We’ve recently been considering the rise of ransomware attacks – the deployment of malware by cyber criminals to encrypt organisations’ files and systems rendering them inaccessible or unusable. The criminals then pressurise the victim for payment to regain access to their systems, and/or threaten to publish stolen data or to publicly name and shame the company.
Such attacks have “exploded” during 2020 (according to IBM’s security arm), with victims ranging from global firms such as Travelex to local bodies such as municipal governments, schools and universities. Millions of pounds are being spent on investigating attacks, rebuilding networks, restoring backups, paying ransoms and putting preventative measures in place.
It’s certainly a horrifying prospect: your systems down and productivity halted, your data at real risk of being published, damaged or destroyed – not to mention the potential reputational fallout. Faced with this, it’s easy to see how paying the criminals to recover access might seem the most straightforward and least damaging option.
But is it…? Following an advisory from the US Government in October which alerted insurance and security companies that facilitating ransomware payments may lead to prosecution, the question of whether or not to pay cybercriminal ransoms has become a hot topic.
We consider the pros and cons of coughing up the cash....
Why you might be tempted to pay
A quick cost-benefit analysis under pressure might suggest that paying the attackers’ ransom is the fastest route to getting your systems back and limiting further destruction or damage. The criminals’ bargaining may sound plausible, and their ransom demand probably represents a fraction of the projected cost of recovering and rebuilding systems, plus the loss of income during downtime, if you don’t pay. A recent ransomware attack on shipping giant Maersk was reputed to have cost them $300m, and a 2019 attack on global aluminium producer Norsk Hydro around £45m. Considering the average ransom demand is more like $10,000 (although some are much higher), it’s not a stretch to see why organisations might decide that coughing up is the most expedient solution – indeed, out of 11 of the biggest ransomware attacks globally in 2020, seven of the victims allegedly paid the demanded ransom.
But why it’s better to think twice
However, there’s a lot more to the situation than meets the eye. Consider the following:
- However plausible your attacker might sound, there is absolutely no guarantee that they will stick to their word and restore your systems and data once you’ve paid. Have you heard the one about the honourable trustworthy criminal? No, us neither. You could well find they disappear into the ether leaving you stranded with your systems still infected, and a lot lighter of pocket.
- The authorities are beginning to take a much dimmer view of people who pay out to cyber criminals. As mentioned, the US Government has recently stated that paying out could lead to prosecution – outlining its justification that ransom payments fuel the rise of ransomware attacks, advance criminal profits and “could be used to fund activities adverse to the national security and foreign policy objectives of the United States”. In the UK, the NCSC states that “law enforcement do not encourage, endorse, nor condone the payment of ransom demands.” It’s not technically illegal to pay a ransom in the UK, but if the criminal you pay out to turns out to have terrorist links you could be prosecuted under the Terrorism Act 2000. At the very least, if you’re considering paying, lawyers advise you to do your due diligence into just who your attacker might be.
- Payment makes the crime a success, which emboldens the criminal to strike again. You’re perpetuating the problem, not to mention advertising to other attackers that you are a soft target likely to give in to pressure. You’ll be on every criminal’s mug-list out there.
- There are also practical challenges – the ransom is usually demanded in Bitcoin or another cryptocurrency, so how do you suddenly acquire significant sums of it?
We think that, overall, it is a very brave organisation that pays a ransom, given the stance of the authorities and the lack of any guarantee of success. If the survival of the business depends on it, then serious consideration may be given to paying, but you need to be very wary of the risks involved.
So what are my other (safer) options?
As with so much in life – and certainly cyber security – prevention is always better than a cure. Your best option in the face of rising ransomware incidents is to take sensible precautions to avoid or at least mitigate the impact of an attack:
- Make regular backups, keeping an offline backup separate from your network, and protecting versions held on cloud services.
- Reduce the risk of malware reaching your systems, by filtering and blocking suspicious websites or file types at your network boundary, strengthening defences at remote access points, and thwarting lateral movement of malware.
- Install defences to stop malware running if it does infiltrate – invest in quality anti-malware software and application control such as AppLocker, keeping it all well-configured and up to date.
- Put an incident management plan in place should the worst happen – plan your detection, isolation, triage, rebuild and recovery strategies, and outline communication plans, roles and responsibilities to prevent headless chicken territory (which could lead to rash decisions on ransom payment).
- Take measures to minimise the impact of data exfiltration should the criminals threaten to publish your sensitive data – the NCSC has some useful guidance on this.
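The first precaution above is only as good as the backup you can actually restore from: a copy that has been silently encrypted or partially overwritten is no safer than no copy at all. The script below is an added illustration (not Hexegic’s or the NCSC’s code) of how to verify an offline backup set before relying on it. It records a SHA-256 manifest of every file when the backup is taken, checks later that every file is still present and unchanged and that nothing unexpected has appeared, and checks the backup’s age against an agreed recovery point. The sample backup set and the tampering in `demo()` are constructed in a temporary directory purely for the example; the function names are the author’s own.

```python
"""Offline backup integrity check (added example, not part of the original article).

Builds a SHA-256 manifest of a backup set so that a copy kept off the network
can later be verified as complete and unmodified before it is used for recovery.
Store the manifest alongside the offline copy so verification does not depend
on anything that was reachable from the compromised network.
"""
import hashlib
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Record the hash of every file under root, plus when the manifest was taken."""
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = sha256_file(p)
    return {"taken_at": time.time(), "files": files}


def verify_backup(root: Path, manifest: dict) -> list:
    """Compare the backup set on disk against the manifest.

    Returns a list of findings; an empty list means every recorded file is
    present with its original content and nothing unexpected was added.
    """
    findings = []
    expected = manifest["files"]
    for rel, digest in expected.items():
        p = root / rel
        if not p.is_file():
            findings.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            findings.append(f"modified: {rel}")
    on_disk = {p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file()}
    for rel in sorted(on_disk - expected.keys()):
        findings.append(f"unexpected: {rel}")
    return findings


def is_fresh(manifest: dict, max_age_seconds: float, now: float = None) -> bool:
    """True if the backup is younger than the recovery point the organisation has agreed."""
    now = time.time() if now is None else now
    return now - manifest["taken_at"] <= max_age_seconds


def demo() -> tuple:
    """Constructed sample: a tiny backup set, its manifest, then a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "finance").mkdir()
        (root / "finance" / "ledger.csv").write_text("date,amount\n2020-10-01,100\n")
        (root / "notes.txt").write_text("quarterly review\n")

        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)  # a good backup produces no findings

        # Simulate damage to the backup share: one file overwritten in place and
        # one stray file written onto it. Both must be reported before restore.
        (root / "notes.txt").write_bytes(b"\x00garbled")
        (root / "unexpected.bin").write_bytes(b"\x01\x02")
        tampered = verify_backup(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean verification:", clean)
    print("after tampering:", tampered)
```

Run the verification from a clean machine that mounts the offline copy read-only; a non-empty findings list, or `is_fresh()` returning `False`, means that copy should not be the one you rebuild from, and that is far better to learn during a routine check than in the middle of an incident.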
For further help on how to prevent and plan for a ransomware attack, consult the NCSC’s information, or get in touch with our experts here at Hexegic who know their stuff in this area and would be happy to give their advice.