ransomware

Ransomware Case Studies: Why Not to Pay

Ransomware Case Studies: Why Not to Pay 

There are endless reasons why an organization should not pay up during a ransomware attack. It’s never a good idea to give in to a cyber criminal’s demands. For one thing, the global community advises that companies do not pay the ransom to hackers. Ransomware attacks are a serious crime, and the act of paying the bad actors just encourages their criminal behavior to continue. When a company does pay up, it is a gamble and not a guarantee. Hackers are under no obligation to do anything when you pay the ransom. And since payments are made anonymously via cryptocurrency transactions, they can easily just take your money and run.

Below are case studies of organizations confronted with ransomware hacks, detailing their decisions and elucidating the implications of paying criminals.

Case Study 1: Jackson County Ransomware Attack

Background:

In March 2019, Jackson County, Georgia, suffered a ransomware attack that encrypted its computer systems, disrupting government operations and compromising essential services, including emergency response systems and court proceedings. The ransomware, identified as Ryuk, demanded a ransom payment in Bitcoin for the decryption key.

Response:

Faced with the urgency of restoring critical services and the potential loss of essential data, Jackson County officials chose to negotiate with the ransomware operators and paid a ransom of approximately $400,000 in Bitcoin to obtain the decryption key. Despite the considerable expense, officials hoped that paying the ransom would expedite the recovery process and minimize the impact on government operations.

Outcome:

Paying the ransom did not yield the desired outcome for Jackson County. While the decryption key successfully restored access to encrypted files and systems, the recovery process was prolonged and costly. Moreover, the incident raised questions about the effectiveness of paying ransoms to cybercriminals and sparked criticism from cybersecurity experts and government officials.

Furthermore, the ransom payment did not prevent future cyber attacks, as Jackson County experienced subsequent ransomware incidents in the following years. The incident served as a cautionary tale about the risks and consequences of capitulating to ransomware demands, highlighting the need for robust cybersecurity measures and proactive incident response strategies to mitigate the impact of cyber threats on organizations and communities.

Case Study 2: Singapore Health Services (SingHealth)

Background:

In July 2018, SingHealth, Singapore’s largest group of healthcare institutions, suffered a ransomware attack that compromised the personal data of 1.5 million patients, including the Prime Minister. The ransomware encrypted crucial medical records, and the attackers demanded a substantial ransom for the decryption keys.

Response:

SingHealth decided not to pay the ransom. The Singapore government has a firm stance against negotiating with cybercriminals to avoid encouraging further attacks and paying the ransom did not guarantee the integrity and completeness of the restored data.

Outcome:

The attack disrupted access to electronic medical records, causing delays in patient care and administrative processes. However, manual backups allowed for continued albeit slower operations. The recovery process, including forensic investigations, system restorations, and cybersecurity enhancements, was estimated to cost around $20 million. The incident led to substantial improvements in SingHealth’s cybersecurity infrastructure and policies, enhancing its defenses against future cyber threats.

Case Study 3: Riviera Beach Ransomware Attack, USA

Background:

In May 2019, the city of Riviera Beach, Florida, fell victim to a ransomware attack that encrypted its computer systems, disrupting municipal operations and compromising critical services, including water utility management and emergency response systems. The ransomware, identified as Ryuk, demanded a ransom payment in Bitcoin for the decryption key.

Response:

Faced with the severity of the attack and the urgent need to restore essential services, Riviera Beach officials opted to negotiate with the ransomware operators and paid a ransom of approximately $600,000 in Bitcoin to obtain the decryption key. Despite the considerable expense, officials believed that paying the ransom was necessary to expedite the recovery process and mitigate the impact on municipal operations.

Outcome:

Paying the ransom did not result in a swift resolution for Riviera Beach. While the decryption key enabled the restoration of encrypted files and systems, the recovery process was protracted and costly. Moreover, the incident attracted widespread attention and criticism, raising concerns about the city’s cybersecurity preparedness and decision-making process.

The ransom payment did not deter future cyber attacks, as Riviera Beach experienced subsequent ransomware incidents in the years following the initial attack. The incident served as a stark reminder of the risks and consequences of capitulating to ransomware demands, underscoring the importance of investing in robust cybersecurity measures and proactive incident response capabilities to safeguard against cyber threats.

These case studies highlight real-world examples of when paying ransomware resulted in adverse outcomes for organizations, emphasizing the need for a comprehensive and strategic approach to cybersecurity resilience that prioritizes prevention, detection, response, and recovery.

Case Study 4: University of California, San Francisco (UCSF) Ransomware Attack, USA

Organization: University of California, San Francisco (UCSF)

Background:

In June 2020, UCSF, one of the leading medical research institutions in the United States, experienced a ransomware attack that targeted its School of Medicine’s servers. The ransomware operators, believed to be the NetWalker group, encrypted critical data related to COVID-19 research, patient records, and academic work.

Response:

Faced with the urgency of recovering vital research data and the potential loss of sensitive medical records, UCSF officials deliberated whether to negotiate with the ransomware operators and pay the demanded ransom or attempt to recover without paying. Despite the critical nature of the affected data, UCSF chose not to pay the ransom.

Instead, the university mobilized its cybersecurity response team and collaborated with law enforcement agencies, cybersecurity experts, and third-party vendors to investigate the attack, contain the breach, and restore its systems using backups and recovery procedures.

Outcome:

The decision not to pay the ransom resulted in significant challenges for UCSF. While the university managed to recover most of the encrypted data and resume its research activities, the incident caused disruptions to ongoing projects, delays in academic work, and financial losses associated with recovery efforts.

Moreover, the ransomware attack highlighted vulnerabilities in UCSF’s cybersecurity infrastructure and prompted the institution to invest in enhancing its defenses, implementing stronger security measures, and raising awareness about cyber threats among faculty, staff, and students.

While the recovery process was arduous and costly, UCSF’s decision not to pay the ransom preserved the integrity of its research data, upheld ethical principles, and sent a clear message that capitulating to ransomware demands is not an acceptable solution. Additionally, the incident underscored the importance of proactive cybersecurity measures and robust incident response capabilities in safeguarding critical data and maintaining the trust of stakeholders.

Case Study 5: Norsk Hydro (Norway)

Background:

In March 2019, Norsk Hydro, a large aluminum production company based in Norway, suffered a severe ransomware attack. The attackers deployed a strain of ransomware known as LockerGoga, which encrypted the company’s data and demanded a ransom for its release.

Response:

The company had a strict policy against paying ransoms, believing it would only perpetuate criminal activity and that there was no guarantee that paying the ransom would result in the decryption of their files.

Outcome:

The attack caused significant operational disruptions, forcing the company to switch to manual operations at some of its plants. Production at several facilities was halted, and IT systems were down for weeks and the cost of the attack was estimated to be around $45-50 million due to lost production and recovery efforts. However, the long-term impact included increased spending on cybersecurity measures and insurance. Norsk Hydro’s transparency in handling the crisis garnered public support and bolstered their reputation. The company’s response included regular updates on the situation and collaboration with cybersecurity experts.

What should organizations do during a ransomware attack instead?

Improve your security posture 

Whilst a ransomware attack is undoubtedly a stressful and unpleasant situation to be in for any organization no matter the size, there are steps you can take to help reduce the risk of an attack becoming a successful compromise.  

These steps cover technical and organizational measures you can implement to improve security hygiene; ensure good vulnerability management and secure configuration, and improve employee awareness of the threats and TTPs used by ransomware groups.  

For further advice on how to protect against ransomware attacks,  our blog on the three crucial steps to follow to defend against ransomware is a good starting point.  

Incident Response 

No matter how hard you try you cannot, however, guarantee that you will not fall victim to ransomware. For this reason, you need to implement an incident response plan and supporting procedures which cover steps to follow in the event of a successful attack. These cover everything from detection, containment, eradication and recovery.   

Having a well-rehearsed plan in place will help you identify, mitigate and recover from a ransomware attack based on decisions you have already made when not under the pressures listed at the top of the blog.  

A response plan will instill confidence not only within your organization but throughout your wider supply chain. It can help when applying for or renewing cyber security insurance as well as ensuring that you have a team of people in place to investigate a breach immediately and start the process of recovering systems.  

For more information on incident response measures, download our free Guide to Incident Response.  guidance on incident response. If you would like support with improving your incident response capability and enhancing your ransomware defenses, please see our cyber security services.

Monitoring Remote Sessions

Security monitoring is crucial for preventing ransomware attacks as it enables early detection, identification of vulnerabilities, monitoring for anomalies, data protection, and compliance with regulatory requirements. 

TSFactory’s RecordTS v7 will record Windows remote sessions reliably and securely for RDS, Citrix and VMware systems. Scalable from small offices with one server to enterprise networks with tens of thousands of desktops and servers, RecordTS integrates seamlessly with the native environment.