Ransomware outbreaks dominated cybersecurity headlines throughout 2017, with thousands of companies, big and small, being affected and paying hundreds to thousands of dollars to faceless attackers. Ransomware infects computer systems through various means, much like other malware, and encrypts data on individual computers or across entire networks. Companies are typically confronted with a message and instructions to pay the attackers a set amount, usually in a cryptocurrency such as Bitcoin. The worst part is that, in many cases, businesses that paid up were either attacked again or could never recover their data.
The reality with ransomware is that you can't trust the attackers to keep their word. They have no incentive to let you off the hook just for paying the ransom. Never receiving the decryption key to your files is a common outcome of paying ransomware fees, since the attackers only ever intended to take your money and run. The other outcome is that you receive the decryption key after paying, but make no mistake, paying the ransom paints a big target on your back. Even after upgrading and improving your security immediately after an attack, you'll be under siege by attackers who now know you as an entity that's willing to pay.
Commonly, companies will pay the ransom because the fee is inexpensive compared to what the downtime or loss of their system would cost them. Other times, companies pay the ransom to avoid public embarrassment and sweep the incident under the rug. While paying is strongly discouraged, the decision of whether to pay the ransom isn't a black-and-white issue, and many businesses may be in a position where they have no choice but to pay.
However, even considering paying the ransom should be a last resort. It's up to company leadership to run a risk management plan that determines whether paying the ransom is the only course, or whether refusing to pay and rebooting the entire system is doable. That will depend on the complexity of the company and how vital the data is to operations.
The only time that paying should be an immediate consideration is in critical situations such as possible loss of human life, which is a potential scenario for healthcare institutions. Sometimes the attacker's demands are time-sensitive, which puts extra pressure on companies to act quickly.
When you suspect you're under attack by ransomware, there are some key steps to take. First, isolate the affected computers from the rest of your network. Sometimes this means literally pulling the plug on the affected machines. Ransomware encryption isn't instant, so there may be time to stop it from spreading across your network if you act quickly.
Next, you should report it to the authorities, namely the FBI's Internet Crime Complaint Center, according to Jack Plaxe, managing director of the Security Consulting Alliance. When you report ransomware within 72 hours, law enforcement agencies have a better chance of helping you respond and gather evidence. While you may prefer to keep the problem behind closed doors, law enforcement can offer invaluable help, including decryption solutions.
Some attackers use older ransomware scripts that have already been cracked. There are several sources online where you can find decryption keys for known ransomware, including ID Ransomware, Avast and Kaspersky.
If the locked data in question consists of your customers' personal information, then it's ethical to inform them as soon as possible and keep them updated on the situation. While locking you out of your data, plenty of ransomware variants open a backdoor for the attackers to take your data, allowing them to sell it or use it for their own purposes. Keeping your clientele informed gives them a chance to take their own precautions, such as changing passwords and closing certain accounts, and can help you avoid legal trouble down the road.
As in all cases of malware, the best solutions to ransomware are preventative. A robust backup of your system and a well-thought-out recovery plan are essential for any business that deals with vital data. Restricting the use of administrative rights can make it tougher for attackers to reach the controls they need to make their encryption successful. There are also some forms of cyber-insurance you can apply for that cover extortion cases.
Unless life is at stake, paying ransomware attackers shouldn't be the first decision on the table. These cases of extortion are crimes that need to be reported to the authorities and not considered clear-cut problems that can go away with a little Bitcoin. Criminals continue to deploy ransomware because it clearly works in their favor. A study by Google, UC San Diego and New York University estimated that more than $25 million was paid out to attackers in the span of two years.