Dear Ramey: We Paid the Ransom. Has Our Data Been Deleted? 

4/6/2021

Answering burning questions from victims of cyber events

DEAR RAMEY: 

I’m a bit embarrassed to say this, but we were hacked. They stole our data, posted a blog about it, and said they’d only remove the post if we paid a ransom. It was a very a disheartening situation. We either risked continued public embarrassment or paid these extortionists a large fee to remove the post. My question is, what guarantee do we have that they deleted our data after we paid them? – CHERRY-CHEEKED CHIEF LEGAL OFFICER 

DEAR CHERRY-CHEEKED CHIEF LEGAL OFFICER: 

Disheartening is a good word for these types of events. It’s a terrible position to be in and not something anyone should ever have to experience — with the worst part often being the utter lack of control around guarantees. So, yes, you can hopefully recover your IT operations. Yes, you can learn from the event and move forward. However, and this is a big however, there really are no guarantees that the extortionists will delete your data if you pay the ransom.  

Though the cyber underground is filled with different personalities, most are mainly motivated by the same things: publicity (bragging rights) or money. They learned a while ago that reputation matters and if they are known to honor their word and provide functioning decryptors, the consequent word-of-mouth marketing helps “encourage” other victims to pay.  

On February 27, 2020, BleepingComputer.com reported the FBI saying that $140+ Million has been paid to ransomware groups. Per the FBI and based on analysis of several cryptocurrency wallets involved in payments, this amount was paid over a six-year period. The number, however, has limited visibility into victims who chose to pay but may not have reported into the FBI.  

Based on analysis from Arete IR superheroes, payments to ransomware groups topped $100 million in 2020 alone. What’s more, on November 4, 2020, Coveware identified a 31 percent increase in average payments from Q2 to Q3 of 2020. Clearly, the numbers speak for themselves. Ransomware groups are running as businesses — illegal ones, of course, but businesses, nonetheless.  

Understanding that ransomware activity is at an all-time high and payments for decryptors and the removal of public blogs has also increased, one can infer that these groups uphold their end of the bargain. While traditional guarantees like contractual obligations, arbitration, or lawsuits are not available, the digital agreement to “remove our name from your blog, delete our data, and provide a decryption key for 30 percent of your demand” seems to be enough for organizations to pay and the threat actors to delete your data and provide access to a decryptor that will start the long road to recovery.  

But to repeat what I said at the beginning: There are still no guarantees. Whether you have or have not been a victim of data exfiltration and ransomware attacks, there are steps your organization can take to detect and prevent an attack: 

1. Deploy an Endpoint Detection and Response (EDR) tool throughout the enterprise to all servers, laptops, and desktops. EDR tools can detect early signs of an attack and prevent the attackers from performing continued reconnaissance within the environment. 
2. Engage a Managed Detection and Response (MDR) team to offset the security team and monitor the environment via the EDR tool. The MDR team will act as “eyes on glass” to instantly respond and triage alerts, escalating the most critical to the security team for remediation. 
3. Perform a security assessment against an industry-leading cybersecurity framework. The assessment will identify weaknesses in security controls and provide a roadmap for improving security overall. The security assessment should also include a penetration test to have an ethical hacker attempt to gain access to the network and report on findings. Extra points if you do this and don’t tell your MDR service to see if they can detect the ethical hacker!! 

Arete IR Director Stephen Ramey is here to answer burning questions from victims of cyber events. If you have a question, please don’t hesitate to reach out at [email protected]. Arete wants to help by sharing our insight and experience.