware infections, if it's a large claim, there are exclusions that may mean you don't get a payout. Zurich infamously cited "Act of War" exclusion to its client Mondelez. Yes, really. (In october 2018, Mondelez sued Zurich for breach of its "all-risks" property insurance policy, looking to be made whole for $100m in losses. The litigation is ongoing.)

The reason Zurich could reach for this contractual clause is that both the US and the UK government pinned the blame for NotPetya on Russian criminals trying to damage the Ukrainian government. The logic from the insurer was that since the malware could be traced back to nation state actors, this could be considered "an act of war" (excluded in most insurance policies) - like finding a WWII bomb under your data centre. Of course, given that much malware is attributed to nation state groups, this does not bode well.

OK, so you've gone with an insurer anyway. Here's what to look out for

Some of the insurers sell themselves on having a list of recommended firms to help you in a crisis, from law to technical and – given that attacks now make front pages – PR.

But here's the thing. The technical people work for the insurer, not you, so while they provide help and untangle your systems, they will also be looking for the ways you have not complied with the "reasonable" precautions mandated by your policy.

Providing that every single piece of software is patched up to date, there are scanners on everything, a full inventory, all access is at least 2FA, you don't ever ignore alerts, your backups are regularly validated as is pentesting, and all this is documented – then that might not be a problem. But back in the real world, it is.

Keeping the "helpers" isolated is simply not an option as their work requires they go everywhere. And they will report back, because they want the next lucrative remediation. This means you might need to ask around for someone who will definitely be on your side.

In ordinary everyday screw-ups, there is blame to be redirected, shared and dodged, but in the worst cases the game theory switches from trying to blame others to absorbing it

Of course, if you're using an external firm to process data, this could be seen by the insurer as akin to letting your teenager drive your Ferrari and your claim may well fail, so your supply chain is exposed and likely uninsurable in any useful way.

Also, as we saw with the pandemic, some insurers will simply refuse to pay up if a lot of people get hit at once – and it's not all that hard to imagine ransomware causing just such an occurrence.

Mew compares it to assessing fire risk from looking at your office across the street, because a full examination of the risk surface and consequential losses for when it goes titsup is so hard and expensive that we both know you've never done it yourself.

Dead man's handle

So let's say the worst happens – and you discover data ain't your data any more.

Your first thought will be to cut internet access, which is rational but may move you to the next ring of Hell.

Thieves attacking your servers in search of credit card and other valuable data want to stay covert for as long as possible, but when they find they can't call home, they will go for the second bite and start encrypting your data. So you will need to shut down everything, but don't start with internet. Start with your backups, in case they are still viable.

The odds are, however, that at least some of your backups have been compromised, since not only do ransomware flingers target them, but if their motive is primarily theft, then it's entirely possible they've been with you for months. Infosec firm Cerberus Sentinel has quoted an average of 206 days, which like any other crime statistics is probably wrong, but in the right ballpark.

This means that restoring from storage is unlikely to get you out of this. And that applies to your offsite disaster recovery too, since it relies on those backups and quite likely those machines are infected as well.

You have been assimilated

Before you even think about connecting up to anything again, your machines need to be gone over with a fine-toothed comb, which goes beyond scanning machines for signatures but monitoring the network as they are brought back to detect anything that might be phoning home, and to sniff out unexpected data access patterns and spreading.

But there is an arms race. Infoseccers at Cerberus explained malware they have christened the Borg, which they said goes beyond the dead man's handle and tries to detect when network scans and other probes have gone quiet before it kicks into action. Scrupulous scans of your systems are necessary, said Cerberus, because 8 to 12 per cent of the assets the crooks find on the network aren't on the official lists, so if you are dealing with one of the more professional gangs, it's possible they know things about your estate that you don't and are hiding there.

In the age of the cloud, shadow IT needs little more than a corporate credit card and a contempt for the ability of IT to deliver. This means that when you take a look at your estate, you may find critical systems you never knew about, as well as the traditional Microsoft Access database or spreadsheet that turns out to be the only copy of vital customer info.

If they feel you're worth the effort, the ransomware gang will have spent time and effort casing the joint. So you will be faced with a hard choice of junking your hardware – which is Mew's preferred option – or having someone decontaminate it. Either way you're going to lose data and experience downtime, but as an IT pro you need to be upfront about this with management. This is survivable provided you set clear expectations and deliver on them, which is often more important than what you deliver.

That can mean paying a ransom. I've dealt with negotiations before, but it may be that the encrypted data is simply too critical to be lost and you have to pay. That's not yet illegal - although many strongly advise against it - and it will stick in your throat, but if you've reached that point, you need to make certain that your data can be retrieved. Do not expect for a second this means the crooks have destroyed their copy, however.

For Pete's sake, have a plan

Alternatively, any proper crisis plan that you've actually tested would be nice. Attacks are quite different to the system failures - for which most companies have at least a basic business continuity plan.

When you take a look at your estate, you may find critical systems you never knew about, as well as the traditional Microsoft Access database or spreadsheet that turns out to be the only copy of vital customer info

You need to be able to say what you are going to do. Everyone I've spoken to said that something like 90 to 95 per cent of those hit by ransom gangs have no proper cyber crisis plan. And like any other piece of software, you can't say it works because it looks like it does – you need to test it. This must go beyond one or two members of IT: you need a proper tabletop work-through with the people who would actually be dealing with such an attack in real life – not a team of a developers whose productivity won't be missed, a networker who was hired to keep corporate onside, or a new SOAS graduate representing finance – and no one from sales (who will moan they don't like geeky stuff and refuse to waste their time on it and tell you 'Sales outranks IT'.)

That's a fight you need to win, and there's lots of gory evidence to present to hammer the message through. In an attack you are dealing with a skilled active adversary and you should not be naïve enough to believe they will go along with your expectations. The person with an actual plan, even one that's not 100 per cent, is the one who gets to set the agenda and has a shot at saving their job and the firm that supports it.

You can't hide behind a cloud

As well as insurance exclusions for "hardware you don't own," a scary percentage of people seem to believe that if they use Amazon or Google's hosted services, their companies' data is under big tech's protective wing. However, the harsh reality is that if you can access the data, a piece of malware on your computer can do that too, even if some of the lower level attacks can't work on the cloud.

Let's not forget insider threat – there have been instances of disgruntled and/or bribed staff helping in an attack, and although there has been a stream of media coverage of breaches, a lot of them simply aren't reported sometimes because they fear reputational damage or, as Cerberus tells us, because governments fear that publicising the fact that critical parts of their supply chain have been compromised is giving too much detail away.

• Fighting an insurer over lockdown payout? UK policyholders just won an important COVID-19 test case
• Black-hat sextortionists required: Competitive salary and dental plan
• Cyberlaw wonks squint at NotPetya insurance smackdown: Should 'war exclusion' clauses apply to network hacks?
• How do we stamp out the ransomware business model? Ban insurance payouts for one, says ex-GCHQ director
• Cover for 'cyber' attacks is risky, complex and people don't trust us, moan insurers

I hope it doesn't shock you to learn that extortionists don't put all that much effort into their decryption software, so although – as ransomware negotiator Nick Shah has told us, you need to prove they can get your data back.

Ransomware victim Colonial Pipeline , which is said to have paid criminals $5m in May this year for a decryptor, reportedly found that it ran so terribly slowly that they might as well restore from backups and just take the hit of the data loss despite having paid the ransom.

So it may be that you need to spin up a whole pile of cloud instances to get your data back quickly enough, after all - your systems mean the business can still make sales. This also lowers the risk of the ransomware re-infecting your systems. But if you do pay the ransom and use a decryptor, you need to be ready for the fact that the data may have been mangled unintentionally – since encrypting live files is an inherently unreliable action and the criminal developers won't have been trying all that hard to manage its integrity.

Learn and survive

The worst time to learn crisis management is during one. You need to think hard about how you might protect your own position in what may be your first major crisis. In ordinary everyday screw-ups, there is blame to be redirected, shared and dodged, but - as mentioned - in the worst cases the game theory switches from trying to blame others to absorbing it.

Specialists usually find out what went wrong and that will tend to lead back to you, someone or something you manage. But in a Tier 1 crisis, once top management have got their heads around how bad it is and what you are doing to make it less bad, blaming others means you've created enemies who will bog down crisis meetings in their efforts to bounce it back at you, which seriously affects your career prospects.

You need to own the problem. If someone fires some blame at you, take it on board and try to make it part of what you are doing to get out of the hole, and let them make themselves look like part of the problem, while you are part of the solution.

You also need to set realistic timescales for how much data can be retrieved. They need to be pessimistic enough that you can most likely over-deliver but not so bad that you spread so much despair that you are ignored, replaced or make people give up. ®