To pay, or not to pay, that is the ransomware question

The FBI says don’t pay. Should you heed their advice?

Ransomware is all the rage, and that’s not a good thing. Anyone with the misfortune of becoming a ransomware victim quickly has to decide: do you pay the ransom or not?

The FBI’s ransomware guidance provides a lot of good information. A ransomware victim needs to consider several things. First, the FBI advises implementing your security incident response and business continuity plan. This assumes a firm has such a plan in place.

The FBI also doesn’t encourage you to pay the ransom, suggesting instead that you evaluate all options to protect shareholders, employees, and customers. With that in mind, consider two scenarios:

Company #1 has an effective information security and disaster recovery program. They have security software in place, including advanced firewalls and anti-malware detection. Their backup protocols ensure systems are backed up nightly and data in near real time. Backup tapes are then moved to a separate network, from which they are synced to the cloud.

No system is perfect, and when several factors come together at once, a user clicks on a link that installs ransomware. The company is then faced with the decision to pay or not.

They immediately take systems offline and determine the scope of the outbreak. They identify which machines are infected and reimage them. Knowing when the infection occurred, they can restore the data so that they lose only the last 2 hours. Given that, they don’t pay the ransom. “At this point many of my clients breathe a sigh of relief that their backups worked,” says Mitch Zahler, CISO at Proactive Cyber Security. “What they fail to do many times is place additional controls to reduce the chances of being infected once again.”

Company #2 has a very lean information security program. In fact, their IT department is all of two people. They do their best to ensure the firm has good security controls in place, but they never considered how to defend against malware, since they never had any formal training or oversight. As to backups, they have an automated system that performs incremental backups. Given that they have no free time, no one has ever tested whether the backups work.

When a user visited a site offering free movies, they also installed ransomware on their desktop. The IT team didn’t immediately know what to do and started Googling ransomware. When they saw that their databases were encrypted and users couldn’t access data, they took the systems offline and went to their backup tapes.

When they attempted to restore, the program aborted due to too many CRC errors; the tapes were either too dirty or too old. Had they looked at the backup logs, they would have seen this going back two years.
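The failure above is detectable long before an incident: a backup job can report success every night while its verify or restore-test step fails every time. The following is an added example, not code from the article or from any backup product, that audits constructed log lines in a hypothetical `key=value` format and flags jobs with no recent successful verification or with recurring CRC errors.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical key=value format (not a real product's output).
# db-nightly's verify step fails on CRC errors every run, the signal Company #2 never looked at.
SAMPLE_LOG = """\
2017-03-01 02:10:11 job=db-nightly level=incremental status=OK
2017-03-01 02:40:02 job=db-nightly action=verify status=FAIL reason="CRC error" count=17
2017-03-02 02:10:09 job=db-nightly level=incremental status=OK
2017-03-02 02:41:15 job=db-nightly action=verify status=FAIL reason="CRC error" count=23
2017-03-02 03:00:00 job=files-hourly level=incremental status=OK
2017-03-02 03:05:30 job=files-hourly action=verify status=OK
"""
AS_OF = datetime(2017, 3, 3)  # constructed "now" for the audit

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line):
    """Split a log line into (timestamp, fields); return None for lines that do not parse."""
    try:
        ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(line[20:])}
    return (ts, fields) if "job" in fields else None

def audit_backups(log_text, now, max_unverified=timedelta(days=1)):
    """Return {job: {"stale": bool, "crc_failures": int}}; stale = no status=OK verify within max_unverified."""
    jobs, last_ok_verify, crc_failures = set(), {}, {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, f = parsed
        job = f["job"]
        jobs.add(job)
        if f.get("action") != "verify":
            continue  # a backup run reporting OK proves nothing about restorability
        if f.get("status") == "OK":
            last_ok_verify[job] = ts
        elif "CRC" in f.get("reason", ""):
            crc_failures[job] = crc_failures.get(job, 0) + 1
    return {job: {"stale": job not in last_ok_verify or now - last_ok_verify[job] > max_unverified,
                  "crc_failures": crc_failures.get(job, 0)} for job in sorted(jobs)}

if __name__ == "__main__":
    for job, result in audit_backups(SAMPLE_LOG, AS_OF).items():
        print(job, result)
```

A job that never passes verification is reported as stale regardless of how many backup runs reported OK, which is the condition that left Company #2 with nothing to restore.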

At that point, they’re locked out of their own data. They could go back to their last known good backup copy, but that means losing two years of data. Having absolutely no choice, no leverage, and no plan B, they pay the ransom. “Because we cater to SMBs, we have noticed that either third-party or one-person IT departments think they are cybersecurity professionals. After they suffer an incident they have a knee-jerk reaction and start placing sometimes useless controls on their systems but keep on getting hit,” says Zahler.

As the FBI notes, paying a ransom does not guarantee an organization will regain access to its data; in fact, some individuals and organizations were never provided with decryption keys after paying. In this case, company #2 got lucky and was provided with a decryption key.

The FBI is right: when you can, don’t pay. Even if you pay, there’s no guarantee that you get the key.

When it comes to ransomware, the message is that the best way to avoid having to pay a ransom is to have a good security program in place so that you don’t become a victim in the first place. Even the best program can’t guarantee a company will never be hit by ransomware, but it can ensure that in the rare event it does occur, the company is prepared, able to heed the FBI’s advice, and doesn’t pay.

This article is published as part of the IDG Contributor Network.

Copyright © 2017 IDG Communications, Inc.