Ransomware: To pay or not to pay?
PRESENTED BY E92PLUS and HEAT SOFTWARE
In the event a customer approaches you in the aftermath of a ransomware attack, should you advise them to stump up or not?
Security VARs and consultancies are increasingly finding themselves at the centre of a new conundrum faced by their customers, and one which has a moral dimension.
Some argue that paying cybercriminals to unlock data or IT systems they have frozen is immoral - and should even be made illegal.
But no lesser authority than the FBI reportedly advises corporate customers to pay up.
With opinion polarised, and ransomware seemingly now everywhere, what should resellers advise end users who seek their counsel in the aftermath of a ransomware attack? We asked several leading suppliers, as well as a specialist IT lawyer and a trade association, where they stood, and received an intriguing mix of responses.
DES WARD: NEVER PAY
Des Ward, information governance director at Innopsis, a public sector technology trade association, said resellers should always advise customers to hold firm:
"IT resellers should not recommend that they pay the ransom. Beyond the fact that it is a legal requirement with the Civil Contingencies Act for the public sector to ensure that business continuity management is in place (a requirement that is required by law to be devolved through their supply chain), there is no guarantee that the information will be returned. I have seen varying degrees of sophistication in terms of the ransomware used, and there is a chance that you can retrieve information from poorly created ransomware attacks.
"Also, once you pay, there is an increased chance that you will be subjected to further attacks. The best way to mitigate the risks of these attacks is to comply with legal obligations for BCM, implement backups and patch systems according to vendor timescales."
JAMES MILLER: DON'T PAY, IF YOU'RE A CORPORATE
James Miller, managing director of security VAR Foursys, said small businesses might be justified in paying the ransom, if the fee isn't too high. A 15-person firm paying a $300 Bitcoin ransom is unlikely to get in the press, and is a small price to pay if the cybercriminal gives back access to its system, he reasoned.
But Miller advised corporates to take a tougher stance:
"The situation is a lot different for high-profile corporate or public sector organisations. If the press were to find out that a university, hospital or large corporate paid a criminal gang money to gain access back to their computer systems, this would have a devastating PR effect, which in turn could have direct commercial repercussions of its own. Larger organisations tend to have more resource to deal with emergency situations like this as well, so in those situations the answer is almost always don't pay. But if there were secure offline up-to-date backups, this may not even be an issue."
MATT HAMPTON: DON'T PAY, IF YOU CAN HELP IT
Matt Hampton, CTO at security VAR Imerja, stressed that there are two types of ransomware, with the lock screen variety easier to remove than the sort that encrypts data. The latter type would make it "virtually impossible" to get back data without paying, he said:
"My first question to any organisation that has been hit would be how much the cost to the business would be of not recovering the data. This has to be weighed against the ransom, and the fact that they would be going against government guidance and may be even potentially supporting terrorist organisations by paying.
"There are situations where it can be argued that the only way the business can survive is by paying the ransom, but that should be the exception to the rule."
ANDY MAYLE: IT DEPENDS
Andy Mayle, chief operating officer at security VAR and MSP Armadillo, said the VAR's job is simply to provide counsel on how to minimise the financial impact of a ransomware attack on the customer.
In the event the customer has not backed up and their data cannot be restored quickly, the VAR must help them determine whether the potential costs that stem from spurning the attackers exceed the ransom itself, he said:
"No-one wants to give in to cyber-terrorists, but it's down to the business and how much they are going to lose.
"It may cost more to get it decrypted. You also have to make sure they've scanned their infrastructure to make sure they've detected and eradicated every piece of malware that might have instigated the ransomware. You then have to investigate how it came in in the first place. It also depends on how many systems are infected. It can be cheaper just to pay. If they phoned us up, it wouldn't be a quick conversation of pay or don't pay."
DAVID LANNIN: PAY
David Lannin, director of technology at IT security VAR Sapphire, said payment is normally the only realistic option for customers:
"I was at lunch with a guy from the FBI and he said their recommendation to corporate clients in the US is to pay up and get their data back. It's happened to some of our customers and we are seeing more of it. If you have a way to recover that data through an appropriate backup strategy, not paying is the right thing to do. But it's slightly idealistic to think the spread of malware can be stopped. It's one thing noticing it and another thing noticing it in time before it spreads around the network and potentially infects the systems and backup volumes as well."
DAI DAVIS: ALWAYS PAY
Technology lawyer Dai Davis pointed out that even some US police organisations, which have the resources of the FBI to draw on, have reportedly opted to pay after concluding that the few hundred dollars the ransom cost them was a lot cheaper than trying to decrypt the files.
The NSA allegedly spent $750m developing a machine that could break the encryption used by cybercriminals, but that machine is not commercially available, Davis added:
"Alternatively, you could wait five to 10 years to obtain your data back, by which time it is likely that the encryption technology used in today's ransomware could be broken using more commonly available decryption technologies that are likely to be then available.
"As a lawyer, from a practical perspective, I would have no hesitation to pay up, irrespective of the fact that in doing so you are encouraging the crime. It is an economic no-brainer if your business is unlucky enough to be hit. It goes without saying of course, that this is one area of computer security where, again, prevention is better than cure: take regular backup copies of your data, and don't load attachments where you are uncertain of the source."
Channel opportunity?
As Davis says, prevention is better than cure. Neil Langridge, marketing director at security distributor e92plus, said the clear and demonstrable costs end users incur from ransomware attacks could prompt more of them to invest in their cyber-defences.
"We've certainly seen a significant rise in ransomware this year, and not just in the industry marketing our products but in end users being compromised," Langridge said.
"Unlike enterprise-scale data theft where dwell time (before malware is discovered or the theft is realised) can be a matter of months and no trace is left, ransomware is clear - screen messages, data encrypted and a ticking countdown clock for payment. It not only makes data security more visible than any other malware, but puts a clear price (either the ransom or cleanup, recovery and restore costs) on not having effective measures in place."
Kevin Foster, testing services manager at MTI, said that firms burned once by ransomware attacks would do well to shore up security to stop being targeted again.
"If you have been caught out and hit once by a ransomware attack, you certainly don't want to go through the same experience again," he said. "Be sure to apply all relevant 'good security' clean-up procedures afterwards; investigate the root cause of the compromise; rebuild infected systems from scratch; conduct a broader security review and apply all recommended good security practice measures to prevent being a victim of this and similar attacks in the future."
Matt Walker, vice president of Northern Europe at HEAT Software, added: "Each organisation will have to decide whether to pay based on its own unique situation. The better solution, of course, is implementing the processes and technologies ahead of time to minimise the chances of data being held for ransom and to maximise the ability to recover quickly. Having a preventative strategy in place can save an enterprise from reputational and financial ruin. Maintaining up-to-date file backups, securing browsers and ensuring device software is up to date, all contribute to deescalating a business' ransomware threat risk."
Ransomware: Key facts
1989 - The year of the first known example of ransomware, the 'AIDS' Trojan
$300 - $1,000 - Average ransom demanded (InfoWorld)
$17,000 - Ransom paid by Hollywood Presbyterian Medical Center in Los Angeles to regain control of its IT system
$325m - Estimated damages sustained from CryptoWall 3 (Cyber Threat Alliance)
67.2% - Share of CryptoWall 3 infections delivered through phishing emails (Cyber Threat Alliance)
250,000 - Computers infected by Cryptolocker in its first two months (Dell SecureWorks)