Categories
Computer & Network Security

7 Questions to Ask Before Deciding Whether to Pay a Ransomware Attacker

Intro

  • Ransomware is on the rise, owing to the pandemic. In 2020, ransomware exceeded $1.4 billion in the US alone, according to an estimate from Emsisoft.
  • Definition: When threat actors prevent a company from accessing their systems, network, or data until a demand is met.

7 Questions to Ask Before Deciding Whether To Pay a Ransomware Attacker

  • 1. & 2. Do You Have a Backup? Will it Work?
    • Today’s ransomware groups take backups into account. Even if you have backed up your critical files, it’s important to know the capabilities and functionality of your restoration services. If a threat actor has access to your backups, there is a good chance they will attempt to encrypt or even delete them. If you haven’t done so before and haven’t deeply investigated your capabilities, you won’t know how lengthy or difficult such a restore could be. You may also not understand whether there are backdoors in your restores or whether attackers have accessed any online backups.
  • 3. How Much Will the Ransom Really Cost You?
    • Many organizations wind up making the calculus that making the ransom payment is cheaper than losing data and/or business continuity. How badly does your company need the impacted system or the data stored on that system? if the machine is integral to business operation? There is also a cost to public perception and reputation. Paying ransoms may cast your organization in a negative light.
  • 4. Do I Call Law Enforcement?
    • Statistically speaking, law enforcement faces a low chance of catching ransomware groups. They also may not have the capacity to crack encryption or obtain decryption keys. However, that doesn’t mean there’s no utility to the act. One may reach out to law enforcement because it may be more likely the perpetrator will be caught, for the possibility that technical assistance from law enforcement may help, or because it helps show regulators and the public that you took all reasonable actions. It may also fulfil a requirement in cyber insurance coverage.
  • 5. Have You Considered the Risk of the Ransom Being Reneged?
    • Threat actors must maintain credibility in their claim that receiving the ransom payment will restore the victim’s systems. For the most part, that’s been the case, but further deception has occurred on more than a few occasions (Such as demanding another payment). Given that possibility, it’s in your interest to speak with ransomware experts about how your particular group has handled ransom payments.
  • 6. Have You Considered Law Enforcement Guidance?
    • Anyone who’s seen an action movie knows that the US doesn’t negotiate with terrorists. Perhaps surprisingly, the FBI doesn’t require or encourage not paying a ransom under any circumstances. What do they say?
      • “Whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers. Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup.”
  • 7. Can You Forstall The Attack on Your Own
    • Ransomware attackers use many of the same methods as typical attackers. It’s possible that there’s guidance out there that could help you resolve the hack on your own. 
      • The “no more ransom” project, a collaboration between European law enforcement and cybersecurity companies Kaspersky Lab and McAfee, offers decryption tools for more than 85 ransomware varieties.

Conclusion

  • Deciding to pay a ransom or not is a difficult question to answer. Ultimately, it should be an informed and calculated decision based on due diligence and support from internal and external parties. However, if we want to do our part to try and curb ransomware attacks, we should design our systems and protect our organizations such that paying the ransom is left as a last resort.