When a demand for your money or your data pops up on a critical system, you have only a short period of time to decide whether to respond to a ransomware attack.
Online extortion is on the increase, as criminals use a variety of attack vectors, including exploit kits, malicious files, and links in spam messages, to infect systems with ransomware. Once all the files have been encrypted, victims can either try to recover the files on their own or pay the ransom. While there have been some exceptions, victims are seldom able to break the encryption and restore access. More often, successful circumvention of a ransomware attack involves wiping the affected systems and promptly restoring everything from clean backups.
Whether or not the organizations should pay the ransom is not a security decision -- it's a business decision. Paying encourages criminals to attack again. Not paying means lost revenue while waiting for IT to recover the files. This isn’t an easy choice, but read on for reasons to not pay the ransom.
1. You become a bigger target
As they saying goes: Do not feed the trolls -- otherwise, they'll keep making provocative statements to get a reaction. Ransomware is a little like that; paying ransom simply encourages the attackers. Criminals talk; they will tell others who paid the ransom and who didn’t. Once a victim is identified for paying up, there's nothing stopping others from jockeying for a piece of the ransom pie.
Another danger looms: The same attackers can come back. Since you paid once, why not again?
2. You can't trust criminals
Relying on a criminals to keep their word is a risky endeavor. It seems like a simple exchange -- money for a decryption key -- but there's no way to tell the ransomware gang can be trusted to hold up their half of the bargain. Many victims have paid the ransom and failed to regain access to files.
This cuts both ways: Why pay up if you don't expect to get your data back? Reputation matters, even in the criminal world.
The CryptoWall gang is well known for its excellent customer service, such as giving victims deadline extensions to gather the ransom, providing information on how to obtain bitcoins (the preferred method of payment), and promptly decrypting the files upon payment. Other malware families, such as TeslaCrypt, Reveton, and CTB-Locker, have less reliable reputations. Which can really be trusted? Paying to find out is not the best strategy.
3. Your next ransom will be higher
Extortionists typically don't ask for exorbitant amounts; the average ransom ranges between $300 to $1,000. But as more organizations succumb, criminals feel increasingly confident enough to raise prices. It’s hard to put a market price on data if the victims really, really need to get their files back.
Consider that Hollywood Presbyterian Medical Center paid $17,000 to restore access to its electronic medical records system. That's a pittance compared to potentially $533,911 in lost revenue while the hospital's IT department tried to reclaim the data and patients went to different hospitals, based on rough calculations by Andrew Hay, the CISO of DataGravity. Maybe it's $17,000 now, but the gang might easily demand $50,000 next week, and so on.
It’s simple economics. The seller sets prices based on what the buyer is willing to pay. If victims refuse to pay, attackers have no rationale to raise the ransom amounts.
4. You encourage the criminals
Take the long-term view. Paying ransom restores the data for the organization, but that money will undoubtedly fund additional criminal activity. Attackers have more money to spend on developing more advanced versions of ransomware and more sophisticated delivery mechanisms. Many cyber crime gangs operate like legitimate companies, with multiple revenue streams and different product lines. The money from ransomware schemes can be used to fund other attack campaigns.
"There is always a liability piece to what the money is funding," said William Noonan, deputy special agent of Cyber Operations for the U.S. Secret Service, speaking at a Verizon RISK Team event during the RSA Conference in San Francisco.
Paying the ransom feeds the problem.
One reason to pay
Each of the above arguments are perfectly valid. But there’s a compelling reason why many wind up paying: They need their files back. They don’t have a choice.
When ransomware hits all the case files at a police department, there's no time to wait for someone to try to break the encryption and recover the files. When active investigations are pending, restoring from backups may take too long. Set aside the should-haves and could-haves -- if the organization did not have a sufficiently robust backup strategy in place to restore the files (or the backups got corrupted, too), preaching about the importance of prevention is extremely unhelpful.
Many victims may also decide to pay out of fear that if they don’t, the attacker will cause more damage in retaliation.
Organizations who opt to pay are not alone. In a recent BitDefender study, half of the ransomware victims said they paid, and two-fifths of the respondents said they would pay if they were ever in that situation. Industry estimates suggest the CryptoWall gang has extorted victims out of more than $325 million since June 2014.
An ounce of prevention ...
It can’t be stressed enough that persistent backups make it possible for organizations to recover from a ransomware infection without having to pay the criminals. A good backup strategy includes Linux, Mac OS X, and Windows. This is not a Windows-only problem, as ransomware has been found for all three operating systems. Mobile devices aren't immune, either. Think holistically across all platforms.
- Back up regularly, and keep a recent backup copy offsite and offline. Backing up to shared volumes doesn’t work if they are mounted locally on the computer -- ransomware can access those files, too. After running a backup, unplug the USB drive so that ransomware doesn’t also infect the storage device. Regularly test the backup to make sure the files are archived correctly. The aftermath of a ransomware infection is not the time to discover that critical files were not being stored or jobs weren’t kicked off in a timely manner.
- Many ransomware attacks rely on malicious email attachments or links in spam emails. Make sure everyone, from rank-and-file employees and IT staff all the way to senior executives, know the basics: Don’t click on links without scrutinizing the email to make sure it’s legitimate; verify the message before opening a file attachment; and if the document asks to enable macros, don’t do it. It might be a good idea to install Microsoft Office viewers so that files can be scrutinized without opening them in Word or Excel -- which makes it harder for malicious code to execute.
- Keep all software updated. Many exploit kits rely on unpatched vulnerabilities in popular applications such as Microsoft Office, Internet Explorer, and Adobe Flash. Roll out those updates as soon as possible, and make it harder for attackers to push ransomware on to computers as part of a drive-by-download attack.
A pound of cure
Not paying ransom is the better decision, but organizations should not be shamed of giving in to attackers’ demands. It’s a complicated question, and each organization should make the call most appropriate for its situation. But once paid, take precautions so that if another ransomware infection strikes, not paying at all becomes an easier choice to make.
Prevention pays off.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.