05 May Dealing with ransomware: should you pay?
Cyber attack KNVB Campus
Earlier this year, the KNVB servers at the KNVB Campus in Zeist fell victim to a cyber attack for the very first time. In the process, personal data of KNVB employees fell into the hands of hackers. The KNVB has not yet disclosed the exact data involved. However, the staff was able to continue working as usual because the internal systems were still working.
Immediately after this cyber attack, the KNVB contacted Fox-IT to get the IT environment back on track. This company is conducting an investigation into the cause of the cyber attack. The story goes that the perpetrators got access to the systems via a phishing email and may have demanded a ransom. The KNVB itself has not yet denied or debunked this.
A collective of cybercriminals
The cyber attack was claimed by the LockBit group. Earlier this year, Britain’s Royal Mail also became a victim of one of their attacks. LockBit is known for penetrating computer systems to encrypt information. Next, these hackers demand absurd amounts of money to unlock the same captured data again and promise not to publish it. This form of extortion is called ransomware.
How does a ransom attack work?
Ransomware is a form of malware. If a ransomware attack is successful, data files on a device are encrypted with the goal of later unlocking them in exchange for a ransom. Ransomware may also block or take over the IT system by encrypting system files. Usually, someone triggers such an attack by clicking on a wrong link in a phishing email.
A company is given a deadline to pay the ransom. If a company does not pay and the deadline expires, the hacker threatens to publish the stolen data online. Such a period is sometimes three or four days, but can also span a week or more.
What we often see is hackers publishing a timer on their extortion website or blog. In the case of the KNVB, the organization disappeared from such a website again before the date was reached. One could therefore argue that the KNVB paid the ransom, but without a statement this cannot be confirmed.
Should you pay the ransom?
Can a ransomware attack be eliminated by simply not paying up? Unfortunately, no. Many companies fear that the data published after a ransomware attack will cause reputational and financial damage. As a result, it is understandable for companies to pay the ransom, especially if the hacker forwards photos or screenshots of what data was stolen. However, you never know for sure whether the hackers will honor their agreements or resell the stolen data anyway. That’s why it’s important to know that paying the ransom does not guarantee a flawless outcome.
Defenses against a ransomware attack
Restoring a backup is one solution to regaining access to files. It’s important to think about how quickly a backup can be restored as well as what specific data is most important to keep.
If restoring a backup is not possible, you can check whether a ‘decryptor’ exists. A decryptor is nothing more than an existing key for known forms of ransomware. It may allow you to regain access to the data without paying the ransom. You can find these decryptors on the No More Ransom project’s website.
Arming employees against a ransomware attack
You can’t prevent a ransomware attack, but you can make it as difficult as possible for hackers to get in by following the best practices below:
- Make sure to run daily backups.
- Work with proper encryption on (sensitive) data.
- Teach employees to recognize and report high-risk situations (e.g., phishing and other forms of social engineering).
- Make sure new patches and (security) updates for systems and programs are implemented as soon as possible.
- Don’t just click on links or open files you don’t trust.
- Use only applications approved by your organization. If you are not sure about this or notice something suspicious, report it to the IT department.
Malware such as ransomware will remain because the revenue model of hackers is built with the rationale that an organization will give in – and pay. That’s why paying attention to cybersecurity is critical.
A ransomware attack cannot always be prevented, which is why you need to make sure employees are made aware of its impact and train them in such a way that they help the organization respond to an attack as quickly and appropriately as possible. The faster you respond, the more limited the amount of damage. Employees make your information security approach more effective, and they may even make the difference.
Listen to our podcast about Vink Kunststoffen BV with CISO Tim Janssen, in which we discuss how this organization was hit by a ransomware attack.