Ransomware is one of the biggest (IT) nightmares for organizations at the moment. Not surprisingly, you can no longer visit a news site without seeing reports about companies that have fallen victim and are suffering the consequences.
Author: Vincent Zeebregts, Regional Director Holland at Fortinet
According to a recent survey, as many as 85% of organizations are more concerned about a ransomware attack than about any other cyber threat. Any employee can unknowingly trigger a ransomware attack simply by clicking on a link or downloading a malicious file. In their desperation, organizations are quick to pay a ransom to regain access to their mission-critical data. However, this decision should be carefully considered.
It’s like thugs on the playground taking a student’s book bag and demanding his lunch money to get it back. Cybercriminals do the same to organizations after a successful ransomware attack: they hold sensitive information hostage by encrypting it. Unfortunately, they charge much more than lunch money.
For companies affected by ransomware, of course, much more is at stake. Their business continuity, or even the very survival of the business, depends on the cybercriminals’ decryption keys, which are needed to decrypt their data so that it can be used again. Yet the dilemmas of both types of victims are surprisingly similar.
Is it smart to pay a ransom?
When considering whether to pay the blackmailers, keep in mind in both cases that you may not get your bag or your decryption key back despite the payment. There is little reason to believe in the goodwill of cybercriminals. Instead of giving back the things (information) you would rather keep secret, the attackers could simply empty your ‘book bag’ onto the internet, where anyone with an internet connection can see and use the contents.
It is also quite possible that they hand your data over to another criminal, who can do whatever they want with it. In that case, paying the ransom will not solve your problem; it just makes you a lot poorer. Your organization may end up without both its book bag and its lunch money. And in the worst case, you get a reputation as easy prey: a source of funds that can easily and repeatedly be forced to pay.
The problems associated with paying ransom
No organization wants a reputation in the cybercriminal underworld as a source of funds. You might as well paint a target on your back. I understand the difficult situation that organizations find themselves in after a successful ransomware attack. Still, I recommend that you do not pay a ransom unless you are certain your business will otherwise go under. Paying ransom can lead to repeat victimization. You thereby encourage cybercriminals and fund their future attacks on your organization and on others.
Is it against the law to pay a ransom?
Victims of ransomware attacks who are pressed to pay a ransom to cybercriminals often wonder whether doing so is illegal. There is no law that prohibits it when an organization’s data and/or systems are held hostage. However, public authorities and security professionals strongly discourage giving in to blackmail in any form.
Organizations such as CISA, the NCSC, the FBI and HHS warn victims of ransomware attacks against paying ransom. Paying does not guarantee that they will actually regain access to their files. According to a bulletin from the Office of Foreign Assets Control (OFAC) at the US Treasury Department, paying could encourage cybercriminals to attack more organizations or to sell what they have taken, which others can then take advantage of. In addition, the ransom may be used to finance other illegal activities.
The role of the police
Unfortunately, the police’s digital forensics units have a huge workload and other priorities. This means there is a chance they will not be able to deploy their people in the way that suits your organization best. In addition, an investigation takes time: infected systems need to be analyzed carefully, while your organization is eager to restore all business processes. Nevertheless, the police can provide you with excellent support. However, this support should only be part of your organization’s incident response plan, not a replacement for it. That plan should involve management, the IT team, the information security team and the legal team.
If you are completely dependent on outside help after an attack, you have a problem: this is the approach for which the word “reactive” was invented. You need to do everything you can to avoid reaching the point where you are forced to pay a ransom. The best way to prevent this is to implement effective security mechanisms.
How to prevent ransomware attacks
You can increase protection against ransomware attacks by taking the following measures:
Learn more about proactive strategies for providing ransomware protection here.
What to do if you fall victim to a ransomware attack
Organizations can minimize the harmful effects of ransomware by acting quickly. The first step is to isolate the ransomware so that it cannot spread from one device to another over network connections.
To isolate the ransomware, take the infected system offline. Then disconnect all connections from that system to the network and to any other devices. By unplugging the system this way, you prevent the ransomware from spreading further. Network segmentation makes this process much easier and more efficient.
The next step is to find out what type of malware has infected your system. Ransomware is usually part of a broader attack. Knowing which malware is involved helps your incident response team find an appropriate solution; for example, decryption keys for certain ransomware variants have been released.
If it eventually happens …
No matter how many precautions you take, your business may still be hit by a ransomware attack. It is therefore important to have a data recovery program in place before a ransomware attack occurs. If automatic backups are made at several times of the day, data recovery after an attack will take your organization only a few hours. It does not matter whether you use cloud services or on-premises backup hardware. What matters most is that you can access the backup files from a non-contaminated device. Only then can you be sure of keeping the misery, however frightening, within limits, and of resuming business activities after a short time.