Alert for Ransomware Attack Victims: Here's How to Respond
Ransomware-Battling Veteran Fabian Wosar Describes Essential Steps and Challenges
As ransomware continues to pummel organizations, if they do get hit, then from an incident response standpoint, what are the essential first steps they should take to smooth their recovery?
"The first thing they should do is isolate the affected systems from the network. The last thing you want is … the infection spreading to other systems," says Fabian Wosar, CTO of Emsisoft, who has spent the past 10 years working to disrupt the criminal business model and help organizations navigate their recovery efforts with data-restoration tools.
"The next step is figuring out how they got in … and the next step after that is, make sure that your backups are secure. And it's absolutely important that you don't access those backup servers using any of the already compromised infrastructure, the reason being that sometimes ransomware is still running on them."
Victims: Research Your Options
How organizations proceed from there depends on whether they have working backups, Wosar says. If not, and a victim decides to investigate paying a ransom - which he never advocates - then he recommends they use a professional negotiating service with knowledge of individual ransomware operations, including typical ransom pricing and whether they tend to provide a decryptor.
In addition, Wosar recommends reaching out to other organizations, including his firm, for free advice on any other approaches that might be available for recovering data. "Honestly, I have seen quite a couple of cases where ransoms were paid, even though it wasn't necessary, and that always pains me greatly," he says.
In this audio interview with Information Security Media Group, Wosar discusses:
- Essential response steps when organizations discover they've been hit by ransomware-wielding attackers;
- Best practices for working with cyber insurers, incident responders and ransomware negotiators;
- Questions to ask whenever weighing any attempt to recover by paying a ransom, as opposed to restoring from backups or - sometimes - being able to use free decryptors or unpublicized workarounds.
Wosar is CTO of Emsisoft, where he works to actively disrupt the ransomware ecosystem as well as assist victims, in part via decryption tools.
Mathew Schwartz: Ransomware continues to pummel numerous organizations. From an incident response standpoint, if an organization gets hit by ransomware, what are the essential first steps they should take? To help me answer that question, I'm joined by Fabian Wosar, the CTO of Emsisoft. Fabian, thanks so much for sharing your time and insights today with me.
Fabian Wosar: You're very welcome, Mathew.
Mathew Schwartz: I think a huge question that many organizations face - and unfortunately, too many of them don't know that they should have already known the answer - is: they get hit by an attack that disrupts their systems, and which might be ransomware. So if you were in their shoes, what do they do next? What are the essential next steps for them to take?
Fabian Wosar: So the first thing they should do is kind of isolate the affected systems from the network. The last thing you want to do is kind of, yeah, the infection spreading to other systems. Nowadays, especially when you get hit by larger ransomware, yeah, kind of larger ransomware groups, they already did their homework and made sure that they had access to all the systems at the time they pulled the trigger for the ransomware. So it probably doesn't do much, but it's still a good precaution to take.
Now the next step is kind of figuring out how they got in. Now, most companies probably won't have the resources and the knowledge and experience to kind of trace back the steps and figure out how exactly the attackers accessed the network in the first place. And so that's usually where you probably should talk to your insurance providers if you do have cyber insurance. Or go and look for digital forensic and incident response companies who can help you with that task.
The next step after that is kind of make sure that your backups are secure. And it's absolutely important that you don't access those backup servers using any of the already, kind of, compromised infrastructure. The reason being that sometimes ransomware is still running on them.
And the moment you kind of connect to your external hard disk or the moment you kind of connect to two different networks and mount like backup volumes for example, they will readily go and encrypt your backups as well.
Well, now in most cases nowadays, unfortunately, it's also the case that - as I said, again - the cybercriminals did their homework and they compromised your backups, like long before they deployed the ransomware. So the backups are most likely unusable. But it's still kind of a best practice.
Now, from there it all kind of depends, like, do you still have working backups? In that particular case, you can probably get away with just notifying the authorities about the breach. You kind of have to keep in mind that every single ransomware incident and ransomware breach is also essentially a data breach, since some unauthorized people had access to potentially very critical data of your clients, for example.
So reach out to the ICO, for example, here in the U.K., or whatever the data protection organization is in your particular country.
And also, like a very, very important thing, please do report it to law enforcement. It's always very shocking to me when my team and I kind of find the origin servers of ransomware. And we know that 'Oh, yeah, this server is located in this country,' and we reach out to the law enforcement agencies in that particular country, and they tell me, 'Oh, yeah, we can't do anything, because nobody has reported anything.' And without a report, a lot of these law enforcement agencies have no authority to act at all. So please do report it.
Now, if you do have backups, try to recover everything from the backups. If your backups also got hit, or the attackers exfiltrated a lot of data so they not only ransom you for access to your data but also threaten to release that data, that's the point where a lot of companies kind of start to consider paying the ransoms.
And I know there are like a lot of different kinds of views when it comes to whether or not you should pay ransom.
Obviously, if you can avoid it at all costs, please do, because your ransom payment, essentially, is financing the operation that hits the next couple of victims. And it's like kind of this endless, perpetual cycle, where people have to pay ransoms in order for their companies not to go under. But in turn, you also condemn other companies to like a similar fate, right?
Now, if you do have to pay a ransom, because either the data that was stolen would kind of ruin your entire company, or you don't have backups and you can't rebuild the data from scratch, so to say, since it's not practical, then I would strongly suggest going to a professional negotiating service. The reason for that is, well, there are like a couple of practical reasons like, yeah, the ransomware negotiators can actually give you a proper invoice, and you don't have to explain to your local tax service what that huge bitcoin transfer was, right?
But the other one is that a lot of these negotiating services like Coveware, for example, they have like vast experience when it comes to handling these cases. They have large databases that allow them to kind of give you an idea how long it's going to take, whether or not the threat actor will just take your money and run. And they will also have valuable insight into whether or not the decryptor that you will get back when you pay the ransom is actually working. Because not all these decryptors actually perform reasonably well, a lot of them kind of have issues.
Mathew Schwartz: Well, that's one of the fascinating insights, you know, Coveware - other negotiating firms are available, of course - but in the quarterly reports that Coveware has put out with the trends that it's seeing, it's been interesting to see it call out different strains of ransomware being more or less reliable on multiple fronts. For example, on the actually giving you a decryptor front, being one of them. Encrypting the data in a reliable manner as opposed to shredding it, being another. And then being able to decrypt the data. There seems to be a huge degree of variability based on the various strains, and apparently the technical knowledge of the attackers or developers, in terms of whether or not your data is going to come back out of the encrypter the way that you need it to.
Fabian Wosar: Yes, you're absolutely right. So there are like a couple of general rules. If you got hit by like a very large campaign or a very large threat actor, they usually have their stuff together. So their recovery chances are actually quite, quite good.
However, there are a lot of, kind of, I would call them lone wolves, when it comes to these crimes, like single threat actors, like one or two people teams, where the risk of them just taking your money and running is quite high. They usually use ransomware that you can just readily purchase off of darknet markets, for example. Phobos is a good example, Zeppelin, those threat actors, since they are only usually one or two people, they can be very volatile and unpredictable.
Mathew Schwartz: And they can disappear without warning. If they get a $10 million payday, there's no incentive for them to stick around, I suppose?
Fabian Wosar: A common technique is also for these threat actors to just ask for a very small ransom. And then once you pay that ransom, they will ask for more and more and more. So that's like a potential threat. Now, there is ransomware out there that will just kind of damage files during the encryption process, as you mentioned. We actually reported about quite a few of those, for example, Ryuk was one of them, which damages about like 5% to 10% of the data that it encrypts, and there's like no recourse for recovering it. It's just gone, right?
Now, the other thing that is true as well, there are ransomware families out there that will encrypt the data correctly, but the decryptor kind of messes up. And those are actually quite common. And those are also the cases where my team and the company I work for, Emsisoft, are kind of stepping in, since we have been releasing free decryption tools for the past 10 years. We have like a vast knowledge about what are the things to look out for and how to write decryptors properly. So it's one of the services we do offer to ransomware victims, if they do run into this situation where the decryption tool isn't working, that we can provide them with one of our tools for a flat fee. So they can recover the data using our tools.
One of the services we offer to any ransomware victim, and we offer it completely for free, is to take a look at the ransomware that they got hit by and give them advice on what their recovery options are, essentially. So if you don't have an insurance provider, or even if you just want a second opinion to what your incident response team or your insurance provider told you, you can simply reach out to us. We have a form on our website, you can just fill it out, and we will get in touch with you usually within 24 hours.
Mathew Schwartz: Fantastic. All right. Thank you for sharing information about that resource.
Fabian Wosar: Yeah, since it's usually a starting point for us getting engaged further. But it's definitely helpful. And honestly, I have seen quite a couple of cases where ransoms were paid, even though it wasn't necessary, and that always pains me greatly. Since, as I mentioned before, I dedicated the past 10 years of my life, essentially to kind of ruin the entire ransomware business models for threat actors. And then companies paying even if it's just like 100,000 U.S. dollars. It just pains me.
Mathew Schwartz: Obviously there's other things that organizations can try, like the No More Ransom portal, for example, with free decryptors. But you won't always have access to free decryptors.
Fabian Wosar: Yeah, essentially, free decryptors have become a very kind of difficult topic. Because a couple of years ago, let's say like two, three years ago, most of these ransomware groups, they were very low-tech. They were very, kind of, low skill, when it comes to things like reverse-engineering capabilities. It was mostly people in their bedrooms or in their basements, right, who blasted out ransomware to as many people as possible asking for like $100. So nowadays, however, whenever you release a free decryptor for a ransomware family, you kind of have to assume that by releasing this tool for free, the threat actors will know within - usually within - less than a day what the actual vulnerability in their code is that you're exploiting in order to decrypt the files for free.
And this has happened, like, countless times.
For example, Bitdefender released a free decryptor for a ransomware family called DarkSide. And it took the DarkSide threat actors pretty much a couple of hours to figure out what the actual flaw was; they closed the flaw, and now once again, nobody can decrypt their files for free.
So it's kind of a balancing act between making these decryptors public and helping as many victims as possible, but also preventing the tool from getting into the hands of the threat actors so they can take it apart and figure out what their mistake is.
Well our approach is, we kind of have contacts to all the major places where victims usually show up. Places like BleepingComputer, for example. Places like ID Ransomware, which is kind of similar to No More Ransom, where we are also a contributor partner.
So we have access to all these places. And whenever I see victims show up for certain ransomware families where we can help without the victim having to pay anything, then we have the capability, essentially, to reach out to those victims in private and help them privately.
Now, the downside of that is that we don't get a lot of media attention. But that is kind of the point, right? We want to fly under the radar to not alert the threat actors, so they can actually improve their ransomware contraptions.
Mathew Schwartz: So basically, I guess a moral of the story, if you're a ransomware victim, is contact incident responders or as you said, if you have cyber insurance, that is the starting point. And they work with -
Fabian Wosar: Yes.
Mathew Schwartz: - pre-approved incident responders.
Fabian Wosar: Correct.
Mathew Schwartz: Also to ask around to see if there are any known solutions. And I guess an age-old piece of advice with ransomware was: if you can get by, without having to pay for a decryptor, it's possible that a decryptor will come out in the future, even if one is not currently available. So if that situation should happen to be the case for a victim, they might get out of jail in the future for free, I suppose?
Fabian Wosar: Yeah, there have been several cases where once the ransomware - while the entire ransomware campaign kind of closes down, essentially, once the developers made enough money, so they are shutting down the entire project, that they are releasing all the keys for all the victims. That has happened in the past.
But you also have the cases where law enforcement agencies, for example, kind of managed to track down these groups, managed to arrest certain people who had access to the keys, and then the law enforcement agencies have access to the keys and can give you your data back. Both have happened.
Mathew Schwartz: So lots of options, or I guess avenues, the victims should explore, hopefully in advance of becoming a victim, so they know what to do and have the right defenses in place. But then if they do become a victim, there are multiple potential ways that they could get helped from the likes of Emsisoft and others. So, Fabian, thank you so much for your time and insights into ransomware and responding to ransomware today.
Fabian Wosar: Yeah, sure, you're very welcome.
Mathew Schwartz: I have been speaking with Fabian Wosar, the CTO of Emsisoft. I'm Mathew Schwartz with Information Security Media Group. Thank you for joining us.