When is it Time to Pay the Piper?
Responding to Ransomware Attacks: Key Issues and Risks
Ransomware[1] is again in vogue as a “global systemic threat”,[2] and to borrow the sobering words of the Cyber Security Agency of Singapore (CSA), “the ransomware menace continues”.[3]
[1] Adopting the working definition used by the CSA, ransomware generally refers to malware designed to encrypt files on an organisation’s system, such that threat actors are in a position to demand ransom from the victim in exchange for decryption of the affected files: https://www.csa.gov.sg/singcert/Advisories/ad-2020-006
[2] https://www.businesstimes.com.sg/garage/firms-caught-in-ransomware-should-resist-paying-up-csa
[3] https://www.csa.gov.sg/singcert/Advisories/ad-2021-006
According to CSA’s latest update on global and local ransomware trends, the number of organisations impacted by ransomware “has more than doubled in the first half of 2021” from 2020, “with this trend showing no sign of abatement”.[4] Making international headlines recently was the DarkSide ransomware attack on Colonial Pipeline in the United States (US) on 7 May 2021, which disrupted operations for almost a week and culminated in the company’s payment of more than SGD 3 million.[5] It was reported that the company was motivated to pay the ransom to “prevent nearly 100GB of stolen data from being leaked and restore business operations as soon as possible”, in light of “significant threats” to the US civilian power grid at large.[6]
[4] https://www.csa.gov.sg/en/singcert/Publications/the-ransomware-menace-continues
[5] https://www.csa.gov.sg/singcert/Publications/the-ransomware-menace-continues
[6] https://www.csa.gov.sg/singcert/Publications/the-ransomware-menace-continues; see also https://www.straitstimes.com/world/united-states/colonial-pipeline-sued-for-gas-crisis-from-ransomware-attack
Against the surge of reported ransomware incidents both locally and internationally, the Law Society of Singapore’s Cybersecurity & Data Protection committee held a webinar on 17 August 2021 titled “Responding to a Ransomware Attack: Legal Issues and Risks”. The webinar was attended by both practising lawyers and corporate counsel.
The first part of the webinar was led by Benjamin Gaw (Director, Drew & Napier LLC), who highlighted key issues arising from ransomware payments. Benjamin emphasised that the Singapore authorities generally do not recommend that victims of ransomware pay the threat actors. In particular, payment may not guarantee that the perpetrators would provide decryption, and may even increase the likelihood of more ransomware attacks. Benjamin also highlighted that, while there are no specific prohibitions against the payment of ransom in Singapore, obligations and/or offences under various sanctions and terrorism financing laws (such as the Terrorism (Suppression of Financing) Act, and the United Nations Act) and anti-money laundering (AML)-related laws (such as under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act) may be relevant to consider. Ethical issues may also arise in the decision matrix as to whether ransomware payments should be made in any particular case.
The second part of the webinar saw Jansen Aw (Partner, Donaldson & Burkinshaw LLP) outlining the key considerations as to liability for victims of ransomware attacks. Regarding potential regulatory actions, Jansen highlighted various requirements under the Personal Data Protection Act 2012, the Cybersecurity Act, and Monetary Authority of Singapore (MAS) Notices that corporate victims operating in regulated spaces should be aware of. He also highlighted that offences under the Computer Misuse Act may be disclosed in connection with a ransomware incident. Against the backdrop of Singapore’s cyber insurance landscape, Jansen also discussed the advantages and limits of obtaining cyber insurance against ransomware incidents. He cautioned that, whilst cyber insurance may be useful, insurance should not replace appropriate data protection, and that it would generally be better for organisations to implement preventive measures early than to pursue remedial actions later on.
The webinar concluded with a panel discussion moderated by Jeremy Lua (Associate, Norton Rose Fulbright (Asia) LLP), featuring panellists including speakers from the earlier segments, as well as Christopher Ong (Senior Director, Attorney-General’s Chambers), Glenn Seah (Head, Legal & Compliance, Singapore Exchange Limited), and Veronica Tan (Director, CSA). Drawing from their respective experience, the panellists explored a vast array of issues, including general trends in ransomware attacks, the practical steps that organisations may wish to consider in mitigating risks of ransomware attacks, and whether external counsel should be engaged in the course of crisis management. There was broad consensus amongst the panellists that ransomware payment should be discouraged generally, although it was also acknowledged that difficult cases may arise; ultimately, each organisation must weigh for itself the risks involved should it decide to proceed with payment.
It was also observed that there has been a particular surge in ransomware attacks in the healthcare industry, even as the global COVID-19 pandemic develops. Threat actors also appear to be professionalising, for example in providing and/or using “ransomware-as-a-service”. As the tactics employed by threat actors evolve, it was generally agreed amongst the panellists that intelligence sharing would be important and helpful, especially in light of various reporting obligations that organisations may be subject to.
In such a climate of heightened alert for ransomware attacks, organisations may be wondering if it will ever be time to pay the piper in a ransomware scenario. The issue of whether to pay ransoms may not always be straightforward.
In Singapore, as highlighted during the webinar, our regulators have, to date, strongly advised against ransom payments, and for good reasons: ransomware payments only exacerbate the problem by encouraging threat actors to strike again. CSA, for example, has long taken the stance that it “does not recommend”[7] paying ransoms – as, from a policy perspective, doing so emboldens threat actors to “continue their criminal activities and target victims”; and in practice, paying the ransom “does not guarantee that the data will be decrypted or that your data will not be published by threat actors”.[8] In fact, organisations who pay the ransom may even be seen as soft targets, inviting repeated attacks in future.[9] There is no guarantee that hackers will keep their word.
[7] https://www.csa.gov.sg/singcert/Advisories/ad-2020-006; https://www.straitstimes.com/tech/tech-news/it-doesnt-pay-to-pay-ransom-to-hackers-study-0
[8] https://www.csa.gov.sg/singcert/Advisories/ad-2020-006
[9] https://www.csa.gov.sg/singcert/Advisories/ad-2020-006
These are not theoretical risks. Data from a recent study by Cybereason demonstrates the actual futility of ransom payments, reporting that “one quarter of companies in Singapore said they had been targeted for a second ransomware attack by the same people after payment for the first attack was made”, and some “three in 10 firms [in Singapore] who paid the attackers said the released data had been corrupted”. Globally, almost “one in two companies hit by ransomware … which paid up reported the same”.[10]
[10] https://www.straitstimes.com/tech/tech-news/it-doesnt-pay-to-pay-ransom-to-hackers-study-0
Quite apart from commercial reasons, as discussed during the webinar, there are also important legal risks to consider when making ransomware payments, and organisations should consult their legal advisors before making payments reflexively. For example, organisations which make ransomware payments risk falling afoul of criminal laws relating (amongst others) to assisting in criminal conduct (and/or obtaining the benefits thereof), or to the facilitation of terrorism-related activities.[11] Organisations should also be aware that there are overarching sanctions laws which prohibit payments to sanctioned entities generally.
[11] E.g. under the Corruption, Drug Trafficking and Other Serious Crimes (Confiscation of Benefits) Act, or the Terrorism (Suppression of Financing) Act.
A holistic response against ransomware threats, harmonising both technical and legal strategy, is therefore important.
Responding to Ransomware Demands
What should you do if your organisation’s systems have been infected with ransomware? Here are some starting points you may wish to consider.
First, resist the temptation to pay the ransom as a reflexive response. As discussed above, impulsive payment may be unwise, and to borrow the words of the CSA, you “should not be pressed into injudicious decision-making as [you] try to contain cyber incidents”.[12]
[12] https://www.csa.gov.sg/singcert/Publications/the-ransomware-menace-continues
Instead, consider aligning your organisation’s preliminary technical response and recovery steps with CSA advisories and recommended incident reporting procedures – some resources are listed below in Section IV. In brief, the CSA recommends that you work with your technical teams to sequester the infected system in the first instance, to prevent further spread of the ransomware on internal networks, and then promptly scan, disinfect, back up, and restore affected systems. Organisations are also encouraged to check their systems for dependencies and linkages when assessing the scope of the threat.
It may also be worthwhile to attempt to neutralise the ransomware using trusted and readily available solutions, such as the decryptors made available by the No More Ransom! resource (accessible at https://www.nomoreransom.org/), an initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky and McAfee. According to the project’s website, this initiative aims precisely to assist victims of ransomware in retrieving encrypted data “without having to pay the criminals”,[13] which serves as a valuable option in an organisation’s technical toolbox. CSA is also reported to be a partner of this project.[14]
[13] https://www.nomoreransom.org/en/about-the-project.html
[14] https://www.businesstimes.com.sg/garage/firms-caught-in-ransomware-should-resist-paying-up-csa
Second, in addition to technical remediation, consider consulting your legal advisors and insurers to determine a holistic response strategy, in light of possible legal exposures. For example, the organisation may have obligations at law to file suspicious transaction report(s) with the Commercial Affairs Department in respect of ransomware payments, and/or obligations under the Personal Data Protection Act to notify the Personal Data Protection Commission in respect of personal data breaches, where certain thresholds are reached. Regulated entities may also need to review their obligations under sectoral licensing regimes, for example under the Banking Act (for banks), notification to the Monetary Authority of Singapore (for financial institutions generally), or the Cybersecurity Act (for critical information infrastructure owners), as applicable.
You may also wish to work with your legal advisors to review knock-on effects on your organisation’s arrangements with third parties, such as whether the ransomware incident may have triggered contractual obligations (e.g. to notify the counterparty) or may give rise to arguments about breach of contract (e.g. as to the duty of care to protect systems, confidentiality of data, etc.).
Third, in consultation with your technical and legal/regulatory teams, you may decide to lodge a police report and keep local law enforcement apprised. Ransomware attacks are likely to disclose criminal offences, such as under the Computer Misuse Act, and if you are the victim of a cybercrime you may reach out to the Police at https://eservices.police.gov.sg/ to move forward with a possible investigation. On the technical front, to assist organisations with describing cybersecurity incidents, CSA’s Singapore Computer Emergency Response Team (SingCERT) provides the Cyber Aid[15] tool and offers to advise organisations on resolving identified issues. The SingCERT Cyber Incident Reporting Form is accessible via https://www.csa.gov.sg/singcert/reporting. As noted during the panel discussion, if the ransom has already been paid, early reporting to the authorities may also assist with timely tracing and could increase the chances of payment recovery.
[15] https://www.csa.gov.sg/singcert/reporting
Finally, as part of taking steps towards recovery, you may wish to conduct a post-incident review to consolidate your learnings, and assess whether further measures are needed to strengthen your organisation’s response to ransomware attacks in the future. As threat actors evolve, every organisation should be motivated to continually improve its cybersecurity posture as part of robust accountability to stakeholders.
The reality of ransomware attacks is that in practice it is often untrue that he who pays the piper calls the tune, and the paying organisation may instead find itself rapidly losing control of the outcome despite acceding to the demands of the threat actors. Past experience teaches us that a robust technical and legal response is more effective than paying away the problem.
Extensive literature has been made available by the CSA and the Law Society in respect of incident response and preventive measures, including recommendations regarding good cyber hygiene, the backing up of critical data, the identification and protection of business-critical assets, and the preparation of business continuity plans:
- CSA, Incident Response Checklist (23 April 2021) based on the framework developed by the U.S. National Institute of Standards and Technology, accessible at: https://www.csa.gov.sg/gosafeonline/resources/incident-response-checklist;
- CSA, Ransomware: A Growing Cybersecurity Threat to Businesses (17 June 2021), accessible at: https://www.csa.gov.sg/singcert/Advisories/ad-2021-006;
- CSA, Protect Your Systems and Data From Ransomware Attacks (28 December 2020 and 18 May 2021), accessible at https://www.csa.gov.sg/singcert/Advisories/ad-2020-006; and
- The Law Society of Singapore, Guide to Cybersecurity Practices for Law Practices (30 March 2020), accessible at https://www.lawsociety.org.sg/wp-content/uploads/2020/03/Guide-to-Cybersecurity.pdf.
In the final analysis, the respected cliché in the cybersecurity world is that prevention is better than cure, and the approach applies likewise to ransomware. Having a robust and well-rehearsed incident response plan can significantly reduce the stress and errors of floundering only when ransomware hits,[16] and the importance of pre-emptive measures should not be underestimated.
[16] https://www.csa.gov.sg/singcert/Advisories/ad-2021-006