Tuesday, April 30, 2019

Should you pay if your business is attacked by ransomware?


Cleveland Hopkins Airport flight information boards have been out of service since last Monday (story here). Yesterday, after paying contractors more than $750,000 to restore them, the City finally acknowledged the cause—a ransomware attack.

Ransomware is malicious software that encrypts a victim's files (or locks the machine outright) and then demands a ransom, usually payable within a set time, in exchange for the decryption key. If the ransom is not paid, the attacker typically threatens to delete the key, leaving the data permanently unrecoverable.

The best way to guard against ransomware is diligent cybersecurity hygiene. For starters: run security software; keep operating systems, applications and firmware patched; back up everything as often as practical, keep at least one copy offline or otherwise out of reach of a compromised account (ransomware will happily encrypt a backup drive that is mounted), and periodically test that you can actually restore from it; and beware of phishing emails and suspicious links.
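The precaution that decides whether you face the "should we pay?" question at all is a backup you have proven you can restore. The following is an added illustration, not code from the original post: it writes a few constructed sample files to a temporary directory, archives them, records a SHA-256 manifest, simulates a ransomware run that overwrites the live files and drops a ransom note, and then shows that the live copy fails verification while a restore from the archive passes. Real backups use other tooling; the manifest-and-test-restore step is the point.

```python
"""Added example: prove a backup restores cleanly before you need it.

All file names and contents below are constructed for the demonstration.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {
        str(path.relative_to(root)): sha256_file(path)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict:
    """Archive src into a gzipped tar and return the manifest taken at backup time."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def compare(expected: dict, actual: dict) -> list:
    """Return a sorted list of problems; an empty list means the trees match."""
    problems = []
    for name in sorted(expected):
        if name not in actual:
            problems.append(f"missing: {name}")
        elif actual[name] != expected[name]:
            problems.append(f"changed: {name}")
    for name in sorted(set(actual) - set(expected)):
        problems.append(f"extra: {name}")
    return problems


def verify_restore(archive: Path, manifest: dict, restore_dir: Path) -> list:
    """Restore the archive into a scratch directory and check it against the manifest."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    # Use the safer 'data' extraction filter where this Python version offers it.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r:gz") as tar:
        tar.extractall(restore_dir, **kwargs)
    return compare(manifest, build_manifest(restore_dir))


def simulate_ransomware(root: Path) -> None:
    """Stand-in for an attack: overwrite every file with noise and drop a ransom note."""
    for path in root.rglob("*"):
        if path.is_file():
            path.write_bytes(os.urandom(path.stat().st_size))
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.\n")


def demo() -> dict:
    """Run the whole drill and report problems found in the live tree and in the restore."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        live, archive, restore = base / "live", base / "backup.tgz", base / "restore"

        # Constructed sample data standing in for a small file server.
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "contract.txt").write_text("Terms and conditions\n")
        (live / "db.sqlite").write_bytes(bytes(range(256)) * 4)

        manifest = create_backup(live, archive)
        simulate_ransomware(live)

        return {
            "live": compare(manifest, build_manifest(live)),
            "restore": verify_restore(archive, manifest, restore),
        }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {'OK' if not problems else problems}")
```

The manifest should itself live with the offline copy, not on the server being backed up; if the attacker can rewrite the manifest they can make a poisoned backup look clean. Run the restore drill on a schedule, not just once.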

Despite all these precautions, ransomware attacks are reported to be growing about 350% a year, with 18% of them hitting the U.S. By one industry estimate, a business will fall victim to a ransomware attack every 14 seconds in 2019, at a total cost of $11.5 billion.

If you are a victim, the number one question you will ask is, “Should we pay the ransom?”

For many reasons I say (usually) no. And I’m not alone in my thinking. The FBI agrees with me. In its Ransomware Prevention and Response for CISOs, the agency warns as follows:

The best response is to not pay unless it is an absolute necessity and there is no other way to recover the hijacked files at all.

Why not pay the ransom?

  1. Cybercriminals will tag you as a mark and hit you again (and again, and again). The thieves don't want to waste their time targeting businesses that won't pay. And, while I've never trolled the dark web to look, I'm certain there exist databases one can buy that list companies that have paid and should be targeted for future attacks.

  2. There is no guarantee you will get your data back. Remember, you are dealing with criminals. Dishonesty is their best (worst) quality. How much faith do you have that they will treat you honestly and fairly and return your data? Indeed, according to one survey, of the 38.7% of victims who opted to pay the ransom, fewer than half recovered their files using the tools the attackers provided.

  3. You won’t learn your lesson. If you don’t feel the pain of a prolonged outage and what it takes to recover from it, you won’t take the proper and necessary steps to guard against it happening again.

  4. You help enable ransomware to continue. As long as companies pay the ransom, cybercriminals will keep using ransomware. If it ain't broke…

All these good reasons notwithstanding, there are just as many reasons why you might choose to pay. For starters, it might be your only option if you don't have a reliable backup. Or, it might be quicker to recover by paying the ransom than by restoring. It also might be less expensive to pay for the decryption key than to restore and recover (if you lack cyberinsurance to cover the expenses). Plus, any money you save you can reinvest in future security enhancements and protections.

Bottom line: downtime costs money. You can't afford to have your systems offline for a day or longer. If you suffer a ransomware attack, immediately invoke your Incident Response Plan (you have one of those, right?): isolate the affected systems so the infection cannot spread to other hosts or to your backups, preserve the ransom note and a sample of the encrypted files for the investigation, and involve your Cyber Incident Response Team, including your incident manager and lead investigator (typically from IT), communications and public relations, HR, and your lawyer. Time is money, and this will prove to be an expensive enough lesson.

* Photo by Christiaan Colen on Flickr