• United States




What to do if your data is taken hostage

Dec 29, 20165 mins
Backup and RecoverySecurity

Find out how to respond to ransomware threats

hostage cropped
Credit: Thinkstock

Getting duped online by a cybercriminal is infuriating. You let your guard down for a minute and the thieves find their way in to your machine.

And then the “fun” begins if ransomware is involved. Hopefully you have your data backed up, but if not now starts the dance with those who have ultimately taken you hostage. Ransomware is obviously analogous to kidnapping, and dealing with the perpetrators can feel much like negotiating with a jumper standing on the edge of high-rise roof.

Look no further for help than the Institute for Critical Infrastructure Technology report that in part describes how to deal with criminals when they are holding your data hostage. The report talks of what to do once a breach has been found.

ICIT says the proper response will depend on the risk appetite of the organization, the potential impact of the hostage data, the impact on business continuity, whether a redundant system is available, and the sectorial regulatory requirements.

[ ALSO ON CSO: The history of ransomware ]

Hopefully the information security team has already planned out a procedure to follow in the event of a ransomware attack. They should begin by notifying the authorities and applicable regulatory bodies. The plan identifies the organization’s recovery time objective (RTO), and recovery point objective (RPO) for data breaches. In the event that a backup exists, then cyber-forensic evidence of the incident should be preserved and documented for/by law enforcement.

In the event that there are no redundancy systems or if the secondary systems are compromised, then the information security team can find and implement a vendor solution or decryption tool.

In many cases, files may be partially corrupted or incompletely decrypted. Even if a vendor solution is a simple executable, the victim may not be able to assure that their system is not still compromised by inactive ransomware, backdoors, or other malware.

Another option is to attempt to recover the data. System backup and recovery are the only certain solutions to ransomware. If you have a backup system, then recovery is a simple matter of restoring the system to a save point. Otherwise, you could attempt to recover data through shadow copies or through a file recovery software tool; however, many ransomware variants delete shadow copies and some even detect file recovery software. Since many variants infect the registry, system restore from a save point may not be possible even if the recovery point remains unaffected.

If you don’t like those options, you can put your head in your hands and do nothing. In lieu of an information security team or vendor solution, options are limited to paying the ransom or accepting the loss of the system or data. If the system is backed up, and the backup remains reliable, then the victim can ignore the ransom demand and restore the system according to the backup. If there is no backup, but the ransom outweighs the cost of the system, then the victim may have to purchase a new device and dispose of the infected system with extreme prejudice.

[ ALSO ON CSO: Tricks that ransomware uses to fool you ]

In what should be a last resort: pay the ransom. If the culprit actually provides the decryption key, then paying the ransom may alleviate the immediate pressure on the organization. Some attackers may release the system after receiving payment because doing otherwise would reduce the likelihood that other victims will pay. If paying the ransom is legitimately being debated, then perform a quick Internet search on the type of ransomware holding your system. Whether or not criminals who use that ransomware are likely to release data after receiving payment is likely to show up online.

Security experts caution about this approach though as there is no guarantee that once the money is paid that the perpetrator would release the data. Also another worry is that once you pay the ransom, the cybercriminal could come back and do the same thing at a later date.

Some attackers recognize this dichotomy of trust. They recognize that if files are never unlocked then no victim will ever pay a ransom. As a result, variants such as CTBLocker (Trojan.Cryptolocker.G) have an option to decrypt a few random files as a gesture of good faith.

Another tact is if the ransom is low, say $300 for a multimillion-dollar organization, then it might make sense to adopt a hybrid approach. This could include simultaneous efforts to pay the ransom, to triage the system, and to attempt to restore from a backup server.

Organizations contemplate if system downtime is more dire than the consequences of the ransom. A hybrid approach ensures that the system will be operational in some amount of time, no matter what. To minimize the expended resources and the impact to the organization, hybrid solutions should only be attempted by a trained and prepared information security team.

The number of ransomware attack variations is limited only by the imagination and motivation of the attackers. A vigilant cybersecurity centric corporate culture that cultivates an environment of awareness is the most effective means to minimize the attack. If you do have an infosec team, it should cover: an immediate companywide vulnerability analysis, a crisis management strategy that takes into consideration all known threats, continuous device and application patching, auditing of third-party vendors and agreements, organizational penetration testing and security centric technological upgrades.