Ransomware Resilience – NCSC Shares Guidance for Organizations Considering Payment in Ransomware Incidents

Created: Tuesday, May 14, 2024 - 14:49
Categories:
Cybersecurity, Security Preparedness

Analyst Comment (Jennifer Lyn Walker): The decision to pay or not to pay a ransomware extortion demand isn’t always as straightforward as we’d like. The NCSC puts forth some poignant considerations. Members are strongly encouraged to incorporate these considerations into ransomware response plans and discuss them with leadership BEFORE you experience a ransomware incident.

The UK’s National Cyber Security Centre (NCSC) has published ransomware payment advice for organizations that are experiencing a ransomware attack and for the partner organizations supporting them. It aims to minimize the overall impact of a ransomware incident and to help reduce:

  • Disruption and cost to businesses.
  • The number of ransoms paid by ransomware victims.
  • The size of ransoms where victims choose to pay.

The NCSC recommends victim organizations review the guidance before paying a ransom to a criminal group.

Things to consider:

  • Don't panic. In the immediate aftermath, a ransomware attack can feel overwhelming. Ransomware actors know the tactics to use to pressure organizations into making quick decisions. But slowing down to review the options will improve decision-making and lead to a better outcome.
  • Review alternatives, including not paying. Decisions about payment should be informed by a comprehensive understanding – as much as is possible – of the impact of the incident. Cyber criminals will try to convince you that payment is the only way to recover. It can take time to check your options. You might have viable backups, or there may be unexpected ways to help recover systems and data, partially or fully. You may even be able to access decryption keys through third parties, such as law enforcement, who make them freely available.
  • Assess the impact. Decisions about payment should be informed by an understanding of the impact on your business in areas such as business operations, data, and finances.
  • Consider the correct legal and regulatory practice around payment. There are legal and regulatory factors to weigh before paying a ransom. You should also take into account the local laws and regulations applicable in every jurisdiction in which you operate – for example, if you are a parent company operating in the U.S. with subsidiaries elsewhere, and both are impacted by the attack.
  • Be aware that payment does not guarantee access to your devices or data. Even where a decryption key is acquired, it’s unlikely to result in an immediate return to business as usual, particularly for large organizations. Running a decryption key across complex networks can take time. If a victim organization has access to both backups and a decryptor, it may prove quicker to use backups. 
  • Investigate the root cause of the incident to avoid a repeat attack. Making a payment without clarifying the original source for the compromise, and then taking appropriate mitigation actions, leaves your organization open to further incidents. Some ransomware attackers may offer to disclose how you were compromised, but don’t take this at face value and instead seek to independently validate how it happened.

For the full guidance and more detail on each consideration, see the NCSC publication.