Engaging with your attacker

Should you pay a ransom or extortion demand?

CyberCX does not condone paying cybercriminals. There are also local and international laws that may apply to making ransom payments, which could lead to civil and criminal penalties. Both the Australian Cyber Security Centre and CERT NZ advise against paying ransoms.

We recognise that, in some situations, organisations feel compelled to consider paying a ransom. This decision is the result of a thorough risk-based assessment, specific to the victim organisation’s circumstances.

Any organisation considering paying a ransom should carefully consider all the associated risks and also obtain appropriate advice.

Why are we having this conversation?

CyberCX does not condone paying cybercriminals. But we recognise that, in some situations, organisations feel compelled to consider paying a ransom.

We also know that there is limited (if any) information available to assist organisations in making this difficult assessment. That’s why we wrote this section of the Best Practice Guide. Both Australia and New Zealand continue to be permissive environments for cybercrime and, as we discussed in Part 1, the frequency and impact of cyber extortion is rising. At CyberCX, we want to see Australian and New Zealand organisations able to defend against and respond effectively to these crimes.

We also support a major step-up in law enforcement action against cybercriminals, including to disrupt their operations. If we all do our jobs well, many of the difficult considerations set out in this section may cease to be relevant.

However, this section of the Guide reflects the reality of today’s threat landscape and the difficult choices victim organisations in Australia and New Zealand are facing every day.

Should you pay a ransom?

Ransomware quick guide

If faced with a ransom demand, victim organisations should consider the following.

Are there alternative ways to recover all, or some, of the encrypted data and systems?

Can you restore from backups?

Can you reverse and recover encrypted files through forensic methods?

Can you rebuild systems from base installs?

Can you collect data from other sources?

Do the benefits of paying significantly outweigh the impacts of not recovering any residual encrypted data or systems?

What are the possible benefits of paying the attacker for decryption?

What are the residual operational impacts of data that cannot be recovered?

  • Risks to personal health and safety caused by systems disruption
  • Lost revenue while operations are disrupted
  • Contractual penalties for impacted delivery of products or services
  • Upstream or downstream costs of interrupted operations

What’s your legal and regulatory risk?

  • Risk of contractual claims or litigation resulting from operational interruption and breaches of contractual obligations
  • Regulatory action and fines due to a breach of a regulatory or licensing obligation

Do the benefits of paying significantly outweigh the risks of paying?

Victim organisations should assess the following:

  • Intelligence about the attacker, ideally tailored to your specific national, sectoral and organisational context
  • Having the attacker prove the decryption method
  • Threat intelligence on the history of successful recovery after paying the attacker
  • Crisis communications and effective stakeholder management
  • Ransom payments may be illegal and attract civil and criminal liability under both local and international laws. This can include laws prohibiting any form of financial payment to individuals or organisations that are subject to sanctions.
  • The Australian Cyber Security Centre advises against paying ransoms, as does CERT NZ.
  • Any organisation that is considering making a ransom payment should seek legal advice before making any decisions, as a payment may not be legally defensible depending on the circumstances.

What’s the risk of the attacker returning if I do pay the ransom?

Evidence on this question is varied. In CyberCX’s experience helping organisations across Australia and New Zealand, we have found that cybercrime groups rarely return for repeated attacks against the same victim organisations, whether they pay or not.

In our experience, if the victim organisation properly responds to the incident and remediates the security vulnerabilities that contributed to the breach, the chance of an attacker returning is significantly reduced.

In contrast, some industry reporting indicates that a significant proportion of victim organisations are attacked again, even after they pay a ransom. One global survey by Cybereason of 1,263 respondents found that 80% of organisations who paid a ransom experienced another attack, and that nearly half of those (46%) believed it was the same attacker.[3] This survey included no respondents from Australia or New Zealand and focused on the Technology and Manufacturing sectors.

CyberCX has not seen strong evidence that paying a ransom makes an organisation more of a target for future attacks.

We have observed cases where organisations in Australia and New Zealand were attacked by different cybercrime groups in reasonably short succession. In some cases this occurred despite the victims strongly refusing to pay the attackers. We have also observed repeated attacks due to initial access brokers providing the same compromised network access to multiple parties.

Should you pay an extortion demand?

Data theft extortion quick guide

A victim organisation which receives an extortion demand during a data theft incident should consider the following.

What is the potential impact of stolen data being leaked?

Determine what data was or may have been accessed or stolen

Review and categorise the accessed or stolen data to determine how to respond

  • Personal information is any information about an identified or identifiable individual. It can include data about a person which on the surface does not identify an individual, but which can reasonably be used to identify who it relates to through data matching, or through existing or attainable knowledge of a potential recipient.
  • Determining ‘what is personal information’ requires assessing the sensitivity of the information and understanding the corresponding privacy risk. This often requires advice from a privacy expert.
  • Many organisations have contracts in place which require notification of data breaches that may affect information related to third parties.
  • This includes information which may be confidential to the organisation, such as research and development, trade secrets or confidential financial data.
  • This includes information that could be used to further compromise the organisation’s environment, including computer systems and networks, operational technologies, physical premises and assets, and its people.

Do the benefits of paying significantly outweigh the potential impacts of the stolen data being leaked?

What might be the impacts of stolen data being published online?

What might be the possible benefits of paying the attackers to not publish the data online?

Do the benefits of paying significantly outweigh the risks of paying?

Victim organisations should assess the following:

  • Threat intelligence on whether the attacker has a history of not publishing after payment.
  • Threat intelligence on whether the attacker has a history of deleting data after payment.
  • Crisis communications and effective stakeholder engagement.
  • Ransom payments may be illegal and attract civil and criminal liability under both local and international laws. This can include laws prohibiting any form of financial payment to individuals or organisations that are subject to sanctions.
  • The Australian Cyber Security Centre advises against paying ransoms, as does CERT NZ.
  • Any organisation that is considering making a ransom payment should seek legal advice before making any decisions, as a payment may not be legally defensible depending on the circumstances.

What should organisations expect if they do or don’t pay?

Ransomware

What to expect if you pay

You should receive a decryption program.

This should decrypt your files, but there is a risk that it won’t. This risk can be partly mitigated by having the attacker decrypt some sample files that you provide; most attackers will invite you to do so.

You should also receive details of how the attack occurred, however in our experience, these are often incomplete or incorrect.

Given that cryptocurrency payments are not always secret, there is a possibility that the amount paid can be identified and disclosed.

What to expect if you don’t pay

You will likely not receive a decryption program and will either have to restore systems and data through other means or continue operating without restoring them.

There is a chance that at some future time a decryption method will be publicly released, for example if a cybercrime group releases it or is shut down. If the encrypted data is still needed, the victim organisation should retain it in case this occurs.

Data theft extortion

What to expect if you pay

The attacker should not post stolen data online. Any data previously posted online should be removed, along with references to your organisation; however, some attack groups are not thorough in removing all previous references.

The attacker should delete stolen data. They will often provide proof of destruction in some form. While some attackers have strong reputations for stolen data not being released after payments are made, they should never be trusted to provide absolute assurance.

It is important to note that even if an attacker does not publish stolen data, and claims to have deleted it, victim organisations may still have obligations to report the data theft to regulators, affected individuals and other stakeholders.

You should also receive details of how the attack occurred, however in our experience, these are often incomplete or incorrect.

Given that cryptocurrency payments are not always secret, there is a possibility that the amount paid is identified.

What to expect if you don’t pay

The attacker should be expected to post stolen data online.

In some cases, attackers do not post stolen data online even if victim organisations do not pay, however this should not be assumed, even if it has been previously observed.

Some attackers have been known to contact the customers of victim organisations, offering to remove just their data from publication, in exchange for a payment.

Some attackers also use confidential stolen information such as personal or medical records to extort the customers of victim organisations in a similar way.

Some attackers also use stolen information from a victim organisation to carry out subsequent attacks against related parties, for example using stolen documents and email addresses to craft phishing emails targeted at business partners.

Principles of engagement

There are reasons for engaging with an attacker other than to negotiate a payment.

Depending on what an organisation aims to achieve, engagement can be established at various stages of an attack. It can provide some degree of control over the situation, while the organisation determines the best course of action. It can also be used to obtain information that complements evidence recovered by forensic investigators which can help defenders respond to the attack or protect themselves in the future.

Key objectives of attacker engagement include:

There are two key ways to confirm what information was stolen from a network and both should be performed in cases where this has potentially occurred:

  • Locating evidence through a forensic investigation.
  • Obtaining proof directly from the attacker.

In a forensic investigation, this can be one of the more difficult elements of an attack to reconstruct, since it relies on evidence of exfiltration still existing and being complete.

Engaging with an attacker provides a degree of insight into their next steps. While a genuine dialogue is under way, there is less chance that stolen data will be published online. Having some insight into this timeframe is valuable while the organisation is still working through its decision.

Although a forensic investigation can reconstruct most steps in an attack, its completeness is based upon the availability and completeness of evidence. If any investigative questions remain unanswered, these could be solicited from the attacker.

Many attackers will provide details of the attack after receiving payment. Some will even offer security remediation advice to prevent future similar attacks. However, in CyberCX’s experience, attackers are often inaccurate or incomplete with the information they provide. This is to be expected, as attackers want to protect their methods. Importantly, the advice of a criminal should not be used as the sole basis of formal investigation reporting nor future security remediation.

Most attackers will offer to decrypt sample files as proof that it can be performed. Care should be taken when supplying sample files, to ensure that viable ‘proof-of-life’ is obtained.

Sample files should:

  • Be chosen by the victim organisation, not the attacker
  • Contain no personal or confidential data
  • Be specific to the victim organisation
  • Have contents which are reasonably identified when decrypted.

The final reasons for engaging with attackers are the most obvious:

  • To negotiate the purchase of a program that can be used to decrypt files and recover systems.
  • To obtain agreement that the attacker will not post stolen data online.

How to engage with your attacker

Principles for success

While cybercriminals may provide assurances, and even have strong reputations for keeping their word, they cannot provide absolute certainty regarding their actions. It’s important to remember that you’re dealing with criminals, therefore there are no guarantees.

Victim organisations will be best supported by a professional services firm with operational experience both assisting victims and engaging with cybercriminals, and with access to high-quality threat intelligence. In non-cyber ransom or extortion cases, law enforcement or professional agencies provide advice, engage and communicate with the offenders, and complete any resolution. Cyber versions of these crimes should be treated the same.

Organisations are often more inclined to pay ransoms in the early stages of an incident when the perceived impact is most dire. Attackers often employ tactics to create pressure on the victim organisation to pay at an early stage because they know that the more time that passes, the higher the chance that the victim organisation chooses alternate paths to resolution, which do not involve paying the criminals.

Ultimately, organisations should conduct negotiations on their own terms and on their own timeframe – having a clear incident response playbook ahead of time (per Part 2) and using the decision aids set out in Part 3 can help victim organisations keep the initiative.

While every attack is different, cyber intelligence can inform decision-makers about:

  • who the cybercriminals are
  • how they are known to operate
  • what to expect in response to the victim organisation’s actions

Many of the major cybercrime groups are composed of affiliate members, so even subsequent engagements with the same group can play out in different ways. Threat intelligence about a cybercrime group is valuable and should be factored into decision-making, but it does not provide absolute certainty about what may happen next.

Cybercriminals often apply the ‘it’s just business’ approach to their communication and negotiation. We find that adopting a similar approach helps organisations achieve the best outcome, whether they choose to pay attackers or not.

Principles for staying safe

Most attackers will provide an initial channel to engage them in further communications. This will often be a link to their dark web site, but some groups operate email addresses through platforms that provide high levels of security and anonymity. Organisations should consider the privacy of any communications. In many cases, if an attacker provides a link to an online chat function on their dark web site, anyone with that link (for example, a user who found a ransom note on the network) can often see the transcript of the discussion. It is therefore worthwhile asking attackers to move communications to other channels.

Cybercriminals will not identify themselves – neither should you.

Another important strategy when dealing with cybercriminals is to remain anonymous. They only need to know they’re dealing with someone who is authorised by the victim organisation to deal with them. Personal safety is important; they should not know the identity of the person they’re dealing with.

Threat Actor Profile

Grief

The new kid on the ransomware block

Heightened global law enforcement attention on ransomware in 2021 has led some cybercriminal groups to close their operations either temporarily or permanently. The cybercriminals behind ransomware strains including Avaddon, DarkSide, REvil and Babuk either ceased or rebranded their campaigns in the first half of 2021. But history teaches us that ransomware groups disappear only for new ones to emerge, absorbing affiliates who are suddenly out of a job.

In the middle of a law enforcement crackdown on Cl0p, Emotet, Netwalker and others, Grief ransomware surfaced in 2021, infecting and leaking the sensitive data of at least 24 victims in the first two months of its existence. So far, Grief appears to be focused on small and medium sized businesses in industries that are particularly vulnerable to operational downtime caused by a ransomware infection.

This includes local government entities, retailers, hospitality providers, financial services firms and manufacturers. Grief’s Data Leak Site highlights the time and effort cybercriminals today spend on developing marketing and PR tools – all designed to influence victims into paying a ransom, quickly.

Like many cybercriminals, Grief’s operators have done their research on the victim’s legal and regulatory environment. Grief’s homepage informs victims that the European Union’s General Data Protection Regulation (GDPR) requires them to report a data breach within 72 hours of finding out about it. Grief’s infographics, which reference actual research reports,[6] claim that the cost of downtime is 10x higher than the average ransom and adds up to several million dollars – presumably more than what Grief demands.

Grief’s website uses PR tactics to encourage victims to pay
