Ransomware: Should You Pay The Ransom?

Uploaded on 2016-07-27 in TECHNOLOGY--Hackers, GOVERNMENT-Law Enforcement, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

Security professionals dread the day when they get the call that ransomware has infiltrated their network and has already started encrypting files, drives and network shares. 

After the initial shock has worn off and the ransomware is no longer encrypting new files, the decision quickly turns to whether to pay the ransom in order to (maybe) recover the files.

Noticeably absent from this article is the actual answer to that question. That is because there are lots of issues and questions that go into this decision. I want to highlight some of the issues you will face and help work through the answers.

1.    Can you live without the files?

Files encrypted by ransomware are locked and cannot be viewed or accessed by anyone in the organization. It is important to catalog the extent of the loss. Files can be grouped based on how critical they are to the organization.

2.    Do you have backups, and if so, how recent?

The existence of backups for encrypted files gives you options. You might have the ability to recover encrypted files through your own backups. The existence of backup varies by company and by type of system that has been compromised.

3.    Recovery

If you have backups of the encrypted files, how quickly can you recover from backup? Companies have varying strategies for backup/storage and retrieval. Recovery can take multiple days. When that happens, paying the ransom may be a viable alternative to restore files more quickly.

4.    Do you have an obligation to outside parties?

File availability requirements may impact your decision-making. If you need to have files available quickly, that may tilt the balance in favor of paying the ransom for the possibility of recovering them quickly. Obligations may be to customers, suppliers, regulatory organizations, legal entities and many others.

5.    Is it possible to decrypt the files without paying the ransom?

Some ransomware is not well written. If you are lucky enough to have become infected with a weaker variant of encryption, it is possible to use a recovery pack.  A good resource for identifying and remediating some types of ransomware can be found in this list of decryptor tools.  

6.    Assess the likelihood of getting the encryption key after paying the ransom

Not all ransomware organizations are trustworthy (big surprise). Some will take your money and not provide you with the decryption keys.

On May 20, 2016, Kansas Heart Hospital paid a ransomware organization an undisclosed amount, only to have the organization extort them for a second time for additional money. The hospital refused to pay the second ransom, stating: “The policy of the Kansas Heart Hospital in conjunction with our consultants, felt no longer was this a wise maneuver or strategy.”

7.    Other risk factors

You need to consider reputation, regulatory and financial risk when deciding whether to pay or not pay the extortionists. Make sure you’re considering all angles.

The recommendation from the FBI and several non-government organizations is to never pay a ransom. Some reasons to not pay the ransom include:

  • There is a possibility that you will not get the files recovered after you pay.
  • It encourages bad actors to continue developing ransomware.
  • You fuel a perception that you are weak by giving in to the bandits.
  • You fuel a perception that you are inept if you don’t know how to prevent/resolve security breaches.
  • In the real world there are other issues that need to be evaluated when deciding to pay the bad guys.
  • Locked files are critical to your business or represent a significant investment.
  • Operations are compromised because of the locked files.
  • There is no backup, so the files would be lost forever.
  • Restoration of the files will take a significant amount of time and will impact business.
  • Need to divulge lost files to customers.
  • Regulatory consequences for the lost files.

So while it is easy to say, “Never pay the ransom,” sometimes there are practical considerations that need to be evaluated. 
Ransomware victims pay less than they expect!

However, if you’re a cyber-criminal looking to enter the ransomware game, but not sure how much money you should demand for the unlocking of a victim’s files, don’t worry. Kaspersky Lab has done the research for you.

The security firm, together with B2B International, says people value their smartphone data, on average, at $682. In 39 percent of cases, the figure exceeds $1,000. On the other hand, cyber-criminals which have managed to lock a victim’s device through ransomware, usually demand $300.

"These figures explain why so many people are willing to pay extortionists, and once again, demonstrate the need for preventive protection measures against online threats", the two companies say.

The ransomware situation has been called an epidemic quite some time ago, and it is obviously going to continue, as long as people pay ransom. And in that respect, things aren’t looking too bright. At least 40 percent of victims decide to pay, Kaspersky Lab says.

They do that, mostly because they don’t backup their device, and then fear things like photos would be lost forever.

Landesk:    BetaNews

 

« US Carmakers Want Hackers To Help Them Improve Cybesecurity
US Defense Intelligence Agency Is Researching Employee Social Media Histories »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall (and why does it matter)?

Watch this webinar to hear security experts from Amazon Web Services (AWS) and SANS break down the myths and realities of what an NGFW is, how to use one, and what it can do for your security posture.

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

RedTeam Security

RedTeam Security

RedTeam Security is a provider of Penetration Testing, Social Engineering, Red Teaming and Red Team Training services.

Giesecke+Devrient (G+D)

Giesecke+Devrient (G+D)

Giesecke+Devrient develop security technologies in four major areas: enabling secure payment, providing trusted connectivity, safeguarding identities and protecting digital infrastructures.

The Open Group

The Open Group

The Open Group: Leading the development of open, vendor-neutral IT standards and certifications.

WizNucleus

WizNucleus

WizNucleus develops, markets and supports a software platform (Cyberwiz-Pro) that enables Critical Infrastructure enterprises to ensure the future state of their cybersecurity and remain compliant.

TrainACE

TrainACE

TrainACE, is a professional computer training school offering courses in information technology with a focus on Advanced Security training.

Symantec

Symantec

Symantec delivers data-centric hybrid security for the largest, most complex organizations in the world – on devices, in private data centers, and in the cloud.

Security Alliance

Security Alliance

Security Alliance provide bespoke cyber intelligence consulting and research services.

Fortiphyd Logic

Fortiphyd Logic

Fortiphyd Logic equips operators of the power grid, oil & gas, and other critical infrastructure with the tools and training they need to defend their industrial networks from advanced cyberattacks.

SecureNation

SecureNation

SecureNation offers a wide variety of cutting-edge technologies and IT services to address almost any of your information security, network security and information assurance needs.

Intechtel

Intechtel

Intechtel is a cyber security company, in addition to providing other internet, technology and telephone services.

Virtual Technologies Group (VTG)

Virtual Technologies Group (VTG)

Virtual Technologies Group is a single source, IT product and services provider for SMBs and IT departments, delivering reliable, cost-efficient service, maintenance and support solutions.

Willyama Services

Willyama Services

Willyama Services is a certified Information Technology and Cybersecurity professional services business providing services to government and private sector clients.

OneStep Group

OneStep Group

OneStep Group are a leading Australian provider of information and communications technology (ICT) services, connecting businesses through technology solutions and support.

CyberSalus

CyberSalus

CyberSalus is a pioneering cyber tech services company dedicated to protecting the digital integrity of healthcare organizations.

StepSecurity

StepSecurity

StepSecurity provides a comprehensive security platform for GitHub Actions.

Heritage Cyber World

Heritage Cyber World

Heritage Cyber World is a one stop solution for all your security needs that brings together a team of security experts and analysts to deliver high-class security services.