3/15/2016 01:30 PM
Ransomware: Putting Companies Between A Rock And A Hard Place

Paying a ransom encourages more attacks, but sometimes not paying could end up being a lot costlier

Ransomware attacks, in which criminals encrypt data on a victim’s computer and then seek a ransom for unlocking it, have risen sharply in recent months prompting growing debate on the best way to respond to the problem.

The consensus? There isn’t one really, at least not so far.

Incidents like the one in February, in which Hollywood Presbyterian Medical Center announced that it had paid $17,000 in Bitcoin to recover mission-critical data that had been locked in a ransomware attack, are typical of the approach that many victims have taken.

In 2015, victims paid a total of over $24 million in some 2,453 reported ransomware attacks, according to a soon-to-be-released report from the FBI Internet Crime Complaint Center. Victims who have paid up include at least a couple of police departments.

Many believe that it is the success attackers have had in extracting money from victims that is driving more attacks. Others believe that, unsavory as it is, paying up may be the only option that organizations have if they want to recover from an attack. And some believe it all really depends on the situation.

Here’s a closer look at some of the divided opinions on dealing with the ransomware issue.

Paying Up

The FBI took considerable heat last year when the agency’s special agent in charge of the CYBER and Counterintelligence Program in Boston was quoted as recommending that victims might sometimes be best off just paying the ransom if they wanted to recover their data. Since then the agency has walked back some of the comments and said it doesn’t condone the payment of ransom in any situation. But many share the agency’s original sentiment.

“The FBI is right--it's just not worth the fallout,” says Israel Levy, CEO of BufferZone, a vendor of endpoint security products. “We generally advise organizations to pay and protect,” instead of risking data loss following a successful ransomware attack, he says in comments to Dark Reading.

A majority of security researchers agree that in most cases, data locked or encrypted by a ransomware tool is almost impossible to recover without access to the decryption keys. It is a challenge that is exacerbated by the fact that attackers often give victims only a relatively short period of time to pay the ransom. After that, the ransom amount could double or even triple.

Importantly, the ransom amounts demanded usually reflect a good understanding of the victim’s ability to pay, security vendor Symantec said in a report last year. Ransom amounts for individuals can range from $21 to $700, with the average being around $300. For businesses, the amounts are usually higher, with the sweet spot being around $10,000. Though the amount is much higher than the ransom for individual users, it reflects an amount that businesses seem “willing to pay and what law enforcements are reluctant to investigate,” Symantec had noted in its report.

As a result, unless an organization has an up-to-date copy of all data that might have been encrypted in a ransomware attack, it may be easier just to pay up, some say.

“Taking into consideration the full scope of the risk, the ROI and the risk and recovery process, the only option is to pay,” Levy says. “In most cases your data will not be as current as you want it to be and merely a single file lost can make all the difference in the ROI.” By not paying the demanded ransom, an organization could put critical data at risk, he says.

It’s the reasoning that Presbyterian Memorial used in arriving at its decision to pay the attackers off. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” hospital president and CEO Allen Stefanek had noted at the time. “In the best interest of restoring normal operations, we did this.”

Not Budging

The growing number of security professionals in this camp argue that the best way to derail ransomware attacks is to stop making them profitable for attackers.

“By paying, you're not only encouraging this behavior, you're also opening yourself up to further attacks,” said Guy Bunker, senior vice president of products at data loss prevention company Clearswift. “Remember that the people who do this are criminals, and they may well re-encrypt your machine two weeks later,” he said in a statement.

The best option for organizations to reduce their exposure to the threat is to have a good data backup process in place. “Users should also continually test their backups to ensure they are viable and the process works,” said Travis Smith, senior security researcher at Tripwire, in a statement. “By having a streamlined backup process in place, the cost of restoring data will be reduced to a lower price point than the ransom.”

It Really Depends

This is an approach that advocates a more considered response to a ransomware attack. Those who support it say the decision to pay or not to pay a ransom should be based purely on the kind of data that is affected and the organization’s ability to recover or restore it.

Rohyt Belani, CEO of PhishMe, says a prepared organization should never pay a ransom to an attacker. Like many others, he believes it only invites future attacks. “That said, if an organization is unprepared, they [would] be forced into making a fast decision based on the estimated fallout,” he says in comments to Dark Reading.

If the loss of data threatens lives, for instance, which is what likely happened with Presbyterian Memorial, then the decision to pay or not to pay becomes a critical situational decision, he says.

“If it’s the company accounting system – can you recover without paying?” he asks. “If it’s locked down customer data – can you work from an older copy? If it’s critical data, are you willing to negotiate?”

It is only by making the effort beforehand to understand the importance of each data class, and the extent to which each can be recovered, that an organization can be prepared for a ransomware attack if it happens, he says.

“If it’s critical data that hasn’t been backed up, or the organization cannot operate without it, or recover from such a loss, they will have to make some hard decisions,” Belani says.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...
