Fujifilm Reportedly Refused to Pay Ransom
Report: After Ransomware Attack, Japanese Conglomerate Restored Operations Using Backups
Japanese conglomerate Fujifilm, which earlier this month was the victim of a ransomware attack, reportedly refused to pay a ransom.
The company restored operations using backups, with its computer systems in the U.S., Europe, the Middle East and Africa now fully operational and back to business as usual, news site Verdict reports, citing a Fujifilm spokesperson.
Details such as the ransomware strain, delivery vectors, extent of the damage, and the ransom amount demanded by the cyber gang - suspected to be REvil - have not been revealed.
The company did not respond to Information Security Media Group’s request for comment.
Chloe Messdaghi, an independent cybersecurity disruption consultant and researcher, says Fujifilm apparently “took the first responsible steps of recognizing the situation and systematically shutting all systems down to examine the attack … There may have been some hiccups and bumps, but because they had done the solid work of ensuring their data backups and restoration processes were current, they were able to decline paying extortion and their disruption to business was minimal.”
Surge in Ransomware Attacks
Cybersecurity, risk and intelligence consultancy S-RM estimates that ransomware attacks accounted for 46% of all cyberattacks between Jan. 1, 2021, and March 31, 2021.
Among major recent attacks in the U.S. were those targeting Colonial Pipeline, meat processing firm JBS and the D.C. Metro Police Department.
Blackfog, an IT management services company, reports that the number of ransomware attacks each month this year has been higher than in the corresponding period in 2020.
The White House has urged businesses to improve their cyber defenses. President Joe Biden launched a ransomware task force to coordinate federal investigations.
To Pay or Not to Pay
Other organizations that have recently been hit by ransomware attacks but refused to pay ransoms include CD Projekt Red; Ireland’s state health services provider, Health Service Executive; Canon and Bose.
Among the ransomware victims that have opted to pay their attackers is Colonial Pipeline Co., which paid DarkSide a $4.3 million ransom in May and received a faulty decryptor. The U.S. Department of Justice was subsequently able to recover $2.3 million worth of bitcoins paid.
The U.S. subsidiary of the world's largest meat processor, Brazil-based JBS, recently paid an $11 million ransom to REvil attackers for the promise of a decryption tool and a "guarantee" that REvil would not leak stolen data.
The FBI, Britain's National Crime Agency and other law enforcement agencies have stressed that paying ransoms should be avoided. The FBI notes: “Paying a ransom doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.”
In the U.S., it's illegal to make payments - even indirectly - to individuals on the Specially Designated Nationals and Blocked Persons List or countries covered by economic embargoes, such as Iran and North Korea. Ben Carr, vice president of the Information Technology-Information Sharing and Analysis Center, notes the Office of Foreign Assets Control rules prohibit ransom payments to these individuals and countries.
Risk Management
Jamie Smith, head of cybersecurity at the consultancy S-RM, says weighing whether to pay a ransom should be a risk-based process.
“The reality is that when it comes to ransomware, the vast majority of criminals stick to their word and decrypt data once paid," he says. "This is certainly not like waving a magic wand; it can still take months to fully restore affected systems. But it does usually mean that businesses can return to operations sooner. It also reduces the risk that sensitive information will be leaked online."
He adds, however, that when organizations pay a ransom, "it also makes ransomware a profitable business model - so attacks are likely to continue increasing."
So far this year, the average ransomware recovery cost - including ransom, downtime and other expenses - has totaled about $1.8 million, compared to $761,000 a year ago, according to the Sophos State of Ransomware 2021 report.
Best Practices
Charlie Miller, senior adviser at Shared Assessments, a risk management research organization, says vital components of a ransomware risk management program include updating incident response plans, establishing a data vault to allow recovery of malware-free data, offering cyberattack simulation programs for company executives to help with risk assessment and response, and buying cyber insurance.
Companies should also “identify a cyber forensics expert and ransom negotiator to have a go-to in the event of an attack," Miller says. "It is also a great idea to have an ethical hacker on staff as they often possess deeper levels of understanding as to how threat actors work and think and may provide useful guidance and next steps.”