We are in the midst of a global pandemic. This scourge is easily transmitted, and infections are difficult to eradicate. It learns from our defenses and then mutates into new variants. It comes in various forms, with exotic names such as Sodinokibi, GandCrab and Ryuk. Sometimes its effects are mild, but in many cases it can cause extreme disruption and panic and has devastating consequences. But this plague, also known as ransomware, can’t be treated with a vaccine or avoided by wearing masks or washing hands.
So how bad is this pestilence? Ransomware has infected government entities, large corporations, healthcare providers, universities and businesses of all types and sizes. And the ransom amounts paid have only been increasing.
According to a company that negotiates ransom payments for victims, attackers at the end of 2019 collected more than double the ransom amounts paid earlier in the year – with the high end at $780,000 and the low end at $1,500. The average payment is now $84,116, and organizations had on average 16 days of downtime (up from about 12 days). And the publicly available information, mostly relating to government entities, shows payments in 2019 of $500,000 by one Florida city, $600,000 by another and $400,000 by a Georgia county. In many instances, private entities have received demands of over $1 million.
The question clients always ask us (whether before or during an attack) is “should we pay a ransom?” No one wants to support criminal activity or feel like they let the bad guys “win.” The issues raised can be ethical or moral – are we encouraging the proliferation of these attacks by paying a ransom? After all, wouldn’t these attacks stop if they weren’t successful in extracting payments from victims?
After Baltimore was shut down due to ransomware, Mayor Bernard C. Young said this:
“Why don’t we just pay the ransom? I know a lot of residents have been saying we should’ve just paid the ransom or asking why we don’t pay the ransom.
Well, first, we’ve been advised by both the FBI and Secret Service not to pay the ransom. Second, that’s just not the way we operate. We won’t reward criminal behavior.
If we paid the ransom, there is no guarantee they can or will unlock our system.
There’s no way of tracking the payment or even being able to confirm who we are paying the money to. Because of the way they requested the payment, there’s no way of knowing if they are leaving other malware on our system to hold us for ransom again in the future.
Ultimately, we would still have to take all the steps we have taken to ensure a safe and secure environment. I’m confident we have taken the best course of action.”
Is the mayor right? The fear of paying for a decryption tool and not receiving it (or of it failing to decrypt the files), while not unreasonable, is likely overblown. According to industry experts, about 98% of victims who paid received a decryption tool, and a similarly high percentage of those tools then worked to decrypt the data. A working decryptor does not, however, answer the mayor's other point: whatever access or additional malware the attackers left behind still has to be found and removed, and that cleanup is required whether or not a ransom is paid.
And what does law enforcement say? The FBI’s latest public service announcement on ransomware, released Oct. 2, 2019, notes that the FBI “does not advocate paying a ransom.” Significantly, in a departure from prior statements on the subject, the FBI also stated: “However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
Translation – this is a business decision, and the FBI now acknowledges that reality. In fact, businesses need to weigh the viability of backups, the costs of downtime, what data is encrypted, the speed of recovery from backups vs. decryption and various other business issues (e.g., making payroll, meeting customer expectations, satisfying shareholders and other stakeholders) in making the decision to pay a ransom. This is rarely a purely ethical/moral decision – particularly when your business can’t function otherwise, and your backups were also encrypted or destroyed by the attack. It is a rare CEO who would choose to let their business be crippled in order to avoid paying cybercriminals.
Of course, prevention is always the best medicine. Among the steps to take to avoid this quandary are:
- Regularly back up data and verify the backups work by actually restoring from them, not just by checking that the backup job completed.
- Store backups off-site and offline (or otherwise isolated from the production network), so that an attacker who gets into the network cannot encrypt the backups along with everything else.
- Train users to recognize phishing emails and other threats.
- Keep your systems patched and up to date.
- Deploy endpoint protection, including appropriate anti-virus and anti-malware solutions, and keep it updated.
- Use multifactor authentication, particularly for remote access and administrative accounts.
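The first two steps above are the ones that decide whether a ransom demand is even a question. As an added example (not code from the original article or any product it mentions), the script below makes a backup, records a SHA-256 manifest of every file at backup time, and then verifies the backup the only way that counts: it restores the archive into a scratch directory and compares the restored files against the manifest. The sample data tree, file names and the "tampered" archive are all constructed inline so the script runs offline; the second half of `demo()` overwrites one backed-up file with random bytes, which is what a backup that was reachable from a compromised network looks like after the attackers encrypt it.

```python
"""Back up a directory, record a SHA-256 manifest, and verify the backup by
restoring it and comparing every file against the manifest.

Added example for this article; the sample tree and the tampering step are
constructed here and are not from the original text.
"""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def manifest_path(archive: Path) -> Path:
    return Path(str(archive) + ".manifest.json")


def create_backup(source: Path, archive: Path) -> dict[str, str]:
    """Write a gzip tarball of source plus a sidecar manifest of file hashes."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(source, arcname="data")
    manifest_path(archive).write_text(json.dumps(manifest, indent=2))
    return manifest


def safe_extract(tar: tarfile.TarFile, dest: Path) -> None:
    """Extract, refusing any member that would land outside dest
    (path traversal in a crafted or corrupted archive)."""
    dest = dest.resolve()
    for member in tar.getmembers():
        target = (dest / member.name).resolve()
        if target != dest and dest not in target.parents:
            raise ValueError(f"unsafe path in archive: {member.name}")
    tar.extractall(dest)


def verify_backup(archive: Path) -> list[str]:
    """Restore the archive into a scratch directory and return the list of
    problems found (missing, altered or unexpected files). An empty list
    means the backup restores and matches what was recorded at backup time."""
    manifest = json.loads(manifest_path(archive).read_text())
    problems: list[str] = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            safe_extract(tar, Path(scratch))
        actual = build_manifest(Path(scratch) / "data")
        for rel, digest in manifest.items():
            if rel not in actual:
                problems.append(f"missing after restore: {rel}")
            elif actual[rel] != digest:
                problems.append(f"hash mismatch after restore: {rel}")
        for rel in actual:
            if rel not in manifest:
                problems.append(f"unexpected file in backup: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: back up a small tree and verify it, then replace
    one backed-up file with random bytes (as ransomware that reaches an
    online backup would) while keeping the original manifest, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "src"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "payroll.csv").write_text("id,amount\n1,1000\n")
        (src / "readme.txt").write_text("constructed sample data\n")
        archive = root / "backup.tar.gz"
        create_backup(src, archive)
        clean = verify_backup(archive)

        (src / "finance" / "payroll.csv").write_bytes(os.urandom(32))
        with tarfile.open(archive, "w:gz") as tar:  # manifest deliberately left as-is
            tar.add(src, arcname="data")
        tampered = verify_backup(archive)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean backup problems:", clean)
    print("tampered backup problems:", tampered)
```

Two practical notes. Run the verification against the off-site copy, not the copy sitting next to production, since a restore test of a backup the attacker could reach proves nothing about what you will have after an attack. And keep the manifest (or at least a copy of it) with the isolated backup rather than beside the live data: if the attackers can rewrite the archive, they can rewrite a manifest that sits in the same place, and the check above then passes on encrypted garbage.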
Hopefully you will never be faced with this tough decision to pay or not pay. But ransomware is a lucrative business, and no one is immune to this plague.