This is an op-ed from Anne Neuberger, deputy assistant to the president and deputy national security adviser for cyber and emerging technologies.
At the end of October, the White House convened a global coalition, the International Counter Ransomware Initiative (CRI), which includes 48 countries, Interpol, and the European Union, to drive international policy, disruptions, and diplomacy to fight ransomware.
Together, we released the first-ever CRI policy statement declaring that member governments should not pay ransoms, while committing to assist any CRI member with incident response if its government or lifeline sectors are hit with a ransomware attack.
We rolled out global tools to strengthen cybersecurity by launching a mentorship and practical training program for new CRI members as well as innovative platforms enabling CRI member countries to rapidly share information to tackle threats.
As we’ve combed through the available data on ransomware attacks and ransom payments in the US, we believe it is important to provide updated advice to CEOs and organizational leaders working to keep their companies, hospitals, and schools safe and dry up the flow of ransoms that incentivizes the next attack.
Here is what we’ve learned:
Recovery time from a ransomware attack: Ransomware negotiators and incident response firms report that the average victim can recover in days if it has proper backups. In contrast, victims who pay a ransom and then use the attacker's decryptor spend weeks or longer recovering their data. Restoring from backups is almost always faster than paying a ransom and attempting to recover data with a decryption key provided by a cyber criminal.
Recovery costs from a ransomware attack: Ransom payments are equal to, or approaching, the cost of recovering or rebuilding internal systems from scratch.
Ransom payments primarily intended to prevent stolen data from being leaked: Paying the ransom doesn’t remove victims’ potential liability and reporting obligations to regulators, state bodies, insurers, or clients. The data is still compromised and there’s no guarantee that the data won’t be leaked, destroyed, or used by the attacker to extort the company in the future.
Insurers can help harden targets: Insurers who tie insurance policies to cybersecurity requirements incentivize organizations to put in place practices that make them harder targets.
Here is what we ask of you.
Generate and test backups: Ransomware actors extort payment through prolonged disruptions to operations. Having the capability to recover quickly from backups gives you options. Regularly test that you can actually restore from your backups, not merely that the backup jobs complete, and keep the backups separate from your organization's network, so that if the network is compromised the backups will still be available. Ensure they are versioned so the organization can go back in time if a more recent backup was corrupted in the attack.
Share information with law enforcement to prevent/help the next victim: Ransomware attacks follow similar patterns and playbooks. If you experience a ransomware attack, sharing information such as the attackers' tactics and techniques with the US government can help prevent the next attack. Go to https://www.ic3.gov/Home/ComplaintChoice.
Invest in your security and resilience: It will give you a far better return on investment than a ransom payment.
Monitor your digital doors and windows: Account management, multifactor authentication, patch management, training for employees, and reviewing logs, amongst other security controls, will make your organization stronger.
The Biden Administration is committed to continuously disrupting criminal actors, their networks, and illicit crypto infrastructure. The White House’s International Counter Ransomware Summit further unites countries around the world in the fight.
Your partnership and your leadership are critical. Together, we can make ransomware a less profitable and less viable business.