To Pay Or Not To Pay: Ransomware Attacks Force Hard Choices
June 27, 2016 (Cy-Pher) — According to many cyber-security analysts, 2016 is shaping up to be the year of ransomware attacks. There has been a significant increase in ransomware and crypto malware attacks since the beginning of the year, with no signs of slowing down. These attacks are further compounded by the fact that many organizations are paying the ransoms demanded by attackers in the hope of quickly regaining access to their data. Payment of ransoms is emboldening attackers to target other organizations and seek similar or larger ransoms. According to Symantec’s 2016 Internet Security Threat Report, ransomware attacks have evolved and are now targeting users’ mobile devices (e.g., tablets, smartphones and even smart watches).
Ransomware is a type of malware that locks a user’s computer, files or network until the user performs specific actions demanded by the malware, often the payment of a ransom in bitcoins (an untraceable virtual currency). Ransomware is typically installed on a user’s system through a variety of techniques (e.g., a user visiting a compromised website, the attackers taking advantage of unpatched systems, or a social engineering or phishing attack that attempts to get an authorized employee to open a malicious e-mail attachment or click a link to a compromised site). Once it is installed, the malware encrypts files and folders. Victims are usually unaware of the malware until they can no longer access their data or begin to see ransom messages on their computers. The attackers then demand payment for the decryption key needed to unlock the encrypted files.
A new twist now has some ransomware attacks threatening to publish the users’ files online unless they pay the ransom. This effectively renders the advice of backing up files ineffective in such scenarios. It also exposes the organization to potential regulatory and legal fallout should certain types of information be published online.
Steps To Protect Yourself
Scary stuff, but there are certain steps organizations can take to protect themselves from ransomware attacks or, at the very least, mitigate the consequences:
- Stay Up-to-date. Keep your operating system and software (including anti-virus and firewalls) up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Also, scan all software downloaded from the internet prior to installation.
- Back up often. Have a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. It is recommended that this data be kept on a separate device, and backups should be stored offline.
- Enable your pop-up blocker. Pop-ups are a prime tactic used by attackers. Accidentally clicking on an infected pop-up can install malware onto your network. Also, disable macro scripts in documents transmitted over email.
- Exercise caution. Avoid clicking on links inside emails, and avoid suspicious websites. Conduct regular employee training to ensure that safe practices are employed while browsing the internet and that employees do not follow unsolicited web links in emails. Make sure that employees are aware of ransomware and of their roles in protecting the organization’s data.
- Notify the Authorities. Ransomware is a serious form of extortion and while local police departments may not be equipped to deal with these types of attacks, it is important to inform the Canadian Cyber Incident Response Centre. Organizations may also have an obligation to report breaches of personal information that result in a “real risk of significant harm” to an individual. Given the mosaic of federal and provincial privacy legislation, it is recommended to retain external legal counsel with cybersecurity expertise to assist with the notification process to privacy regulators and law enforcement.
- Cyber-Risk Insurance. Organizations should consider obtaining cyber-risk insurance which will often cover cyber-extortion, including ransomware. Make sure that any limitations are clearly understood so that the organization can make an informed decision.
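The backup advice above stresses testing backups, not just taking them: a backup set that ransomware has reached and encrypted is worthless at restore time. The following is an added example (not from the article) of one way to make that test concrete: record a manifest of SHA-256 hashes when the backup is written to the offline device, then re-verify the set against the manifest before relying on it. All paths and sample data are constructed for the demonstration.

```python
"""Verify a backup set against a recorded manifest of SHA-256 file hashes.

Added example, not from the article. The idea: hash every file when the
backup is created, store the manifest with the (offline) backup, and compare
again before a restore so that a backup set that has itself been encrypted,
corrupted or partially deleted is noticed before it is actually needed.
"""
import hashlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file path (relative to the backup root) to its SHA-256 hex digest."""
    return {
        str(p.relative_to(backup_root)): sha256_file(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(expected: dict, current: dict) -> dict:
    """Compare a stored manifest with a freshly built one.

    Reports files that are missing, modified (hash differs, e.g. encrypted in
    place) or unexpected (present but never recorded). All lists empty means
    the backup set is intact.
    """
    return {
        "missing": sorted(set(expected) - set(current)),
        "modified": sorted(k for k in expected if k in current and current[k] != expected[k]),
        "unexpected": sorted(set(current) - set(expected)),
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Rehash the backup set on disk and diff it against the stored manifest."""
    return diff_manifests(manifest, build_manifest(backup_root))


def is_intact(report: dict) -> bool:
    """True only when no file is missing, modified or unexpected."""
    return not any(report.values())
```

In practice the manifest is written alongside the backup when it is taken and `verify_backup` is run as part of the regular restore test.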
Should You Pay The Ransom?
There is no simple answer to this question. The FBI recently stated that it did not support organizations paying a ransom in response to a ransomware attack and emphasized the importance of prevention and having a business continuity plan.
The challenge with paying a ransom – even if some insurers agree to cover the cost of paying the ransom – lies in the fact that it does not guarantee that the attackers will provide a valid decryption key, that the encrypted information won’t be corrupted or that the key will not itself contain malware. The often remote nature of the crime puts criminal and civil remedies largely out of reach, and it is unlikely that this will change in the short term. More importantly, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with the criminals.
If an organization has implemented the steps listed above and can avoid paying the ransom without compromising the data in question, then that is clearly the best possible outcome. However, there have been recent cases where organizations have paid ransoms. For example, Hollywood Presbyterian Hospital recently admitted to paying a $17,000 ransom to attackers. Unfortunately, payment often emboldens the attackers, who then target other organizations or re-target the victim that just paid the ransom.