In 2020, Polish game developer CD Projekt Red (CDPR) experienced an extreme example of Murphy's Law. Shortly after releasing Cyberpunk 2077, one of the most anticipated video games of the past five years, CDPR suffered a ransomware attack, which led to assets being frozen and exfiltrated. The timing could not have been worse: the studio was dealing with critical and commercial backlash to its big release, and anonymous hackers were threatening to auction off some of its most important intellectual property – including source code for many of its biggest video game properties.
Confronted with all of this, CDPR did something unexpected. It refused to pay any ransom. Within a day of becoming aware of the breach, the developer had released a copy of the ransom note and a public message declaring its refusal to pay, daring the hackers to go ahead with their threats to sell the stolen data.
There were consequences to saying no. News of the attack caused the stock price to drop; source code for its most popular games, along with personal information of employees, began appearing in the wild; and CDPR acknowledged that future projects could be affected by the leak as well.
None of these repercussions were surprising or hard to foresee. So how could CDPR have refused the hackers so quickly and emphatically? If I were armchair breach coaching, I would suggest CDPR was able to say no because it was an organization that was sufficiently prepared to identify and assess the fallout from a ransomware attack. And CDPR isn't alone in refusing to play games with threat actors.
Following a steady rise in payments in the early era of ransomware, more and more organizations have begun to refuse ransom demands. Part of this may be attributable to increasing distrust that payment could guarantee the safe and secure restoration of operations, but it can also be linked to organizations having increasing confidence in their own ability to bounce back from a hack.
Now, not every organization can just say "no" to a ransom demand. A hospital has to consider very different factors than a dry-cleaner. But all organizations should be proactive in ensuring they are positioned to 1) act nimbly when responding to a breach, 2) mitigate damages and 3) preserve the option to walk away from the threat.
Here are six things organizations can do today to become more resilient to cyber threats:
- Maintain up-to-date IT environments and robust backup solutions. Organizations will have to balance the costs and risks when determining what works for them. At a minimum, ensuring personnel adhere to best practices when using the organization's equipment, and patching known vulnerabilities as soon as possible, can significantly reduce the risk of the organization suffering an incident at all. Compartmentalizing various aspects of the business's operations can also help limit the damage a hack may cause.
- Ensure all personnel are aware of best security practices. A chain is only as strong as its weakest link. Social engineering remains an extremely effective way for hackers to get into systems. Proactively keeping everyone with access to the organization's IT environment apprised of common red flags can help stymie a hack attempt, or at least surface suspicious behaviour so it can be traced.
- Identify the crown jewels. Know what an organization cannot afford to lose or have disclosed (such as employee information, or intellectual property and other proprietary assets), and ensure this data is stored and backed up separately. To the extent public disclosure can have a legal or commercial impact (for instance trade secrets or unpatented inventions), this should be accounted for in any incident response plan.
- Have insurance coverage, particularly policies that apply to cyber security incidents. Organizations will have to determine the level of risk they are comfortable with (and the attendant premiums), but a good policy should account for direct and consequential expenses, including the costs of forensic investigators and legal counsel. Knowing the requirements to trigger a policy is also important. Some policies require the insurer to sign off on major decisions, including the choice of legal counsel, and that can be a roadblock during a crisis if it isn't anticipated beforehand.
- Identify relevant stakeholders. Know who needs to be informed of an incident. There will often be privacy-related reporting obligations, which can vary across jurisdictions. There may also be contractual requirements with vendors or clients to keep them apprised of any breach. Having an up-to-date list of what needs to be reported, and to whom, can save critical crisis-response time for the organization.
- Have a crisis roadmap. All the steps above should be accounted for in the crisis roadmap. Have a script setting out initial response steps, including a clear decision-making structure which will allow you to move quickly in making authorizations and key decisions to respond to the incident. Many decisions will need to be made in the wake of an incident that would not be part of the business's normal operations, and the risk of paralysis can be very real.
If an incident occurs, organizations must be prepared to move quickly to corral the key information and act on it. Some questions an organization must be prepared to immediately address include:
- What happened? Has data only been encrypted, or has it been extracted? Are threat actors still actively in the IT environment and monitoring communications? Can the encrypted data be restored independently of the threat actors? Knowing what happened is essential for knowing how to use the crisis roadmap.
- Who needs to know what, and when? If data has been exfiltrated or frozen, who needs to be alerted immediately and who can be informed later? Which law enforcement or regulatory authorities need to be looped in, and when? Is there an insurance policy that requires notice to the insurer?
- Is there a ransom demand, and can/should we even pay it? It is not, strictly speaking, illegal to pay a ransom demand, but organizations must be mindful of whether the threat actors they are dealing with are on any sanctions lists, which could criminalize payments. Even if a group is not on a sanctions list, the trustworthiness of threat actors can vary significantly – some have reputations for keeping their word, while others are less predictable.
- What is the business and legal risk? What is the business loss if the data remains encrypted or is exposed? What legal jeopardy will the organization be in if the data has been exposed? From whom?
Dealing with a ransomware attack can be a surreal experience akin to being robbed at gunpoint by a ghost. Organizations that may be used to making decisions over days or weeks must be able to act within hours. Having a crisis roadmap and the capacity to quickly scan and identify what happened can significantly enhance the ability of an organization to react to the threat, however it manifests.
CDPR knew within a day that it would (and could) refuse to pay the ransom. It could not have been an easy decision to make; it required balancing the risks and consequences of having invaluable and sensitive information stolen against the business expediency of restoring systems and recovering assets by paying the ransom.
It is important to note that organizations that suffer a breach do not need to fend for themselves. There is an entire service industry that has grown in response to the rise in cyber security incidents. Breach coaches (who are often lawyers), as well as forensic investigators and negotiators, can offer immediate advice and expertise to organizations and help orient them in a crisis. Law enforcement and regulators are also often prepared to offer assistance when asked. There are many resources, including lawyers, who can help organizations be proactive as well, including building out the roadmap, mapping out risks, and running tabletop exercises. The better prepared an organization can be in advance of a crisis, the easier it can be to know when to just say "no".