Organisations hit with ransomware must decide if the situation has become extreme enough to pay the ransom. Although law enforcement adheres to a strict policy of not negotiating with the extortionists, nuances do exist. Companies need to understand the full spectrum of options, how interactions with the criminals may evolve and how to position the business to withstand subsequent attacks. Here’s a checklist executives need to consider when they find themselves staring at a ransom note:
- Understand the context. Ransomware has become big business. Analysts estimate that businesses paid more than $1 billion in ransoms in 2016. And this year, shipping giant Maersk estimated that the NotPetya ransomware attack cost the company around $300 million in losses. WannaCry, another major attack that the NSA attributed to North Korea last spring, affected more than 300,000 people in 150 countries.
- Consider the full suite of options. Before deciding anything, examine every option and ask questions such as: How valuable is the data under attack? Are backups available? If not, can the organisation afford to lose the data, or is it critical to the enterprise? Could the data loss result in physical harm to anyone, for example if patient records are irretrievable?
- Understand the full implications of paying the ransom. The aspiration must always be to have a resilient enough security posture that ransoms never need be paid. However, there are extreme cases in which paying may be the only sensible option. For example, hospitals may choose to pay if the lives of patients are at risk.
- If you decide to pay the ransom, ask for proof of decryption capability. Before paying any ransom, ask for a sample of the encrypted data to be decrypted. You need to verify that the attacker actually has the technical capability to restore your data. Keep in mind that the ransomware itself may be faulty: if the encryption routine was not written correctly, it may not be technically possible to decrypt your data at all, regardless of payment.
- Negotiations are possible. Cybercriminals will negotiate with their victims. For instance, when Nayana Communications was subjected to a ransom demand, the Nayana CEO was able to achieve a reduction from $1.6 million to the eventual $1 million paid. In other examples, discounts and deadline extensions were granted by three out of four separate cybercriminal gangs when researchers contacted them posing as victims. If the company does decide to pay, haggling can work.
- Payment does not mean you get your data back. While some criminals will return your data if you pay the ransom, many will not. According to a recent Ponemon study, 45 percent of extortionists did not provide decryption keys upon payment of the ransom. If the criminals do honour their word today, there is nothing to stop them coming back to extort you again tomorrow; now they know you will pay.
- Utilise forensics. Expert forensic practitioners will attempt to identify a way of recovering the encrypted data. However, companies need to understand that a forensic response takes time and, if the ransomware authors have done their jobs well, for the most part yields limited results. In most ransomware cases, forensics can identify how the attackers got in but cannot reverse the encryption process. Companies opting for a forensic response should visit the No More Ransom Project’s website, which hosts the best collection of decryption tools available.
No matter what decision you make, it’s vital that you launch an immediate security improvement plan to ensure that you minimise the risk of ever being put in the position of having to contemplate paying an extortionist again.
The next blog in this series will examine how to achieve resilience against ransomware with DXC’s 5A approach.