You’ve been hit by ransomware, should you pay?

April 2, 2019

Your first reaction when faced with potentially losing all your data in a ransomware attack is possibly to reach for your wallet, but is it the right thing to do?

From being the number one attack payload in 2017 according to numerous sources, including Verizon’s 2017 Data Breach Intelligence Report, ransomware seemingly hit a crossroads in 2018, with attacks decreasing in volume but increasing in sophistication.

While the actual attack numbers may have come down, reports suggest that the number of variants being pumped into the market has increased. Ransomware has split into two camps: commodity and targeted. The ransomware commodity producers, like those behind GlobeImposter, and ransomware-as-a-service platforms, like GandCrab, have turned their attention to focusing on volume and rapid iteration. This means that with so many new variants hitting the market, traditional signature-matching security solutions are struggling to keep up.

Meanwhile, targeted attackers have been zeroing in on carefully selected victims, turning their backs on the traditional mass distribution model in favour of something much more specific in the belief that they are more likely to pay out large sums. Their targets typically include businesses, healthcare organisations and local governments.

Perhaps the best-known current example of targeted ransomware is SamSam, which has been responsible for infecting a number of healthcare and local government organisations over the past 12 months. These targeted attacks have also been seen to use polymorphic techniques to bypass AV.

So, while Petya and WannaCry may be a thing of the past, we shouldn’t be tempted to start writing off ransomware. Furthermore, with hints that the cryptomining malware trend may be stalling, we could yet see ransomware returning to the mainstream.

But the big question here is: if you are unlucky enough to get hit, should you pay?

Understandably, very few companies have admitted to paying ransoms, because doing so also admits that their security failed and their network was compromised. This means actual data on whether you will genuinely get your files back if you pay up is sketchy, to say the least. There have, of course, been notable high-profile exceptions, such as in 2016 when a hospital in Hollywood hit the headlines for paying $17,000 to get back its critical files. In that case the criminals did indeed unlock the hospital’s files and normal service was quickly resumed.

In an ideal world, if you do pay, you will receive a decryption key once your ransom has been delivered to the cybercriminal’s cryptocurrency wallet. Enter the key where the ransomware prompts you to, and your data should be accessible once again.

Of course, as this is the criminal underworld we’re talking about, there is no guarantee that this will actually happen. There are plenty of stories of people who have paid and still lost their files. Effectively, if you pay a ransom you’re flipping a coin – ransomware comes with no guarantees.

So, if it’s such a big gamble why would you pay?

For one thing, the ransom is likely to be considerably less than the cost of employing a specialist recovery company to decrypt your data (and paying is also likely to have a higher success rate). Add to that the cost of business downtime and the resources needed to recover data, the cost of any lost data, the reputational damage, plus the possibility of compliance fines, and it becomes apparent that for many companies paying the ransom is very possibly the cheapest route to business continuity.

So, why wouldn’t you pay the ransom?

In short, because you should have a proper business continuity plan in place. This should include an effective data recovery strategy, a crucial part of which will be a solid backup and disaster recovery plan based around how long your business can stand to be offline (your RTO, or recovery time objective) and how much data you can genuinely afford to lose (your RPO, or recovery point objective).
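The RTO/RPO test above is one you can actually run against your backup inventory before an incident rather than after. The following is an added example, not code from the original article: it takes a constructed list of backup sets, the time at which the ransomware started encrypting, and the business's RPO and RTO, then works out which backups are still usable (taken before the compromise and held on an isolated copy the encrypting process could not reach, an assumption this example makes about what "usable" means), how much data would be lost, and whether the measured restore time fits inside the RTO. The backup timestamps, restore times and compromise time are all made up for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class Backup:
    taken_at: datetime
    isolated: bool        # offline/immutable copy the encrypting process could not reach
    restore_minutes: int  # restore time measured in a drill, not estimated


@dataclass
class Assessment:
    backup: Optional[Backup]           # newest usable backup, or None
    data_loss: Optional[timedelta]     # compromise time minus that backup's timestamp
    restore_time: Optional[timedelta]  # measured restore time for that backup
    meets_rpo: bool
    meets_rto: bool


def usable_backups(backups: List[Backup], compromise_at: datetime) -> List[Backup]:
    """Only backups taken before encryption began AND stored out of reach count.

    An online copy on a mapped share is assumed to have been encrypted too,
    so it is excluded regardless of how recent it is.
    """
    return [b for b in backups if b.isolated and b.taken_at < compromise_at]


def assess_recovery(backups: List[Backup], compromise_at: datetime,
                    rpo: timedelta, rto: timedelta) -> Assessment:
    """Compare the best available backup against the stated RPO and RTO."""
    candidates = usable_backups(backups, compromise_at)
    if not candidates:
        # Nothing to restore from: both objectives are missed by definition.
        return Assessment(None, None, None, False, False)
    best = max(candidates, key=lambda b: b.taken_at)
    data_loss = compromise_at - best.taken_at
    restore_time = timedelta(minutes=best.restore_minutes)
    return Assessment(best, data_loss, restore_time,
                      data_loss <= rpo, restore_time <= rto)


# Constructed sample inventory: nightly backups at 02:00, two of them shipped
# to isolated storage, the most recent one still sitting on an online share.
SAMPLE_BACKUPS = [
    Backup(datetime(2019, 3, 30, 2, 0), isolated=True, restore_minutes=360),
    Backup(datetime(2019, 3, 31, 2, 0), isolated=True, restore_minutes=360),
    Backup(datetime(2019, 4, 1, 2, 0), isolated=False, restore_minutes=120),
]
# Constructed compromise time: encryption started mid-afternoon on 1 April.
COMPROMISE_AT = datetime(2019, 4, 1, 14, 30)


def sample_assessment(rpo_hours: float = 24, rto_hours: float = 8) -> Assessment:
    """Run the assessment on the constructed data with the given objectives."""
    return assess_recovery(SAMPLE_BACKUPS, COMPROMISE_AT,
                           timedelta(hours=rpo_hours), timedelta(hours=rto_hours))


if __name__ == "__main__":
    result = sample_assessment()
    if result.backup is None:
        print("No usable backup: recovery plan has failed outright")
    else:
        print(f"Newest usable backup: {result.backup.taken_at}")
        print(f"Data loss window:     {result.data_loss}  (meets RPO: {result.meets_rpo})")
        print(f"Restore time:         {result.restore_time}  (meets RTO: {result.meets_rto})")
```

With the sample data the newest backup is unusable because it sat on an online share, so the recovery point falls back to 31 March and the loss window is 36 hours 30 minutes, which breaks a 24-hour RPO even though the six-hour restore comfortably meets an eight-hour RTO. That is exactly the gap a plan review should surface: the schedule looked fine on paper, but only the copies the attacker cannot reach count.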

However, if you have managed to miss this critical part of modern business, all hope is not lost.

There are plenty of resources online that offer free decryption tools, such as the No More Ransom project, which means you could still get your files back without having to pay the ransom. If you are unsure of the particular variant that has encrypted your data, there’s even a ‘Crypto Sheriff’ tool that can determine that for you from the encrypted files themselves.

So, in short, you should only think about paying a ransom once you have exhausted all other data recovery options and it is your last possible resort. At that point it is an option you must consider, especially if the ransom is a lot less than the cost of losing and recovering your data.

Just remember that it’s still a gamble, and there ultimately is no substitute for having a robust continuity plan in place.