Ransomware attacks put the victim under pressure to give up large sums of money.
When British rock band Radiohead were targeted by cybercriminals demanding a $150,000 ransom to not leak 18 hours of unreleased music on the internet, the group chose to call the criminals’ bluff. Not only did Radiohead refuse to pay the ransom, but they released the music themselves at a nominal price, thus defusing the criminals’ threat.
The Radiohead case is unusual, but it reflects a dilemma facing the growing number of organisations whose data has been held to ransom in so-called ransomware attacks.
According to cybersecurity firm Malwarebytes, ransomware has gained rapid momentum among businesses with an increase of 195% in detections from Q4 2018 to Q1 2019.
Unfortunately, most victims of ransomware attacks lack the sangfroid shown by Radiohead. They are understandably frightened. They panic when they see the tell-tale message on their computer screens telling them that all their important files have been encrypted, and that they must pay a ransom to get the decryption keys to unlock the affected files.
The temptation to pay up is strong, particularly if the files contain confidential business information or customer data that the organisation is legally obliged to keep safe. Paying does not undo the breach, though, if the data was also copied out of the network before it was encrypted.
The perpetrators of ransomware attacks are increasingly targeting organisations instead of individuals. Organisations have much more to lose if business-critical data is inaccessible or employees are idled for several days while an organisation tries to recover from the attack.
When paying up makes sense
Coveware, a US firm specialised in helping organisations combat ransomware, says the average downtime due to a ransomware attack is 7.3 days. The cost of this lost productivity and lost sales may be five or ten times greater than the ransom amount demanded by the cybercriminals.
For that reason, consultants say it may make sense to immediately pay the ransom. This gets the company back on its feet as soon as possible, no matter how unpalatable such a decision may be from a moral point of view.
Slow to recover
Even if a business thinks it is well prepared with backups of all important data and a contingency plan, recovering from a ransomware attack is complicated.
Josh Zelonis, senior analyst at Forrester Research, says: “Organisations significantly underestimate the scale of disruption they need to plan for or make too many assumptions about what functionality will continue to exist after an attack.”
One organisation that chose to tough it out and not give in to the criminals’ demands is the US city of Baltimore. Around 10,000 of the city’s computers became unusable in early May 2019 when they were infected with the RobinHood ransomware. The mayor announced that he would not pay the ransom of 13 bitcoins. Ransoms are often demanded in cryptocurrency because such payments are harder to trace back to the criminals.
A mammoth recovery operation went into action to get the city’s computers functioning again, but it was an expensive and slow process. A month later, only one third of the city’s employees were back online with new credentials. Many of the city’s payment processes had to be done manually.
It is estimated that the disruption cost Baltimore a total of $18m. Had the mayor paid the ransom, it would have only cost the city around $100,000.
Of course, paying the ransom encourages the criminals to repeat their attacks, possibly against the same organisation. Nor is there any guarantee that the decryption keys supplied after payment will work: according to Coveware, the proportion of paying victims who successfully recover their data ranges from close to 100% for some ransomware families down to about 80% for others.
According to Forrester Research, the decision of whether to pay or not ultimately comes down to an organisation’s dispassionate assessment of the costs and consequences.
How to prevent ransomware attacks
As with other types of malware, the best way to minimise infection is to ensure that the software on your organisation’s computers is kept up to date with security fixes and patches.
Ransomware is commonly distributed by email, so all incoming mail must be scanned for ransomware along with other threats, and employees need to be educated not to open attachments or click links in unexpected or unusual-looking emails. It is also good practice for IT departments to block executable and script attachments at the mail gateway and to prevent most users from running scripts or Office macros that arrive by email, since opening such an attachment is usually what launches the infection.
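The attachment rules described above, as an added example that is not part of the original article or of any particular mail product: a small Python gateway check that parses a message, holds attachments whose names match a deny list of executable and script extensions or macro-enabled Office formats, flags decoy double extensions such as invoice.pdf.js, and looks inside zip archives by member name without extracting them. The deny lists and the sample message are constructed for the example and should be tuned to your own environment.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Deny lists are an assumption for this example; tune them to your environment.
BLOCKED_EXTENSIONS = {
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk", ".iso",
}
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".txt", ".jpg", ".png"}


def _extension(name):
    name = (name or "").lower()
    return name[name.rfind("."):] if "." in name else ""


def _name_reasons(name):
    """Name-based rules only, so the same rules apply to archive members."""
    reasons = []
    ext = _extension(name)
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if ext in MACRO_EXTENSIONS:
        reasons.append(f"macro-enabled Office document {ext}")
    parts = (name or "").lower().split(".")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append("double extension")  # e.g. invoice.pdf.js
    return reasons


def check_attachment(filename, data):
    """Return the reasons this attachment should be held, or [] if it passes."""
    reasons = _name_reasons(filename)
    if _extension(filename) == ".zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Only member names are inspected; nothing is extracted, so
                # password-protected and oversized archives still get a verdict.
                for member in zf.namelist():
                    reasons.extend(f"archive member {member}: {r}"
                                   for r in _name_reasons(member))
        except zipfile.BadZipFile:
            reasons.append("unreadable zip archive")
    return reasons


def check_message(raw_bytes):
    """Parse an RFC 5322 message; return {attachment name: [reasons]} for held parts."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = check_attachment(name, data)
        if reasons:
            findings[name] = reasons
    return findings


def build_sample_message():
    """Constructed message for demonstration; not a real phishing sample."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"
    msg["To"] = "finance@example.invalid"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf.js", "// constructed stand-in for a script dropper")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="invoice.zip")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="statement.pdf")
    msg.add_attachment(b"constructed placeholder", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="terms.docm")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, reasons in check_message(build_sample_message()).items():
        print(name, "->", "; ".join(reasons))
```

A name-based check like this is deliberately cheap and sits in front of, not instead of, the content scanning the paragraph calls for; its value is that it removes the whole class of "click to run" attachments before a user ever sees them.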
Being able to avoid infection in the first place is clearly preferable, but organisations should also be prepared to minimise the damage from a ransomware attack that does succeed.
How to prepare to combat ransomware
The overriding aim should be to make it as difficult as possible for ransomware to spread easily on the company’s network.
The key here is to identify the most valuable data in your organisation: personally identifiable customer information, intellectual property or financial records, for example. Then restrict access to solely those users who really need to use that information, and give them no more rights than their work requires, so that ransomware running under a compromised account can only encrypt what that account is able to write to. This principle is known as “least privilege”.
Next, sensitive data should be segmented on the network. A separate database or server with additional security should be used if necessary. For example, users who want to access the company’s financial information might be required to use multi-factor authentication.
Finally, all data that you cannot afford to lose access to should be backed up so that there is always a recent copy. Store the duplicate on a different computer, in the cloud or on removable media, and make sure at least one copy cannot be overwritten from an infected machine: a backup share that every workstation can write to will simply be encrypted along with everything else. Test that the backups can actually be restored; an untested backup is not a recovery plan.
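The backup step above, as an added example that is not from the original article or from any backup product: a Python script that takes a snapshot of a directory into a fresh, read-only copy with a SHA-256 manifest, verifies a snapshot against that manifest, and refuses to restore one that no longer matches. The demo then simulates ransomware rewriting a backup file it can reach and shows that verification catches it. Read-only file permissions are used here as a weak stand-in for the offline or immutable storage the paragraph recommends; the sample data and directory layout are constructed for the example.

```python
import hashlib
import shutil
import stat
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_snapshot(source, backup_root, label=None):
    """Copy `source` into a new snapshot directory, mark every copied file
    read-only and write a SHA-256 manifest beside the data. Returns the path."""
    snap = Path(backup_root) / (label or time.strftime("%Y%m%dT%H%M%S"))
    if snap.exists():
        raise FileExistsError(f"snapshot already exists: {snap}")
    data_dir = snap / "data"
    shutil.copytree(source, data_dir)
    lines = []
    for p in sorted(data_dir.rglob("*")):
        if p.is_file():
            lines.append(f"{sha256_file(p)}  {p.relative_to(data_dir).as_posix()}")
            p.chmod(stat.S_IREAD)  # read-only: a weak stand-in for real immutability
    (snap / "MANIFEST.sha256").write_text("\n".join(lines) + "\n")
    return snap


def verify_snapshot(snap):
    """Recompute digests and compare with the manifest.
    Returns (ok, problems); problems lists missing or modified files."""
    snap = Path(snap)
    problems = []
    for line in (snap / "MANIFEST.sha256").read_text().splitlines():
        digest, rel = line.split("  ", 1)
        p = snap / "data" / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    return (not problems, problems)


def restore_snapshot(snap, target):
    """Restore a snapshot to `target`, refusing if it fails verification."""
    ok, problems = verify_snapshot(snap)
    if not ok:
        raise RuntimeError("snapshot fails verification: " + "; ".join(problems))
    target = Path(target)
    shutil.copytree(Path(snap) / "data", target)
    for p in target.rglob("*"):
        if p.is_file():
            p.chmod(stat.S_IREAD | stat.S_IWRITE)  # restored copies are writable again
    return target


def run_demo():
    """Constructed walk-through: back up, restore, then simulate ransomware
    rewriting a backup file it can reach and check that verification notices."""
    tmp = Path(tempfile.mkdtemp(prefix="backup_demo_"))
    src = tmp / "share"
    (src / "sub").mkdir(parents=True)
    (src / "ledger.csv").write_text("id,amount\n1,10\n")          # constructed data
    (src / "sub" / "notes.txt").write_text("constructed sample data\n")

    snap = make_snapshot(src, tmp / "backups", label="snap1")
    ok_before, _ = verify_snapshot(snap)
    restored = restore_snapshot(snap, tmp / "restore1")
    restored_text = (restored / "ledger.csv").read_text()

    victim = snap / "data" / "ledger.csv"
    victim.chmod(stat.S_IREAD | stat.S_IWRITE)  # the attacker has write access here
    victim.write_bytes(b"\x00\x17 ciphertext stand-in")
    ok_after, problems = verify_snapshot(snap)
    return {"ok_before": ok_before, "restored_text": restored_text,
            "ok_after": ok_after, "problems": problems}


if __name__ == "__main__":
    print(run_demo())
```

The point of the manifest is that it answers the question "is this backup still the one we made?" before a restore is attempted; in production the manifest and at least one snapshot copy should live somewhere the ordinary backup account cannot write, otherwise the attacker can rewrite both.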
If the worst does happen and your organisation is hit by a ransomware attack, disconnect the affected machines from the network to stop the infection spreading, then try to identify the ransomware. Websites such as ID Ransomware and Nomoreransom.org can do this from a copy of the ransom note and a sample encrypted file, and will tell you whether a decryption tool is available in the public domain. If one is, you may be able to decrypt the affected data without paying the ransom.
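Collecting the indicators that an identification service asks for, as an added example that is not from the original article or from either of the services it names: a Python triage script that walks an affected directory, finds probable ransom notes by filename, works out which file extension the ransomware appended most often, and measures the entropy and header bytes of one sample so you can hand over a note, an extension and a sample without guessing. The note-name markers, the entropy threshold and the directory it builds for the demo are constructed assumptions; high entropy alone is not proof of encryption, since archives and media files are also close to 8 bits per byte.

```python
import hashlib
import math
import tempfile
from collections import Counter
from pathlib import Path

# Ransom notes are usually dropped as text or HTML files with names like these
# (assumed marker list; extend it as needed).
NOTE_MARKERS = ("decrypt", "restore", "recover", "readme", "how_to", "how-to", "ransom")
NOTE_SUFFIXES = {".txt", ".html", ".htm", ".hta"}
SAMPLE_BYTES = 4096
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for "looks encrypted"


def shannon_entropy(data):
    """Bits per byte of `data`; encrypted or compressed data is close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_directory(root):
    """Summarise what an identification service needs from an affected tree."""
    root = Path(root)
    ext_counter = Counter()
    notes, first_file_by_ext = [], {}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        ext = p.suffix.lower()
        if ext in NOTE_SUFFIXES and any(m in p.name.lower() for m in NOTE_MARKERS):
            notes.append(p.relative_to(root).as_posix())
            continue
        ext_counter[ext] += 1
        first_file_by_ext.setdefault(ext, p)
    result = {"ransom_notes": sorted(notes), "dominant_extension": None,
              "dominant_share": 0.0, "sample_file": None, "sample_entropy": 0.0,
              "sample_header_hex": "", "looks_encrypted": False}
    if not ext_counter:
        return result
    ext, count = ext_counter.most_common(1)[0]
    sample = first_file_by_ext[ext]
    head = sample.read_bytes()[:SAMPLE_BYTES]
    result.update({
        "dominant_extension": ext,
        "dominant_share": count / sum(ext_counter.values()),
        "sample_file": sample.relative_to(root).as_posix(),
        "sample_entropy": round(shannon_entropy(head), 3),
        "sample_header_hex": head[:16].hex(),
    })
    # Both signals together: one extension dominating the tree and a sample
    # whose content is statistically indistinguishable from random bytes.
    result["looks_encrypted"] = (result["sample_entropy"] > ENTROPY_THRESHOLD
                                 and result["dominant_share"] > 0.5)
    return result


def build_constructed_sample():
    """Constructed directory imitating an encrypted share; no real malware involved."""
    root = Path(tempfile.mkdtemp(prefix="triage_"))
    # Deterministic pseudo-random bytes stand in for ciphertext.
    noise = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
    (root / "finance").mkdir()
    (root / "finance" / "ledger.xlsx.locked").write_bytes(noise)
    (root / "report.docx.locked").write_bytes(noise[::-1])
    (root / "HOW_TO_DECRYPT.txt").write_text(
        "Your files are encrypted. Contact the address in this note. (constructed)\n")
    (root / "notes.md").write_text("plain text the malware skipped\n" * 20)
    return root


def run_demo():
    return triage_directory(build_constructed_sample())


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it against a copy of the affected share rather than the live machine, and keep the original ransom note and sample untouched: they are also the evidence an incident responder will want later.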