Ransomware: Should you pay up?
The incentives of hackers are straightforward — they’re looking for a big payday — but it’s less clear whether their victims should cooperate.
The use of ransomware has spiked in recent years: Roughly 40 percent of all spam emails in 2016 contained ransomware, according to a recent IBM Security study.
Part of the reason is simply that it works: Nearly 70 percent of business victims surveyed by IBM said they paid hackers to recover data.
“It’s very simple in my mind,” said Michael Duff, the CISO for Stanford University, on a ransomware panel at the RSA Conference in San Francisco on Monday. “If you’re not able to reconstitute a system in the timeframe you need, and you need it up and running, pay the ransom.”
Neil Jenkins, of the Homeland Security Department’s Enterprise Performance Management Office (EPMO), said, “From the US government perspective, we definitely discourage the payment of ransom.”
“From a national perspective… paying ransom encourages the business model,” he said. “The reason this has become such a popular thing to do is they’re actually making money off of this.”
He acknowledged that different entities have different levels of risk tolerance. Stanford, for instance, is primarily a health care organization in terms of revenue, so it can’t afford to lose access to its assets for very long.
Even so, Jenkins argued, “Paying a ransom is not a guarantee you’re going to get access back to the system… that they’re not going to demand more money on top of that. We know of cases where folks have paid the ransom and then been targeted again.”
Duff countered that adversaries have an incentive to return stolen data after the ransom’s been paid, so their so-called business model doesn’t lose credibility. “If you know for a fact if you pay, you won’t get your key back, no one’s going to pay,” he said.
If anything, “you’re basically paying a bug bounty,” Duff argued. “They’ve exposed a weakness in your security… If they didn’t do it, someone else would have.”
Given that bad actors have incentives to keep their word, Gal Shpantzer, CEO of Security Outliers, said that there’s room to “start negotiating with your friends on the other side.”
More importantly, all three stressed steps businesses can take to prepare for ransomware attacks:
- Have a bitcoin account ready.
“It’s now currency, it is real money,” Shpantzer said — and it can take up valuable time to line it up if it’s not done in advance. “Be smart and have people who do this for a living ready to help on speed dial. But also — prevent, prevent, prevent.”
- Prevention starts with backing up.
All organizations should be thinking about best practices and practicing resilience, Jenkins said.
Within the federal government, the majority of attempted ransomware attacks have started with an infected end-user workstation — which makes for a clear-cut cleanup if there are backup systems in place.
“You just take those systems offline, get that person a new computer, they’re good to go,” he said.
Along with having offline backup systems, he said, organizations should have incident response plans, conduct cyber risk assessments, regularly patch vulnerabilities, and conduct penetration testing on a regular basis.
- Know where your assets are.
“If you have stuff on the internet and you’re a developer or a small company that’s pre series A… If you want to make it to Q2, you need to think about what exactly are my developers putting on the internet,” Shpantzer warned. He noted the “great Mongo massacre” of January 2017 — tens of thousands of MongoDB databases left open to the internet were hit by online extortionists.
“Be aware of… where are my assets,” he said. “If you don’t know, our friends from the ransomware community will tell you.”
- Read the fine print of your cyber insurance.
One projection expects the market for ransomware to grow from $8.16 billion in 2016 to $17.36 billion by 2021, and cyber insurance is definitely a worthwhile consideration, especially for smaller organizations. Just be sure to “read the fine print,” Shpantzer said.