By Thom Fladung/Hennes Communications
In 1989, the first episode of “The Simpsons” aired. The Berlin Wall came down. And during the World Health Organization’s AIDS conference, one of the first documented ransomware attacks occurred – distributed via floppy disk.
A mailing list of 20,000 doctors and AIDS researchers received a floppy disk that was supposed to contain surveys for assessing AIDS patients. In fact, it contained malicious software (malware) that encrypted the user’s computer files. To restore them, victims were told to send the PC Cyborg Corporation a check for $189.
And now? Since 2016, more than 4,000 ransomware attacks have occurred in the United States daily, according to the U.S. government. The ransoms have jumped a bit from $189, too. U.S. insurance giant CNA Financial Corp. paid $40 million in late March to regain control of its computer network, Bloomberg News reported.
The stakes have also been raised on how and when organizations talk about the ransomware attacks they’ve undergone.
We believe the fundamental rules that we apply to all crisis communications apply to ransomware attacks: tell the truth, tell it first, tell it fast.
The most surefire way to control the narrative of your story is to tell the story yourself.
And as much as you’d like to keep the bad news to yourself, you may have no choice. If personally identifiable information was breached as part of the ransomware attack, state-specific notification laws will come into play, thrusting your story into the public.
A June 2021 piece in SC Magazine, aimed at cybersecurity professionals, laid out high-level dos and don’ts of alerting customers and others to cybersecurity incidents. “…timeliness, accuracy and transparency are key rules when communicating with your stakeholders,” were among the best practices cited.
Our work with clients on ransomware incidents, advice from cybersecurity attorneys and research also has led us to adopt other best practices for effective ransomware communications:
The value of hyper-transparency? The Norsk Hydro case study
The Norwegian hydro-power and aluminum manufacturer suffered a massive ransomware attack in 2019 that forced manual operations at many plants.
The company immediately began communicating and kept doing so, including:
That approach drew effusive praise.
“[I] Gotta say Hydro’s public facing response has been incredibly good — open, quick, transparent with customers (and public & employees), senior [execs] on camera talking about issues. Wishing them a speedy recovery,” tweeted Kevin Beaumont, a cyber-expert with an extensive social media following.
Did the aggressive communications also help shareholders?
After an initial slip in share price, the stock bounced back to end the day that the attack was announced down less than half of 1 percent. And share prices continued to hold as the attack and recovery unfolded.
Time magazine reported: “Despite the consequences — tens of millions of dollars in lost business — the company’s openness and frank nature when it came to discussing the ransomware attack was enough to protect its stock prices from any significant shock, and prevent further attacks on different companies using the same ransomware virus, as Norsk Hydro cooperated with cybersecurity officials in Norway.”
Of course, there is a cautious other side to the debate of how much to say when.
Sergio Caltagirone, from ICS cybersecurity specialist company Dragos, Inc., told Homeland Security Today that he applauded the company’s response. “Any industrial cybersecurity incident requires a company to prioritize three things: safety, operations, shareholders in that order. They seem to have prioritized correctly.”
But he added that by coming out so publicly so early — and before the details of the attack were known — the company exposed itself to “immense pressure as they’ll … be inundated with reporters, investors, regulators, partners, etc.”
Still, we’d argue in such an attack you’re already exposed to immense pressure. Don’t add to it by hiding, spinning or obfuscating.
Do you reveal paying a ransom – and how much?
A critical decision, obviously, is whether to pay the ransom. And if that answer is yes, ransomware attack victims should plan communications around anticipating the ransom amounts becoming public – whether or not they reveal it.
Colonial Pipeline paid a $4.4 million ransom
In the Colonial Pipeline ransomware attack of May 2021, the company confirmed it paid $4.4 million after “multiple sources had confirmed to The Associated Press that Colonial Pipeline had paid the criminals who committed the cyberattack a ransom of nearly $5 million in cryptocurrency…”
The cofounder of the cryptocurrency tracking firm Elliptic wrote on his blog about what Colonial Pipeline had paid before the company confirmed it.
In explaining the decision to pay the ransom, we see company leaders consistently citing great reluctance – but ultimately a decision to do right by customers and the business.
The Colonial CEO went into detail about the decision to pay in an interview with National Public Radio:
“The conversation went like this: Do you pay the ransom or not? And of course, the initial thought is: You don’t want to pay the ransom. You don’t want to encourage (hackers), you don’t want to pay these contemptible criminals. But our job and our duty is to the American public. So when you know that you have 100 million gallons of gasoline and diesel fuels and jet fuels that are going to go across the Southeastern and Eastern seaboard of the United States, it’s a very critical decision to make. And if owning that de-encryption tool gets you there quicker, then it’s the decision that had to be made. And I did make that decision that day. It was the right decision to make for the country.”
Meatpacker JBS USA paid an $11 million ransom.
“This was a very difficult decision to make for our company and for me personally,” said Andre Nogueira, CEO of JBS USA on the ransom payment. “However, we felt this decision had to be made to prevent any potential risk for our customers.”
An Indiana health system paid a $50,000 ransom.
Said the health system CEO: “I agree with every reason not to pay, but until you are faced with the decision, it’s easy to say lots of things. For us it made the most sense to get the decryption keys.”
At 4,000 ransomware attacks a day, organizations and their leaders have no excuses left for not being prepared with communications should they be targeted. The hackers already are holding your computer systems hostage. Don’t let them do the same to your communications.
Thom Fladung is managing partner of Hennes Communications. For more information on cybersecurity crisis communication plans – or plans for any crisis – contact him at fladung@crisiscommunications.com or 216-213-5196.