Reasons to resist a ransomware attack
15 March 2016
When a demand for your money or your data pops up on a critical system, you have only a short period of time to decide whether to respond to a ransomware attack.
Online extortion is on the increase, as criminals use a variety of attack vectors, including exploit kits, malicious files, and links in spam messages, to infect systems with ransomware. Once the files have been encrypted, victims can either try to recover them on their own or pay the ransom. While there have been some exceptions, victims are seldom able to break the encryption and restore access. More often, successful recovery from a ransomware attack involves wiping the affected systems and promptly restoring everything from clean back-ups.
Whether or not an organisation should pay the ransom is not a security decision; it is a business decision. Paying encourages criminals to attack again. Not paying means lost revenue while waiting for IT to recover the files. This isn't an easy choice, but read on for reasons not to pay the ransom.
- You become a bigger target
As the saying goes: Do not feed the trolls, otherwise they will keep making provocative statements to get a reaction. Ransomware is a little like that; paying the ransom simply encourages the attackers. Criminals talk; they will tell others who paid the ransom and who didn't. Once a victim is known to pay up, there is nothing stopping other gangs from jockeying for a piece of the ransom pie.
Another danger looms: The same attackers can come back. Since you paid once, why not again?
- You can’t trust criminals
Relying on criminals to keep their word is a risky endeavour. It seems like a simple exchange, money for a decryption key, but there is no way to tell whether the ransomware gang can be trusted to hold up its half of the bargain. Many victims have paid the ransom and still failed to regain access to their files.
This cuts both ways: Why pay up if you don’t expect to get your data back? Reputation matters, even in the criminal world.
The CryptoWall gang is well known for its excellent customer service, such as giving victims deadline extensions to gather the ransom, providing information on how to obtain bitcoins (the preferred method of payment), and promptly decrypting the files upon payment. Other malware families, such as TeslaCrypt, Reveton, and CTB-Locker, have less reliable reputations. Which can really be trusted? Paying to find out is not the best strategy.
- Your next ransom will be higher
Extortionists typically do not ask for exorbitant amounts; the average ransom ranges from $300 (€270) to $1,000 (€900). But as more organisations succumb, criminals grow confident enough to raise prices. There is no natural ceiling on the price of data the victim absolutely must get back.
Consider that Hollywood Presbyterian Medical Centre paid $17,000 (€15,300) to restore access to its electronic medical records system. That is a pittance compared to potentially $533,911 (€480,918) in lost revenue while the hospital’s IT department tried to reclaim the data and patients went to different hospitals, based on rough calculations by Andrew Hay, the CISO of DataGravity. Maybe it’s $17,000 now, but the gang might easily demand $50,000 (€45,000) next week, and so on.
It is simple economics. The seller sets prices based on what the buyer is willing to pay. If victims refuse to pay, attackers have no rationale to raise the ransom amounts.
- You encourage the criminals
Take the long-term view. Paying ransom restores the data for the organisation, but that money will undoubtedly fund additional criminal activity. Attackers have more money to spend on developing more advanced versions of ransomware and more sophisticated delivery mechanisms. Many cybercrime gangs operate like legitimate companies, with multiple revenue streams and different product lines. The money from ransomware schemes can be used to fund other attack campaigns.
“There is always a liability piece to what the money is funding,” said William Noonan, deputy special agent of Cyber Operations for the US Secret Service, speaking at a Verizon RISK Team event during the RSA Conference in San Francisco.
Paying the ransom feeds the problem.
One reason to pay
Each of the above arguments is perfectly valid. But there is a compelling reason why many wind up paying: They need their files back. They don't have a choice.
When ransomware hits all the case files at a police department, there’s no time to wait for someone to try to break the encryption and recover the files. When active investigations are pending, restoring from back-ups may take too long. Set aside the should-haves and could-haves — if the organisation did not have a sufficiently robust backup strategy in place to restore the files (or the back-ups got corrupted, too), preaching about the importance of prevention is extremely unhelpful.
Many victims may also decide to pay out of fear that if they do not, the attacker will cause more damage in retaliation.
Organisations that opt to pay are not alone. In a recent BitDefender study, half of the ransomware victims said they paid, and two-fifths of the respondents said they would pay if they were ever in that situation. Industry estimates suggest the CryptoWall gang has extorted more than $325 million (€293 million) from victims since June 2014.
An ounce of prevention
It cannot be stressed enough that regular, tested backups make it possible for organisations to recover from a ransomware infection without having to pay the criminals. A good backup strategy covers Linux, Mac OS X, and Windows. This is not a Windows-only problem, as ransomware has been found for all three operating systems. Mobile devices aren't immune, either. Think holistically across all platforms.
- Back up regularly, and keep a recent backup copy offsite and offline: Backing up to shared volumes doesn't work if they are mounted locally on the computer. Ransomware runs with the privileges of the logged-in user and encrypts everything that user can write, including mapped network shares and attached drives. After running a backup, unplug the USB drive (or otherwise disconnect the target) so that ransomware cannot also encrypt the backup copy. Regularly test the backup by actually restoring files from it, not just by checking that the job reported success. The aftermath of a ransomware infection is not the time to discover that critical files were not being stored or that jobs weren't being kicked off in a timely manner.
- Many ransomware attacks rely on malicious email attachments or links in spam emails: Make sure everyone, from rank-and-file employees and IT staff all the way to senior executives, knows the basics: Don't click on links without scrutinising the email to make sure it's legitimate; verify the message before opening a file attachment; and if the document asks to enable macros, don't do it. It might be a good idea to install Microsoft Office viewers so that files can be scrutinised without opening them in Word or Excel, which makes it harder for embedded macro code to execute.
- Keep all software updated: Many exploit kits rely on unpatched vulnerabilities in popular applications such as Microsoft Office, Internet Explorer, and Adobe Flash. Roll out those updates as soon as possible, and make it harder for attackers to push ransomware on to computers as part of a drive-by-download attack.
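As an added example that is not part of the original article, the following POSIX shell script implements the backup discipline described in the first item above: it archives a directory to a target that is meant to be attached only for the duration of the job, records a SHA-256 manifest of every file beside the archive, and then performs a real test restore into a scratch directory and compares every restored file against that manifest. A missing, extra or modified (for example, encrypted) file makes the verification fail, which is exactly the condition you want to learn about before an incident rather than after one. The directory names and the demo data are assumptions for illustration only; mounting and ejecting the offline target is site-specific and is left outside the script.

```shell
#!/bin/sh
# Added example, not from the article: a minimal backup job that writes an
# archive plus a SHA-256 manifest, then proves the archive restores cleanly.
# Directory names ("src", "usb") are assumptions for illustration only.
set -eu

# Print "sha256  ./path" for one file, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"
    fi
}

# Print a manifest line for every regular file under $1, in a fixed order,
# so that manifests of identical trees compare byte for byte.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
          sha256_of "$f"
      done )
}

# make_backup SRC DEST: archive SRC into DEST/backup-<UTC stamp>.tar.gz and
# record the manifest beside it. Prints the archive path. DEST stands for the
# removable or remote target that is attached only for the job; attaching and
# ejecting it is not done here.
make_backup() {
    src=$1
    dest=$2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/backup-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -C "$src" -czf "$archive" .
    hash_tree "$src" > "$archive.sha256"
    echo "$archive"
}

# verify_backup ARCHIVE: do a real test restore into a scratch directory and
# compare every restored file against the manifest written at backup time.
# Returns 0 only if every file is present and unchanged; a missing, extra or
# modified (for example, encrypted) file makes it return 1.
verify_backup() {
    archive=$1
    scratch=$(mktemp -d)
    tar -C "$scratch" -xzf "$archive"
    if hash_tree "$scratch" | cmp -s - "$archive.sha256"; then
        rm -rf "$scratch"
        echo "OK: $archive restores cleanly"
        return 0
    fi
    echo "FAIL: restored files differ from manifest for $archive" >&2
    hash_tree "$scratch" | diff - "$archive.sha256" >&2 || true
    rm -rf "$scratch"
    return 1
}

# Stand-alone demo on constructed data: run as `sh backup.sh demo`.
if [ "${1:-}" = "demo" ]; then
    work=$(mktemp -d)
    mkdir -p "$work/src/cases"
    printf 'case 1 notes\n' > "$work/src/cases/0001.txt"
    printf 'evidence index\n' > "$work/src/index.txt"
    archive=$(make_backup "$work/src" "$work/usb")
    verify_backup "$archive"
    rm -rf "$work"
fi
```

The manifest is deliberately written from the source tree, not from the archive, so a corrupt or truncated archive is caught at restore time; keeping the manifest with the archive on the offline target means an attacker who can reach the live system still cannot silently rewrite it. Run `verify_backup` on a schedule against the most recent archive and treat any non-zero exit as an incident in its own right.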
A pound of cure
Not paying ransom is the better decision, but organisations should not be ashamed of giving in to attackers’ demands. It is a complicated question, and each organisation should make the call most appropriate for its situation. But once paid, take precautions so that if another ransomware infection strikes, not paying at all becomes an easier choice to make.
Prevention pays off.
IDG News Service