Should you pay a ransom or extortion demand?
CyberCX does not condone paying cybercriminals. There are also local and international laws that may apply to making ransom payments, which could lead to civil and criminal penalties. Both the Australian Cyber Security Centre and CERT NZ advise against paying ransoms.
We recognise that, in some situations, organisations feel compelled to consider paying a ransom. That decision should be the result of a thorough risk-based assessment, specific to the victim organisation’s circumstances.
Any organisation considering paying a ransom should carefully consider all the associated risks and also obtain appropriate advice.
Why are we having this conversation?
CyberCX does not condone paying cybercriminals. But we recognise that, in some situations, organisations feel compelled to consider paying a ransom.
We also know that there is limited (if any) information available to assist organisations in making this difficult assessment. That’s why we wrote this section of the Best Practice Guide. Both Australia and New Zealand continue to be permissive environments for cybercrime and, as we discussed in Part 1, the frequency and impact of cyber extortion is rising. At CyberCX, we want to see Australian and New Zealand organisations able to defend against and respond effectively to these crimes.
We also support a major step-up in law enforcement action against cybercriminals, including to disrupt their operations. If we all do our jobs well, many of the difficult considerations set out in this section may cease to be relevant.
However, this section of the Guide reflects the reality of today’s threat landscape and the difficult choices victim organisations in Australia and New Zealand are facing every day.
Should you pay a ransom?
Ransomware quick guide
Is there an immediate risk to health and safety?
Are there alternative ways to recover all, or some, of the encrypted data and systems?
Do the benefits of paying significantly outweigh the impacts of not recovering any residual encrypted data or systems?
Do the benefits of paying significantly outweigh the risks of paying?
Are there alternative ways to recover all, or some, of the encrypted data and systems?
Can you restore from backups?
Backups may themselves be compromised: attackers may have been inside the network when the backups were taken, before data was encrypted. Restored systems and data therefore need to be checked, and cleaned if necessary, before being returned to service.
Can you reverse and recover encrypted files through forensic methods?
This may be possible, especially in situations where the attack was not executed cleanly, and data was not properly encrypted. In several cases, CyberCX investigators have used forensic techniques to recover damaged data without needing to engage the attackers.
Can you rebuild systems from base installs?
This could include a hybrid approach where operating systems and applications are built from scratch, then production data is imported from backups.
Can you collect data from other sources?
Common sources include out-of-schedule backups, users or developers who may have stored local copies, or business partners who may have their own copies.
Exploring options for recovering your data or systems can take days or weeks. This phase does not need to be completed before engaging with the attacker.
In the event of a ransomware attack: Quick Guide (figure). *Seek legal advice before making any payment decision

Should you pay an extortion demand?
Data theft extortion quick guide
Key questions to ask
Is there an immediate risk to health and safety?
What is the potential impact of stolen data being leaked?
Can the impact be adequately mitigated?
Do the benefits of paying significantly outweigh the potential impacts of stolen data being leaked?
Do the benefits of paying significantly outweigh the risks of paying?
What is the potential impact of stolen data being leaked?
Determine what data was or may have been accessed or stolen
Note that it can take days or weeks to investigate whether and what data was accessed or stolen. This investigation phase does not need to be completed before engagement with the attacker. In fact, engaging with the attacker may inform this process, for example by obtaining proof of the information they claim to have stolen, although attackers should never be trusted as the sole source of evidence.
Review and categorise the accessed or stolen data to determine how to respond
Any data which has been accessed or stolen should be collected, catalogued, and prepared for searching and review by the investigation team. The data should be divided into the following four categories:
Personal Information (PI)
- Personal information is any information about an identified or identifiable individual. It can include data about a person which on the surface does not identify an individual, but which can reasonably be used to identify who it relates to through data matching, or through existing or attainable knowledge of a potential recipient.
- Determining ‘what is personal information’ requires assessing the sensitivity of the information and understanding the corresponding privacy risk. This often requires advice from a privacy expert.
Third party confidential information
- Many organisations have contracts in place which require notification of data breaches that may affect information related to third parties.
Organisational confidential information
- This includes information which may be confidential to the organisation, such as research and development, trade secrets or confidential financial data.
Security-related information
- This includes information that could be used to further compromise the organisation’s environment, including computer systems and networks, operational technologies, physical premises and assets, and its people.
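To make the cataloguing step concrete, here is an added example, not CyberCX’s tooling or code from the guide. It walks a recovered copy of the exfiltrated data set, records a SHA-256 for each file so that every catalogue row can be tied back to the evidence, and flags candidate review categories using illustrative pattern matching. The detector patterns, the directory layout and the constructed sample files built in demo() are assumptions; flagged files are candidates for the reviewer, not determinations, and as noted above deciding what is personal information still needs privacy advice.

```python
"""Catalogue a recovered copy of the exfiltrated data set and flag candidate
review categories. Added example, not CyberCX's tooling. The detector patterns,
the directory layout and the sample files built in demo() are assumptions."""
import hashlib
import re
import tempfile
from pathlib import Path

# Illustrative detectors only. Matches are candidates for a human reviewer
# (and, for personal information, for privacy advice), not determinations.
PI_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "au_mobile": re.compile(r"(?<!\d)(?:\+61\s?|0)4\d{2}[ -]?\d{3}[ -]?\d{3}(?!\d)"),
    "dob": re.compile(r"\b(?:date of birth|dob)\b", re.I),
}
THIRD_PARTY = re.compile(r"\b(nda|non-disclosure|customer contract|supplier agreement)\b", re.I)
ORG_CONFIDENTIAL = re.compile(r"\b(trade secret|board paper|forecast|commercial[- ]in[- ]confidence)\b", re.I)
SECURITY = re.compile(r"(password\s*[:=]|BEGIN (?:RSA |OPENSSH )?PRIVATE KEY|api[_-]?key\s*[:=]|\bvpn\b|firewall rule)", re.I)


def classify(text: str) -> dict:
    """Return the categories a text is a candidate for, with the indicators
    that fired, so the reviewer can see why a file was flagged."""
    hits = {}
    pi = [name for name, rx in PI_PATTERNS.items() if rx.search(text)]
    if pi:
        hits["personal_information"] = pi
    for category, rx in (("third_party_confidential", THIRD_PARTY),
                         ("organisational_confidential", ORG_CONFIDENTIAL),
                         ("security_related", SECURITY)):
        found = sorted({m.group(0).lower() for m in rx.finditer(text)})
        if found:
            hits[category] = found
    return hits


def catalogue(root: Path) -> list:
    """Walk the data set, record a SHA-256 per file so every catalogue row can
    be tied back to the evidence, and attach candidate categories. Files that
    are not UTF-8 text are catalogued but left for manual review."""
    rows = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        data = path.read_bytes()
        row = {"path": path.relative_to(root).as_posix(),
               "size": len(data),
               "sha256": hashlib.sha256(data).hexdigest(),
               "categories": {}}
        try:
            row["categories"] = classify(data.decode("utf-8"))
        except UnicodeDecodeError:
            row["needs_manual_review"] = True
        rows.append(row)
    return rows


def demo() -> list:
    """Build a small constructed data set (not real stolen data) and catalogue it."""
    root = Path(tempfile.mkdtemp())
    files = {
        "hr/staff.csv": b"name,email,mobile\nJane Citizen,jane@example.com,0412 345 678\n",
        "it/vpn_notes.txt": b"password: hunter2 for the VPN\n",
        "finance/board_paper.txt": b"FY forecast, commercial in confidence\n",
        "scan.bin": b"\xff\xd8\xff\xe0" + bytes(range(256)),   # binary, not classified here
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)
    return catalogue(root)


if __name__ == "__main__":
    for row in demo():
        print(row["path"], row["sha256"][:12], row.get("categories") or "manual review")
```

The hash is recorded before any classification so the catalogue stays usable as an evidence index even if the review tooling changes; binary and non-text files are kept in the catalogue and routed to manual review rather than silently dropped, because those are often the documents (scans, spreadsheets) that carry the most sensitive content.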
Do the benefits of paying significantly outweigh the potential impacts of the stolen data being leaked?
What might be the impacts of stolen data being published online?
For each of the categories of information above, assess the impacts of it being made public, and potential subsequent misuse, accounting for any actions taken to reduce these impacts.
What might be the possible benefits of paying the attackers to not publish the data online?
This assessment should be informed by threat intelligence on the attacker’s history of publishing, or not publishing, data following payment.
Do the benefits of paying significantly outweigh the risks of paying?
Victim organisations should assess the following:
Moral and ethical considerations, including that payment will almost certainly fund future criminal activity.
Risk that the attacker will not provide a decryption method, or that the method will not work on all data or systems. This risk can be partially mitigated by:
- Having the attacker decrypt sample files that you select before any payment is made.
- Threat intelligence on whether the attacker has a history of providing working decryption after payment.
Risk that the attacker will publish stolen data regardless of payment. This risk can be partially mitigated by:
- Threat intelligence on whether the attacker has a history of not publishing after payment.
Risk that the attacker will retain stolen data rather than delete it. This risk can be partially mitigated by:
- Threat intelligence on whether the attacker has a history of deleting data after payment.
Reputational harm or brand damage. This risk can be partially mitigated by:
- Crisis communications and effective stakeholder engagement.
Legal risks
- Ransom payments may be illegal and attract civil and criminal liability under both local and international laws. This includes laws prohibiting any form of financial payment to individuals or organisations that are subject to sanctions.
- The Australian Cyber Security Centre advises against paying ransoms, as does CERT NZ.
- Any organisation that is considering making a ransom payment should seek legal advice before making any decisions, as a payment may not be legally defensible depending on the circumstances.
In the event of a data theft extortion: Quick Guide (figure). *Seek legal advice before making any payment decision

What should organisations expect if they do or don’t pay?
Ransomware
What to expect if you pay
You should receive a decryption program.
This should decrypt files, but there is a risk that it won’t. The risk can be reduced by having the attacker decrypt some sample files that you provide; most attackers will invite you to do so.
You should also receive details of how the attack occurred, however in our experience, these are often incomplete or incorrect.
Given that cryptocurrency payments are not always secret, there is a possibility that the amount paid can be identified and disclosed.
What to expect if you don’t pay
You will likely not receive a decryption program and will either have to restore systems and data through other means or continue operating without restoring them.
There is a chance that, at some future time, a decryption method will be publicly released, for example if a cybercrime group releases it or is shut down. If the encrypted data is still needed, the victim organisation should retain it in case this occurs.
Data theft extortion
What to expect if you pay
The attacker should not post stolen data online. Any data previously posted online should be removed, along with references to your organisation; however, some groups are not thorough in removing all previous references.
The attacker should delete stolen data. They will often provide proof of destruction in some form. While some attackers have strong reputations for stolen data not being released after payments are made, they should never be trusted to provide absolute assurance.
It is important to note that even if an attacker does not publish stolen data, and claims to have deleted it, victim organisations may still have obligations to report the data theft to regulators, affected individuals and other stakeholders.
You should also receive details of how the attack occurred, however in our experience, these are often incomplete or incorrect.
Given that cryptocurrency payments are not always secret, there is a possibility that the amount paid is identified.
What to expect if you don’t pay
The attacker should be expected to post stolen data online.
In some cases, attackers do not post stolen data online even if victim organisations do not pay, however this should not be assumed, even if it has been previously observed.
Some attackers have been known to contact the customers of victim organisations, offering to remove just their data from publication, in exchange for a payment.
Some attackers also use confidential stolen information such as personal or medical records to extort the customers of victim organisations in a similar way.
Some attackers also use stolen information from a victim organisation to carry out subsequent attacks against related parties, for example using stolen documents and email addresses to craft phishing emails targeted at business partners.
Principles of engagement
Victim organisations often need to engage with their attackers, regardless of whether they ultimately negotiate a payment.
There are strategies victim organisations can use to engage with their attacker successfully and safely.
There are reasons for engaging with an attacker other than to negotiate a payment.
Depending on what an organisation aims to achieve, engagement can be established at various stages of an attack. It can provide some degree of control over the situation, while the organisation determines the best course of action. It can also be used to obtain information that complements evidence recovered by forensic investigators which can help defenders respond to the attack or protect themselves in the future.
Key objectives of attacker engagement include:
To confirm what information was stolen from the network
There are two key ways to confirm what information was stolen from a network and both should be performed in cases where this has potentially occurred:
- Locating evidence through a forensic investigation.
- Obtaining proof directly from the attacker.
In a forensic investigation, this can be one of the more difficult elements of an attack to reconstruct, since it relies on evidence of exfiltration still existing and being complete.
To know when the attacker will publish stolen data online
Engaging with an attacker provides a degree of insight into their next steps. While a genuine dialogue is under way, there is less chance that stolen data will be published online. Having some insight into this timeframe is valuable while the organisation is still working through its decision.
To learn about the attack (or not)
Although a forensic investigation can reconstruct most steps in an attack, its completeness is based upon the availability and completeness of evidence. If any investigative questions remain unanswered, these could be solicited from the attacker.
Many attackers will provide details of the attack after receiving payment. Some will even offer security remediation advice to prevent future similar attacks. However, in CyberCX’s experience, attackers are often inaccurate or incomplete with the information they provide. This is to be expected, as attackers want to protect their methods. Importantly, the advice of a criminal should not be used as the sole basis of formal investigation reporting nor future security remediation.
To confirm that data can be decrypted
Most attackers will offer to decrypt sample files as proof that it can be performed. Care should be taken when supplying sample files, to ensure that viable ‘proof-of-life’ is obtained.
Sample files should:
- Be chosen by the victim organisation, not the attacker
- Contain no personal or confidential data
- Be specific to the victim organisation
- Have contents that can be readily verified once decrypted.
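The parts of the sample-file criteria that are mechanical can be enforced mechanically. The following is an added example, not code from the guide or from CyberCX: it screens candidate encrypted files against assumed rules (a ransomware suffix of .locked, directories assumed likely to hold personal or confidential data, an organisation marker string "acme" in the filename) and then checks what the attacker sends back by validating the structure of the expected file type, including recomputing member CRCs for docx/xlsx/pptx containers, and by comparing a SHA-256 against a pre-incident copy where one exists. The names, suffixes and the constructed inputs in demo() are assumptions.

```python
"""Screen proof-of-life sample files and verify the attacker's decrypted output.
Added example, not CyberCX's tooling. ENCRYPTED_EXT, EXCLUDED_DIRS, ORG_MARKER
and the inputs built in demo() are assumptions for illustration."""
import hashlib
import io
import zipfile
from pathlib import PurePosixPath
from typing import Optional

ENCRYPTED_EXT = ".locked"   # assumed suffix the ransomware appended to each file
EXCLUDED_DIRS = {"hr", "payroll", "finance", "legal", "customers"}  # assumed to hold PI/confidential data
ORG_MARKER = "acme"         # assumed token that ties a file to the victim (company or project code)


def looks_like_pdf(data: bytes) -> bool:
    # Header plus the %%EOF marker near the end of the file.
    return data.startswith(b"%PDF-") and b"%%EOF" in data[-1024:]


def looks_like_png(data: bytes) -> bool:
    # Fixed 8-byte signature and the IEND chunk that closes every PNG.
    return data.startswith(b"\x89PNG\r\n\x1a\n") and data.endswith(b"IEND\xaeB`\x82")


def looks_like_ooxml(data: bytes) -> bool:
    # docx/xlsx/pptx are ZIP containers; testzip() recomputes each member's CRC,
    # so a decryptor that corrupts or truncates the file fails here.
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.testzip() is None and "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


VALIDATORS = {".pdf": looks_like_pdf, ".png": looks_like_png,
              ".docx": looks_like_ooxml, ".xlsx": looks_like_ooxml, ".pptx": looks_like_ooxml}


def screen_candidates(encrypted_paths: list) -> list:
    """Keep encrypted files that are safe and useful to hand over: outside
    directories likely to hold personal or confidential data, carrying the
    organisation marker, and of a type whose decrypted form can be checked."""
    kept = []
    for p in encrypted_paths:
        path = PurePosixPath(p)
        if path.suffix != ENCRYPTED_EXT:
            continue
        original = path.with_suffix("")          # strip the ransomware suffix
        if {part.lower() for part in path.parts} & EXCLUDED_DIRS:
            continue
        if ORG_MARKER not in original.name.lower():
            continue
        if original.suffix.lower() in VALIDATORS:
            kept.append(p)
    return kept


def verify_decrypted(original_name: str, decrypted: bytes,
                     known_sha256: Optional[str] = None) -> dict:
    """Structural check: the decryptor produced a well-formed file of the
    expected type. Hash check (when a pre-incident copy exists): it is the
    exact file, not merely a plausible one."""
    validator = VALIDATORS.get(PurePosixPath(original_name).suffix.lower())
    result = {"format_ok": bool(validator and validator(decrypted)),
              "sha256": hashlib.sha256(decrypted).hexdigest()}
    if known_sha256 is not None:
        result["hash_match"] = result["sha256"] == known_sha256.lower()
    return result


def constructed_ooxml() -> bytes:
    """A minimal docx-shaped container, constructed for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()


def demo() -> dict:
    """Constructed inputs (not incident data) exercising both checks."""
    docx = constructed_ooxml()
    pdf = b"%PDF-1.4\n1 0 obj << >> endobj\ntrailer << >>\n%%EOF\n"
    return {
        "screened": screen_candidates([
            "/share/projects/acme_plan.docx.locked",
            "/share/hr/acme_salaries.xlsx.locked",      # excluded directory
            "/share/projects/readme.txt.locked",        # no org marker
            "/share/projects/acme_diagram.png.locked",
            "/share/projects/acme_notes.locked",        # no verifiable original type
        ]),
        "docx_ok": verify_decrypted("acme_plan.docx", docx, hashlib.sha256(docx).hexdigest()),
        "docx_truncated": verify_decrypted("acme_plan.docx", docx[:-10]),   # decryptor stopped early
        "pdf_no_reference": verify_decrypted("acme_brief.pdf", pdf),
        "wrong_type": verify_decrypted("acme_brief.pdf", docx),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

A structural check is the minimum: it catches a decryptor that returns garbage, a truncated file or a file of the wrong type, which is exactly the failure mode the "risk it won’t work" caveat refers to. Where a clean pre-incident copy exists in a backup, the hash comparison is the stronger test and should be preferred.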
To get decryption keys or prevent publication of stolen data
The final reasons for engaging with attackers are the most obvious:
- To negotiate the purchase of a program that can be used to decrypt files and recover systems.
- To obtain agreement that the attacker will not post stolen data online.
How to engage with your attacker
Principles for success
“It’s not personal, it’s just business”
Cybercriminals are just that – criminals
While cybercriminals may provide assurances, and even have strong reputations for keeping their word, they cannot provide absolute certainty regarding their actions. It’s important to remember that you’re dealing with criminals, therefore there are no guarantees.
Obtain professional help
Victim organisations will be best supported by a professional services firm with operational experience both assisting victims and engaging with cybercriminals, and with access to high-quality threat intelligence. In non-cyber ransom or extortion cases, law enforcement or professional agencies provide advice, engage and communicate with the offenders, and complete any resolution. Cyber versions of these crimes should be treated the same.
Don’t rush
Organisations are often more inclined to pay ransoms in the early stages of an incident when the perceived impact is most dire. Attackers often employ tactics to create pressure on the victim organisation to pay at an early stage because they know that the more time that passes, the higher the chance that the victim organisation chooses alternate paths to resolution, which do not involve paying the criminals.
Ultimately, organisations should conduct negotiations on their own terms and on their own timeframe – having a clear incident response playbook ahead of time (per Part 2) and using the decision aids set out in Part 3 can help victim organisations keep the initiative.
Make intelligence-informed decisions
While every attack is different, cyber intelligence can inform decision-makers about:
- who the cybercriminals are
- how they are known to operate
- what to expect in response to the victim organisation’s actions
Every attack is different and every attacker will behave differently
Many of the major cybercrime groups are composed of affiliate members, so even subsequent engagements with the same group can play out in different ways. Threat intelligence about a cybercrime group is valuable and should be factored into decision-making, but it does not provide absolute certainty about what may happen next.
Principles for staying safe
Establish private communications
Most attackers will provide an initial channel to engage them in further communications. This will often be a link to their dark web site, but some groups operate email addresses through platforms that provide high levels of security and anonymity. Organisations should consider the privacy of any communications. In many cases, if an attacker provides a link to an online chat function on their dark web site, anyone with that link (for example, a user who found a ransom note on the network) can often see the transcript of the discussion. It is therefore worthwhile asking attackers to move communications to other channels.
Maintain personal security
Cybercriminals will not identify themselves – neither should you.
Another important strategy when dealing with cybercriminals is to remain anonymous. They only need to know they’re dealing with someone who is authorised by the victim organisation to deal with them. Personal safety is important; they should not know the identity of the person they’re dealing with.
Threat Actor Profile
Grief
The new kid on the ransomware block

Heightened global law enforcement attention on ransomware in 2021 has led some cybercriminal groups to close their operations either temporarily or permanently. The cybercriminals behind ransomware strains including Avaddon, DarkSide, REvil and Babuk either ceased or rebranded their campaigns in the first half of 2021. But history teaches us that ransomware groups disappear only for new ones to emerge, absorbing affiliates who are suddenly out of a job.
In the middle of a law enforcement crackdown on Cl0p, Emotet, Netwalker and others, Grief ransomware surfaced in 2021, infecting and leaking the sensitive data of at least 24 victims in the first two months of its existence. So far, Grief appears to be focused on small and medium sized businesses in industries that are particularly vulnerable to operational downtime caused by a ransomware infection.
This includes local government entities, retailers, hospitality providers, financial services firms and manufacturers. Grief’s Data Leak Site highlights the time and effort cybercriminals today spend on developing marketing and PR tools – all designed to influence victims into paying a ransom, quickly.
Like many cybercriminals, Grief’s operators have done their research on the victim’s legal and regulatory environment. Grief’s homepage informs victims that the European Union’s General Data Protection Regulation (GDPR) requires them to report a data breach within 72 hours of finding out about it. Grief’s infographics, which reference actual research reports, claim that the cost of downtime is 10x higher than the average ransom and adds up to several million dollars – presumably more than what Grief demands.
Grief’s website uses PR tactics to encourage victims to pay (figure).