
So, your company gets hit with a ransomware demand. What next? Law enforcement agencies, like the Federal Bureau of Investigation, typically caution against making ransom payments. But the ultimate decision isn't always easy to make, especially with costly downtime and sensitive data hanging in the balance.
Ideally, a company will have a well-rehearsed incident response plan in place. But when incident response goes from a tabletop exercise to reality, the stakeholders involved will still have to make the tough call.
1. The first things to do when hit by ransomware
As soon as a ransomware demand is made, the company's cybersecurity team needs to jump into action. The first step is to inform everyone, inside and outside the company, who will be involved in responding to the incident. "The IT/security team should never be operating in a vacuum when these events occur," warns Heather Clauson Haughian, a co-founding partner of law firm Culhane Meadows. Each company's team, structure, and incident response plan will vary.
Typically, internal stakeholders include the CISO, the rest of the leadership team, general counsel, the leads of the impacted business groups, and communications. Depending on the company and the severity of the incident, a ransomware demand may also merit board-level involvement. Outside the company, external IT and cybersecurity vendors, external counsel, and the cyber insurance carrier need a seat at the table. Leadership will also likely need to inform law enforcement.
"Your legal counsel and your cyber insurance carrier will help you determine who else should be notified, depending on whether the ransomware incident has compromised any systems that could have led to unauthorized access to data," says Clauson Haughian. In addition to getting all the key players involved, the cybersecurity team needs to determine the extent of the incident. "Confirm that the infected computers/devices have been isolated or completely severed from the company's network, because ransomware typically scans the affected network and attempts to propagate laterally to other systems," says Clauson Haughian. Remember: do not panic. Prompt action is important, but some teams make the mistake of acting without considering the consequences.
"We have found some organizations will start wiping drives and reloading operating systems, and that can prevent them from learning what the hackers have done and whether they still have access to your systems, and it can hamper data restoration and recovery from the incident," shares Bala Larson, head of client experience at insurer Beazley.
2. Deciding to pay the ransom demand
The question of whether to pay is not always easily answered. Both decisions come with consequences. InformationWeek's Cyber Risk and Resiliency Report: How CIOs Are Dueling Disaster in 2023 surveyed 180 IT and cybersecurity professionals. Of those respondents, 10% reported paying a ransom to recover files encrypted in a ransomware attack. The report found that 33% of respondents believe paying was the right decision, while 39% believe time will tell. Those who think it was the wrong decision to pay: 2%. At a high level, the argument against paying begins with the message it sends. Ransomware is lucrative. Making the demanded payment incentivizes cybercriminals to continue pursuing extortion campaigns. At the individual company level, the decision to pay comes with the risk that the ransomware gang won't live up to its word. They may take the payment and never send a viable decryption key. And they may still go forward with publishing the stolen data.
A 2023 report on ransomware trends from software company Veeam found that 19% of organizations that paid a ransom could not recover their data. "The potential for the total loss of the ransom payment coupled with the remaining cost of data and system restoration should also be included in the risk calculus of considering making any payments," says Lavonne Burke, vice president of security, resiliency, and IT legal at Dell Technologies.
If paying would cause less damage than refusing, a company may conclude that payment is the best option. "If everything is locked and/or encrypted, especially for an organization that intimately depends on its data for operational success, like a hospital or educational institution, bouncing back from downtime could be near impossible," says Shelley Ma, incident response lead at cyber insurance company Coalition.
The Colonial Pipeline incident in 2021 is one of the most well-known examples of a ransomware victim opting to pay. The company paid a $4.4 million ransom to restore its fuel pipeline operations. (The US Department of Justice did recover approximately $2.3 million of the amount paid to DarkSide, the group responsible for the attack.) If the company's team determines that paying is the right choice, it is important to understand the regulatory ramifications. Paying a ransom is not in itself illegal, but it becomes a sanctions violation if the payment goes to a threat actor on the Office of Foreign Assets Control (OFAC) sanctions list, and OFAC's ransomware advisory treats such violations as strict liability, so not knowing who was behind the wallet is no defense. "Prior to making a payment, a company should consult with outside forensics, ransom negotiation and legal counsel, as well as with applicable law enforcement, to best ensure they are not making a payment to a known sanctioned entity," says Burke. The company's cyber insurance carrier will be a critical player in the decision-making process. Depending on the company's coverage, the carrier may be the one paying the ransom demand.
Ma explains that insurers can pay the ransom on behalf of clients. "Some other insurance policies will reimburse clients after they've paid, causing a more immediate financial burden on the policyholder at the onset of the incident," she adds.
Burke points out that the ransom can also be accompanied by the cost of the negotiation process and increased cyber insurance premiums. According to Larson, working with a ransom negotiator may give leadership teams additional time to answer the questions that will help them decide on the best course of action.
3. Deciding not to pay the ransom demand
What happens if a company opts not to pay? This decision may be made when the company has adequate offline backups to restore its systems. "Having robust backups that live in the cloud and are completely offline is critical to a successful recovery and reducing downtime as much as possible," says Ma. Companies may also be able to decrypt the ransomed data using free and publicly available tools; such decryptors exist only for ransomware families whose cryptography was flawed or whose keys have since been released, so identifying the variant is a prerequisite.
"Victims are also increasingly choosing not to pay in situations where the primary risk of non-payment is the publication of data, as payment does not negate breach notification obligations or potential regulatory penalties resulting from an underlying data theft," adds Burke.
While choosing not to pay means a company won't have to shoulder the cost of the ransom or run the risk of an OFAC sanctions violation, there are still consequences. Even if a company can recover the encrypted data, it could be a cumbersome, time-consuming process that impacts business operations, according to Burke. Plus, ransomware gangs are likely to make good on their threats of deleting and/or publishing data. Downtime and reputational damage can be costly.
Refusal of payment may lead threat actors to increase the pressure to extort the ransom, according to Burke. "These techniques can include distributed denial-of-service (DDoS) attacks on the company network, direct threats to management or other individuals in the company, slow leaks of stolen information to draw media attention, threatening to contact regulators about the attack, and/or contacting customers or other individuals whose information was stolen to apply further payment pressure," she explains. Payment and non-payment both come with regulatory considerations. Incident response teams need to understand all of their company's regulatory obligations to avoid compounding the cost of a ransomware incident with fines. "Organizations need to understand their legal and regulatory exposure before they receive a ransom demand. They need to account for every statute," says Robert Hughes, CISO at cybersecurity company RSA.
4. How the incident response team approaches recovery
Deciding whether to pay is just one leg of the arduous journey through ransomware response. Once the choice has been made, the incident response team must face the prospect of recovery. If a company pays and receives a decryption key from the ransomware gang, that key (and the decryptor it comes with) needs to be vetted by forensics to ensure it does not carry malware or any other malicious code, according to Burke. In practice that means running the decryptor on an isolated host against copies of the encrypted files first, and keeping the encrypted originals until the output has been verified. "Decryptors vary significantly in their usability and time to restore data," she says. "Engagement with experts like forensics or negotiation firms who have prior expertise with the threat actor can frequently increase the speed and success of decryption significantly." Decryption can be a lengthy process. It may take 12 to 15 hours per terabyte of data, according to Larson.
Organizations that move forward without paying will need to explore alternative means of decryption or rely on their backups. But this process needs to be completed with caution. "Care must be taken to examine backup data to ensure it does not contain malware or threat actor tools which could allow for a subsequent attack," says Burke.
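As an added example (not code from the article or from any of the firms quoted in it), the following Python script shows one way to make the backup check Burke describes concrete. It assumes that a manifest of SHA-256 file digests was written at backup time and authenticated with an HMAC key held off the backed-up network, so an attacker who later reaches the backup store cannot silently rewrite the manifest. Before restore, the snapshot is verified against that manifest: a forged manifest is rejected outright, and any file that was modified or that did not exist at backup time is reported so it can be quarantined rather than restored. The directory layout, file contents and key are constructed for illustration.

```python
"""Verify a backup snapshot against a tamper-evident manifest before restoring it.

Added example, not part of the original article. Assumes a manifest written at
backup time and signed with an HMAC key stored off the backed-up network.
File names, contents and the key below are constructed for illustration.
"""
import hashlib
import hmac
import json
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backup objects do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def _walk_digests(root):
    """Map every file under root (relative POSIX-style path) to its digest."""
    present = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            present[rel] = sha256_file(full)
    return present


def _canonical(entries):
    # Canonical JSON so the HMAC does not depend on dict ordering.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(root, key):
    """Record the digest of every file under root and authenticate the record with HMAC-SHA256."""
    entries = _walk_digests(root)
    return {"entries": entries, "hmac": hmac.new(key, _canonical(entries), hashlib.sha256).hexdigest()}


def verify_backup(root, manifest, key):
    """Return findings: whether the manifest is authentic, and which files were modified, missing or unexpected."""
    expected = hmac.new(key, _canonical(manifest["entries"]), hashlib.sha256).hexdigest()
    findings = {"manifest_ok": hmac.compare_digest(expected, manifest["hmac"]),
                "modified": [], "missing": [], "unexpected": []}
    if not findings["manifest_ok"]:
        return findings  # an altered manifest proves nothing about the files; stop here
    present = _walk_digests(root)
    for rel, digest in manifest["entries"].items():
        if rel not in present:
            findings["missing"].append(rel)
        elif present[rel] != digest:
            findings["modified"].append(rel)
    # Files that did not exist at backup time are candidates for planted attacker tooling.
    findings["unexpected"] = sorted(set(present) - set(manifest["entries"]))
    return findings


def safe_to_restore(findings):
    """Restore only from a snapshot whose manifest is authentic and whose contents are unchanged."""
    return findings["manifest_ok"] and not (findings["modified"] or findings["unexpected"])


def forged_manifest_rejected():
    """A manifest rewritten without the key must fail before any file is trusted."""
    key = b"constructed-offline-manifest-key"
    forged = {"entries": {}, "hmac": "0" * 64}
    with tempfile.TemporaryDirectory() as root:
        return not verify_backup(root, forged, key)["manifest_ok"]


def demo():
    """Constructed scenario: a clean snapshot, then the same snapshot after an attacker touched the backup share."""
    key = b"constructed-offline-manifest-key"
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "db"))
        with open(os.path.join(root, "db", "orders.sql"), "w") as f:
            f.write("INSERT INTO orders VALUES (1, 'widget');\n")
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[app]\nmode=prod\n")
        manifest = build_manifest(root, key)
        clean = verify_backup(root, manifest, key)
        # Simulated attacker: plants a tool and edits a config file, hoping both get restored with the data.
        with open(os.path.join(root, "db", "svchost.exe"), "wb") as f:
            f.write(b"MZ" + b"\x00" * 64)
        with open(os.path.join(root, "config.ini"), "a") as f:
            f.write("startup=\\\\evil\\share\\loader.exe\n")
        tampered = verify_backup(root, manifest, key)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean snapshot restorable:", safe_to_restore(clean))
    print("tampered snapshot findings:", tampered)
```

The manifest only proves that the snapshot is what was captured at backup time. If the intruder was already inside the network when the backup ran, their tooling is in the manifest too, which is why this check complements, rather than replaces, scanning the backup contents and the root cause analysis that establishes when the intrusion began.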
Regardless of whether a company pays, understanding how the attack happened is vital to recovery. Clauson Haughian emphasizes the importance of conducting a root cause analysis to identify the ransomware variant and determine why the attack was successful. Leadership teams also need to consult their cyber insurance carrier and legal counsel to ensure they know when and how to disclose the attack. "The minute data leaves the door of an organization (i.e., it's been exfiltrated), businesses have requirements to notify their own customers, vendors, and any other affected parties, even if they are already fully back up and running," says Ma. Organizations may opt to work with a PR firm to guide the messaging on the breach, the remediation, and the efforts to prevent future incidents. "Keep in mind that following a ransomware attack, an organization will be remembered by how well it responded and recovered from the incident," says Burke.
5. Preparing for the next attack
Making it to the other side of a ransomware attack may lead to a collective sigh of relief, but it is a lesson to be remembered. "No organization is immune from 'next time,'" cautions Burke. Following a ransomware attack, spend the time to evaluate what worked in the incident response plan and what could be improved. If an organization does not have a plan in place or a sufficient data recovery program, it should develop incident response protocols and immutable backups. Hughes stresses the importance of prioritizing identity as an organization examines how to strengthen its security. The ransomware group behind the Colonial Pipeline attack leveraged a compromised password, for a VPN account that had no multi-factor authentication, to gain access. "Colonial Pipeline was a worst-case scenario, but it's not an outlier: cybercriminals target identity more than any other component of the attack surface," says Hughes.
He emphasizes the importance of multi-factor authentication and identity governance and administration capabilities in protecting organizations against these kinds of attacks. Threat actors will always look for ways to exploit vulnerabilities. Defending against these threats necessitates continuous improvement. Following a ransomware attack, this improvement is vital for building a more resilient future and for navigating regulatory scrutiny. Burke points out that regulators want to see organizations demonstrate improvements following an incident. "It's hard to avoid being thought of as a victim following an attack. However, with the right assistance, an organization can come out better prepared than before they were challenged," says Larson.
This article was reposted by 数字化转型网 (www.szhzxw.cn), sourced from 数智化转型网; editor: 数字化转型网 默然.

