When the ransomware demands come in it’s really too late to come up with a good response plan, so do that as soon as you can, an Interop audience was told.
“You need to decide beforehand whether you will pay and under what circumstances,” John Pironti, president of IP Architects, says. “It’s a cost benefit decision in the end.”
But in the heat of the moment what should be a rational business decision becomes an emotional issue that challenges the morals and pride of decision makers. “They don’t want to be the ones that paid,” Pironti says, speaking from experience consulting with ransomware victims. It just feels wrong to cave in to the demands of criminals who have encrypted your machines and won’t turn over the keys until you pay.
Ultimately those who make the decision must act in the best interest of the company. That means deciding when not paying the cost of the ransom is worth the consequences: lost productivity, missed customer engagements and the cost of replacing devices that are irreversibly encrypted. “At what point does it cost more to respond to the incident than to pay the ransom?” he says. Businesses need a response playbook.
One company Pironti dealt with was being threatened with a crippling DDoS attack if they didn’t pay $9,000. Rather than do so they spent more than $200,000 on DDoS protection gear and consultants to ward off the attack. And then the attack never came.
When it comes time to pay, try to negotiate down the demand. Earlier this year extortionists demanded $3.6 million from Hollywood Presbyterian Medical Center to unlock ransomware. They wound up paying $17,000.
In some cases the negotiations don’t even go through a human being, he says. Automated responses sometimes accept lower amounts, and the keys are also delivered automatically once payments – typically in Bitcoin – are made.
Beyond deciding to pay or not to pay, businesses should do threat and vulnerability analyses to identify how adversaries could get in, what they could infect and what the business impact would be.
Planning is also important because the timeframe for making a decision can be narrow, depending on the time limit set by the extortionist.
Once paid, getting the network back to normal is no simple matter. Businesses need to do forensics to see how the attack unfolded so measures can be taken to block the same type of attack in the future. That’s because attackers sell lists of businesses that have paid ransom, along with the methods used against them, so those who buy the lists can use the same attack tool again and again. “They only work as hard as they have to,” Pironti says. So paying may create a long-term problem.
Businesses also need to find out where the attackers went within the network to discover where they might have buried malware for use at a later time, he says. Often the ransomware attack is used as a distraction so network security pros don’t notice other types of attacks.
One of the best protections against ransomware attacks is effective backup, but it’s not foolproof. For example, if the ransomware is planted on machines and lies dormant, it will be captured in the backups themselves, so machines restored from those backups will still be infected. That’s why forensics are important to determine when and where the malware was placed. And it’s important to reimage machines, not just restore data.
“You have to ask: did your backups back up everything? Do so recently enough? Do they have integrity?” he says.
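The three questions above, plus the dormant-malware problem from the previous paragraph, can be turned into a routine check of a backup catalog. This is an added example, not code from the article or from IP Architects; the inventory, catalog layout and dates are constructed, and the "infected since" timestamp is assumed to come from the forensics work the article describes.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample data (not from the article): the asset inventory the
# backups are supposed to cover, and a backup catalog keyed by host.
INVENTORY = {"fileserver-01", "db-01", "hr-laptop-07"}


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Each snapshot records when it was taken, the stored blob (a stand-in for the
# backup image) and the hash recorded at backup time. db-01's newest snapshot
# has a mismatching hash to simulate a corrupted or tampered backup.
CATALOG = {
    "fileserver-01": [
        {"taken": datetime(2016, 5, 1), "blob": b"fs-v1", "sha256": _h(b"fs-v1")},
        {"taken": datetime(2016, 5, 9), "blob": b"fs-v2", "sha256": _h(b"fs-v2")},
    ],
    "db-01": [
        {"taken": datetime(2016, 5, 8), "blob": b"db-v3", "sha256": "deadbeef"},
        {"taken": datetime(2016, 4, 20), "blob": b"db-v2", "sha256": _h(b"db-v2")},
    ],
}


def verify_backups(inventory, catalog, now, max_age, infected_since=None):
    """Coverage, recency and integrity check per host. If forensics supplied an
    infected_since timestamp, the restore candidate is the newest intact
    snapshot taken BEFORE that time, so a dormant payload is not restored."""
    report = {}
    for host in sorted(inventory):
        snaps = catalog.get(host, [])
        if not snaps:
            report[host] = {"issues": ["not backed up"], "restore_from": None}
            continue
        issues = []
        intact = [s for s in snaps if _h(s["blob"]) == s["sha256"]]
        if len(intact) < len(snaps):
            issues.append("integrity failure")
        if now - max(s["taken"] for s in snaps) > max_age:
            issues.append("stale")
        clean = [s for s in intact
                 if infected_since is None or s["taken"] < infected_since]
        if not clean:
            issues.append("no clean snapshot")
        restore = max(s["taken"] for s in clean) if clean else None
        report[host] = {"issues": issues, "restore_from": restore}
    return report
```

Hosts with "no clean snapshot" are the ones that must be reimaged and rebuilt rather than restored, which is the point Pironti makes about reimaging.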
If there is a bright side, ransomware extortionists generally do what they say they will do. If the victim pays up, they’ll send the keys to unlock the encryption.
The problem isn’t likely to go away any time soon. Over time, these attacks are getting more sophisticated and difficult to prevent. When security researchers reverse engineer a strain of ransomware to find out how to disarm it, the criminals quickly abandon it and come up with something else.
The FBI suspects that in the first quarter of 2016 $209 million was collected by ransomware crooks. Pironti says the figure is likely much higher, and so the problem will continue.
“The only way we know to break the cycle is to refuse to pay,” he says, but that option may come at a high cost. “Are you willing to become the sacrificial lamb?”