Vulnerabilities / Threats

3/15/2016
01:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ransomware: Putting Companies Between A Rock And A Hard Place

Paying a ransom encourages more attacks, but sometimes not paying could end up being a lot costlier

Ransomware attacks, in which criminals encrypt data on a victim’s computer and then seek a ransom for unlocking it, have risen sharply in recent months prompting growing debate on the best way to respond to the problem.

The consensus?  There isn’t one really, at least not so far.

Incidents like one in February where Hollywood Presbyterian Medical Center announced that it had paid $17,000 in Bitcoin to recover mission-critical data that had been locked in a ransomware attack, are typical of the approach that many victims themselves have taken.

In 2015, victims paid a total of over $24 million in some 2,453 reported ransomware attacks, according to a soon-to-be-released report from the FBI Internet Crime Complaint Center. Victims who have paid up include at least a couple of police departments.

Many believe that it is the success attackers have had in extracting money from victims that is driving more attacks. Others believe that, unsavory as it is, paying up may be the only option that organizations have if they want to recover from an attack. And some believe it all really depends on the situation.

Here’s a closer look at some of the divided opinions on dealing with the ransomware issue.

Paying Up

The FBI took considerable heat last year when the agency’s special agent in change of the CYBER and Counterintelligence Program in Boston was quoted as recommending that victims might sometimes be best off just paying the ransom if they wanted to recover their data.  Since then the agency has walked back some of the comments and said it doesn’t condone the payment of ransom in any situation. But many share the agency’s original sentiment.

"The FBI is right--it's just not worth the fallout,” says Israel Levy, CEO of BufferZone, a vendor of endpoint security products. “We generally advise organizations to pay and protect,” instead of risking data loss following a successful ransomware attack, he says in comments to Dark Reading.

A majority of security researchers agree that in most cases, data locked or encrypted by a ransomware tool is almost impossible to recover without access to the decryption keys.  It is a challenge that is exacerbated by the fact that attackers often give victims only a relatively short period of time to pay the ransom. After that, the ransom amount could double or even triple.  

Importantly, the ransom amounts demanded usually reflect a good understanding of the victim’s ability to pay, security vendor Symantec said in a report last year. Ransoms amounts for individuals can range from $21 to $700 with the average being around $300. For businesses, the amounts are usually higher, with the sweet spot being around $10,000. Though the amount is much higher than the ransom for individual users, it reflects an amount that business seems “willing to pay and what law enforcements are reluctant to investigate,” Symantec had noted in its report

As a result, unless an organization has an up to date copy of all data that might have been encrypted in a ransomware attack, it may be easier just paying up, say some.

“Taking into consideration the full scope of the risk, the ROI and the risk and recovery process, the only option is to pay,” Levy says. “In most cases your data will not be as current as you want it to be and merely a single file lost can make all the difference in the ROI.” By not paying the demanded ransom, an organization could put critical data at risk, he says.

It’s the reasoning that Presbyterian Memorial used in arriving at its decision to pay the attackers off. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” hospital president and CEO Allen Stefanek had noted at the time. “In the best interest of restoring normal operations, we did this.”

Not Budging

The growing numbers of security professionals in this camp argue that the best way to derail ransomware attacks is to stop making it profitable for attackers.

“By paying, you're not only encouraging this behavior, you're also opening yourself up to further attacks,” said Guy Bunker, senior vice president of products at data loss prevention company Clearswift. “Remember that the people who do this are criminals, and they may well re-encrypt your machine two weeks later,” he said in a statement. 

The best option for organizations to reduce their exposure to the threat is to have a good data backup process in place. “Users should also continually test their backups to ensure they are viable and the process works,” said Travis Smith, senior security researcher at Tripwire in a statement. “By having a streamlined backup process in place, the cost of restoring data will be reduced to a lower price point than the ransom.”  

It Really Depends

This is an approach that advocates a more considered response to a ransomware attack. Those who support it say the decision to pay or not to pay a ransom should be based purely on the kind of data that is affected and the organization’s ability to recover or restore it.

Rohyt Belani, CEO of PhishMe, says a prepared organization should never pay a ransom to an attacker. Like many others, he believes it only invites future attacks. “That said, if an organization is unprepared, they [would] be forced into making a fast decision based on the estimated fallout” he says in comments to Dark Reading.

If the loss of data for instance threatens lives, which is what likely happened with Presbyterian Memorial, then the decision to pay or not to pay becomes a critical situational decision, he says.

“If it’s the company accounting system – can you recover without paying?” he asks. “If it’s locked down customer data – can you work from an older copy? If it’s critical data, are you willing to negotiate?”

It is only by taking the effort to understand the importance of each data class beforehand and the extent of recovery possible with each that an organization can be prepared for a ransomware attack, if it happens he says.

“If it’s critical data that hasn’t been backed up, or the organization cannot operate without it, or recover from such a loss, they will have to make some hard decisions,” Belani says.

Related Content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Russia Hacked Clinton's Computers Five Hours After Trump's Call
Robert Lemos, Technology Journalist/Data Researcher,  4/19/2019
Tips for the Aftermath of a Cyberattack
Kelly Sheridan, Staff Editor, Dark Reading,  4/17/2019
Why We Need a 'Cleaner Internet'
Darren Anstee, Chief Technology Officer at Arbor Networks,  4/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11498
PUBLISHED: 2019-04-24
WavpackSetConfiguration64 in pack_utils.c in libwavpack.a in WavPack through 5.1.0 has a "Conditional jump or move depends on uninitialised value" condition, which might allow attackers to cause a denial of service (application crash) via a DFF file that lacks valid sample-rate data.
CVE-2019-11490
PUBLISHED: 2019-04-24
An issue was discovered in Npcap 0.992. Sending a malformed .pcap file with the loopback adapter using either pcap_sendqueue_queue() or pcap_sendqueue_transmit() results in kernel pool corruption. This could lead to arbitrary code executing inside the Windows kernel and allow escalation of privilege...
CVE-2019-11486
PUBLISHED: 2019-04-23
The Siemens R3964 line discipline driver in drivers/tty/n_r3964.c in the Linux kernel before 5.0.8 has multiple race conditions.
CVE-2019-11487
PUBLISHED: 2019-04-23
The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c, include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hu...
CVE-2018-7576
PUBLISHED: 2019-04-23
Google TensorFlow 1.6.x and earlier is affected by: Null Pointer Dereference. The type of exploitation is: context-dependent.