Ransomware should haunt you all the time
9 May 2016 | 0
When the ransomware demands come in it is really too late to come up with a good response plan, so do that as soon as you can, heard audience the Interop network and architecture conference.
“You need to decide beforehand whether you will pay and under what circumstances,” John Pironti, president of IP Architects, says. “It’s a cost benefit decision in the end.”
But in the heat of the moment what should be a rational business decision becomes an emotional issue that challenges the morals and pride of decision makers. “They don’t want to be the ones that paid,” Pironti says, speaking from experience consulting with ransomware victims. It just feels wrong to cave in to the demands of criminals who have encrypted your machines and won’t turn over the keys until you pay.
Ultimately those who make the decision must act in the best interest of the company. That means deciding when not paying the cost of the ransom is worth the consequences: lost productivity, missed customer engagements and the cost of replacing devices that are irreversibly encrypted. “At what point does it cost more to respond to the incident than to pay the ransom?” he says. Businesses need a response playbook.
One company Pironti dealt with was being threatened with a crippling DDoS attack if they did not pay $9,000 (€7,900). Rather than do so they spent more than $200,000 (€175,575) on DDoS protection gear and consultants to ward off the attack. And then the attack never came.
When it comes time to pay, try to negotiate down the demand. Earlier this year extortionists demanded $3.6 million (€3.16 million) from Hollywood Presbyterian MedicalCenter to unlock ransomware. It wound up paying $17,000 (€14,927).
In some cases the negotiations do not even go through a human being, he says. Automated responses sometimes accept lower amounts, and the keys are delivered also automatically once payments — typically in Bitcoin — are made.
Beyond deciding to pay or not to pay, businesses should do threat and vulnerability analyses to identify how adversaries could get in, what they could infect and what the business impact would be.
Planning be also important because the timeframe for making a decision can be narrow depending on the time limit set by the extortionist.
Once paid, getting the network back to normal is no simple matter. Businesses need to do forensics to see how the attack unfolded so measures can be taken to block the same type of attack in the future. That’s because attackers sell lists of businesses that have paid ransom and what methods the attackers used against them so those who buy the lists can use the same attack tool again and again. “They only work as hard as they have to,” Pironti says. So it may create a long-term problem to pay.
Businesses also need to find out where the attackers went within the network to discover where they might have buried malware for use at a later time, he says. Often the ransomware attack is used as a distraction so network security pros don’t notice other types of attacks.
One of the best protections against ransomware attacks is effective backup, but it is not foolproof. For example, if it is inserted in machines and lies dormant the ransomware itself can be backed up, so machines restored with the backup will still be infected. That’s why forensics are important to determine when and where the malware was placed. And it’s important to reimage machines, not just restore data.
“You have to ask did your backups backup everything? Do so recently enough? Do they have integrity?” he says.
If there is a bright side, ransomware extortionists generally do what they say they will do. If the victim pays up, they’ll send the keys to unlock the encryption.
The problem is not likely to go away any time soon. Over time, these attacks are getting more sophisticated and difficult to prevent. When security researchers reverse engineer a strain of ransomware to find out how to disarm it, the criminals quickly abandon it and come up with something else.
The FBI suspects that in the first quarter of 2016 $209 million (€184 million) was collected by ransomware crooks. Pironti says the figure is likely much higher, and so the problem will continue.
“The only way we know to break the cycle is to refuse to pay,” he says, but that option may come at a high cost. “Are you willing to become the sacrificial lamb?”
IDG News Service