Never pay ransomware demands, expert advises
27 March 2017
When ransomware criminals lock up files and demand payment to decrypt them, don’t pay, was the advice given by one expert at SecureWorld.
That is easy to say when there is no risk of losing crucial data, and making that the case requires planning, says Michael Corby, executive consultant for technology consultancy CGI.
“Plan to have data available in a form that won’t be affected by ransomware—encrypted and stored separately from the production network,” he says. “You need a clean copy of the data in a restorable form. Test that the back-ups work.”
Restore and recover are the key words, and both should be done keeping in mind that the malware has to be removed before recovery begins, otherwise the restored data can be encrypted again.
While Corby advocates not paying ransom, he says he knows of law enforcement agencies that think paying is sometimes inevitable as the only way to recover essential data. They go so far as to encourage businesses to get a bitcoin wallet before being hit by ransomware so payments can be made quickly if necessary. Ransomware criminals generally issue tight deadlines for payment.
The first rule of responding to ransomware that all employees should know is: do not try to figure it out. When the ransom demand appears on the screen, they should disconnect the device from the network immediately and tell Information Services (IS). In turn, IS should scramble a response team that includes themselves but also the legal department, public relations, human relations, executives and IT.
The organisation should also notify the authorities, which is often complicated: calling in law enforcement can mean relinquishing control of the investigation, and perhaps of devices and the data they contain that are needed as evidence.
Corby has a number of steps he advises businesses to take as best practices against ransomware that are also good general network hygiene:
- Hold awareness programs about malware for end users
- Patch and update software including security and antivirus software
- “Decriminalise” being hit by ransomware so fear doesn’t stop end users from reporting it immediately
- Manage administrative accounts to ensure least privilege
- Disable macros
- Consider limiting BYOD to an approved list of devices that should then adhere to strict security policies
IDG News Service