Your data has been encrypted. It’s out of reach. A cyber criminal is demanding ransom in return for decrypting your data.
Do you do it? If you don’t have backups in place, there’s no good answer.
Ransomware attacks are one of the biggest cyber threats facing businesses today. Fueled by 2017’s WannaCry and Petya attacks, overall ransomware infections are on the rise. The effects can be devastating to organisations’ bottom lines. From business interruption to reputational damage, to clean-up costs, it’s an uncomfortable situation to navigate.
Many risk managers are turning to special consultants to help.
The first word of warning given by one such consultant, Winston Krone, computer forensics expert and global managing director at Kivu consulting? That it may not be a very good idea to negotiate a ransom.
The average ransom demand in 2017 was just over US$500, according to Symantec. But some businesses have paid much more. Last year, South Korean web hosting firm Nayana reported paying a whopping US$1m in ransom.
But it usually doesn’t get to that point.
“The vast majority of ransomware events don’t result in clients having to pay ransom,” says Krone.
Only 34% of ransomware attacks end in payment, according to research from the Norton Cyber Insight team. Instead, companies are either able to recover their data using backups, or they allow the encrypted data to die.
“In the vast majority, the company is able to repair from backups,” Krone says. “Or, what they find is that the data that’s been encrypted is unnecessary for the application.”
The first thing Krone and his team do when they are brought into an event is to interface with everyone from the C-Suite to IT to assess the situation. “There are a lot of confusing parts to this,” he says. “We will assist IT to determine if backups really exist, and then we’ll look at the particular variant and the attacker.” After working on hundreds of cases, Krone’s team often knows the perpetrator and the type of people they’re dealing with.
In ransomware events, companies negotiating a ransom always run the risk that some of the encrypted data was permanently destroyed during the attack, and even if they pay the ransom, decryption will be physically impossible. “We provide the reality check,” says Krone. “We look at the attacker and the malware and assess whether the encryption process broke the data.”
Another point to give risk managers pause is that a demand for ransom is often just the tip of the iceberg. “We know from experience that ransom events are often the end of a large attack. It could be a cover up of what’s really happening,” says Krone. “Risk managers have to understand that even if they can recover from backups, not doing at least some form of post mortem to find out what happened is a serious issue.”
The real conversation, then, is one surrounding business interruption and business continuity. “Risk management has a crucial role to play in these breaches,” he says. “Paying the ransom may still be a valid business decision, but you may not get too much out of it.”
“I’ll be brutal,” Krone says. “We do pay ransoms. We provide information to the client and give them an idea of what they’re likely to recover if they pay the ransom, so they can make a business decision.”
Organisations with backups, however, says a report by Symantec, can circumvent the ‘unpalatable choice of losing important data or paying a ransom to cyber criminals.’