Post-Ransomware Response: Victim Says 'Do the Right Thing'
Experts Laud Scottish Environment Protection Agency for Transparent Response
If your organization, despite its best cybersecurity efforts, suffered a ransomware outbreak today, would it be well prepared to "do the right thing" with its response?
The Scottish Environment Protection Agency has provided a good example, issuing clear and regular communications as it rebuilds many systems from scratch after refusing to pay a ransom.
Those communications have been issued via a dedicated site launched by SEPA after the Dec. 24, 2020, attack. The agency has also continued to issue regular updates as well as hold weekly briefings - and question-and-answer sessions - for its staff of 1,200.
From the start, Terry A'Hearn, SEPA's chief executive, has made clear that the organization would not pay the ransom being demanded by its attackers, which are part of the Conti ransomware operation.
"As Scotland's environmental regulator, SEPA plays an important role in protecting and enhancing Scotland's environment, supporting Scottish organizations to do the right thing and holding to account those who seek to do the wrong thing," A'Hearn said.
"Whilst confronted by a complex and sophisticated criminal cyberattack on Christmas Eve, we were clear that we would not use public finance to pay serious and organized criminals intent on disrupting public services and extorting public funds," he said. "Working with the Scottish government, Police Scotland and the National Cyber Security Center, and within the confines of a live criminal investigation, we've been vocal and transparent on the criminal attack, the theft and illegal publication of data, the impact on our services and progress toward our recovery."
The BBC reported earlier this week that SEPA has spent nearly 790,000 pounds ($1.1 million) responding to the attack. Conti's data leak site includes links to 4,150 stolen agency files that it dumped online after SEPA refused to pay a ransom (see: Ransomware Cleanup Costs Scottish Agency $1.1 Million).
How much were attackers demanding? A spokeswoman for SEPA tells me: "We haven't released any information about the ransom demand."
SEPA continues to restore system functionality, noting that more than 70% of its staff members are now back online. But the organization also continues to have a number of workarounds in place. Some services also have yet to be restored, such as the ability to "receive, verify or determine applications" for waste management, to approve importing or exporting waste, or to receive online reports of illegal dumping. In addition, SEPA must still work through a massive backlog of emails.
'Not a Poorly Protected Organization'
The ransomware attack against SEPA succeeded despite the organization apparently having good defenses in place. A'Hearn said the key to recovery has been rapidly responding to the incident, expedited by a close working relationship between the organization's senior management and its board.
"SEPA is not, was not, a poorly protected organization," Malcolm Graham, deputy chief constable of Police Scotland, told Scotland's Public Sector Cyber Resilience conference in February.
Graham says SEPA had in place a lot of the defensive measures that he would have expected to see. He said the incident is a reminder of attackers' ability "to overcome some fairly sophisticated and secure protection barriers that people have in place round about their organizations."
Incident Response: The Communication Imperative
All of which begs the question: Even if an organization prepares well but still gets hit, what are the best incident response practices to implement?
Another organization faced with this question was Danish shipping giant Maersk, which got hit during the outbreak of destructive NotPetya malware in May 2017. Experts lauded the company's response because it emphasized transparency with customers during the lengthy response effort. The clear communications stood in sharp contrast to how some other NotPetya victims chose to proceed.
SEPA's incident response has also earned plaudits because the agency has been clear and forthright about what happened, albeit within the confines of the incident remaining an active police investigation.
"Certainly in terms of crisis communications they've been great," says Jude McCorry, CEO of the public-private Scottish Business Resilience Center, which helps organizations recover from online attacks. "The way they've handled things with the press, with staff and partners has been very proactive, and they appear to have just gotten on with the day job as much as they can."
Many breached businesses, unfortunately, choose to do the opposite, by attempting to minimize the event and any culpability the organization might have (see: Ubiquiti's Breach Notification: The 'No Evidence' Hedge).
McCorry adds: "When the time is right to come out and speak to organizations, I think it will be very helpful to a lot of people out there to listen to a case study on how SEPA handled things, what they've learned and how they dealt with it."
Ransom Demand: Not Paid
SEPA has also been praised for refusing to pay its extortionists.
"Frankly, the moral courage of the organization refusing to pay the ransom is a huge deal and is to be commended," Ciaran Martin, an Oxford University professor of practice in the management of public organizations, said at Scotland's Public Sector Cyber Resilience conference in February.
"There is no specific answer to all cybercrime. Some of it is state-backed; some of it's not. Some of it is for money; some of it is for political advantage. So you know, it's as variable as crime and malign activity in the nondigital world," said Martin, who until August 2020 served as the U.K. government's cybersecurity chief. "But one of the reasons why ransomware has reached epidemic proportions is that it is being incentivized, and the more [responses like] Terry's [Terry A'Hearn] and SEPA we have, then the less advantageous it will be."