Vulnerabilities / Threats

3/15/2016
01:30 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Ransomware: Putting Companies Between A Rock And A Hard Place

Paying a ransom encourages more attacks, but sometimes not paying could end up being a lot costlier

Ransomware attacks, in which criminals encrypt data on a victim’s computer and then seek a ransom for unlocking it, have risen sharply in recent months prompting growing debate on the best way to respond to the problem.

The consensus?  There isn’t one really, at least not so far.

Incidents like one in February where Hollywood Presbyterian Medical Center announced that it had paid $17,000 in Bitcoin to recover mission-critical data that had been locked in a ransomware attack, are typical of the approach that many victims themselves have taken.

In 2015, victims paid a total of over $24 million in some 2,453 reported ransomware attacks, according to a soon-to-be-released report from the FBI Internet Crime Complaint Center. Victims who have paid up include at least a couple of police departments.

Many believe that it is the success attackers have had in extracting money from victims that is driving more attacks. Others believe that, unsavory as it is, paying up may be the only option that organizations have if they want to recover from an attack. And some believe it all really depends on the situation.

Here’s a closer look at some of the divided opinions on dealing with the ransomware issue.

Paying Up

The FBI took considerable heat last year when the agency’s special agent in change of the CYBER and Counterintelligence Program in Boston was quoted as recommending that victims might sometimes be best off just paying the ransom if they wanted to recover their data.  Since then the agency has walked back some of the comments and said it doesn’t condone the payment of ransom in any situation. But many share the agency’s original sentiment.

"The FBI is right--it's just not worth the fallout,” says Israel Levy, CEO of BufferZone, a vendor of endpoint security products. “We generally advise organizations to pay and protect,” instead of risking data loss following a successful ransomware attack, he says in comments to Dark Reading.

A majority of security researchers agree that in most cases, data locked or encrypted by a ransomware tool is almost impossible to recover without access to the decryption keys.  It is a challenge that is exacerbated by the fact that attackers often give victims only a relatively short period of time to pay the ransom. After that, the ransom amount could double or even triple.  

Importantly, the ransom amounts demanded usually reflect a good understanding of the victim’s ability to pay, security vendor Symantec said in a report last year. Ransoms amounts for individuals can range from $21 to $700 with the average being around $300. For businesses, the amounts are usually higher, with the sweet spot being around $10,000. Though the amount is much higher than the ransom for individual users, it reflects an amount that business seems “willing to pay and what law enforcements are reluctant to investigate,” Symantec had noted in its report

As a result, unless an organization has an up to date copy of all data that might have been encrypted in a ransomware attack, it may be easier just paying up, say some.

“Taking into consideration the full scope of the risk, the ROI and the risk and recovery process, the only option is to pay,” Levy says. “In most cases your data will not be as current as you want it to be and merely a single file lost can make all the difference in the ROI.” By not paying the demanded ransom, an organization could put critical data at risk, he says.

It’s the reasoning that Presbyterian Memorial used in arriving at its decision to pay the attackers off. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” hospital president and CEO Allen Stefanek had noted at the time. “In the best interest of restoring normal operations, we did this.”

Not Budging

The growing numbers of security professionals in this camp argue that the best way to derail ransomware attacks is to stop making it profitable for attackers.

“By paying, you're not only encouraging this behavior, you're also opening yourself up to further attacks,” said Guy Bunker, senior vice president of products at data loss prevention company Clearswift. “Remember that the people who do this are criminals, and they may well re-encrypt your machine two weeks later,” he said in a statement. 

The best option for organizations to reduce their exposure to the threat is to have a good data backup process in place. “Users should also continually test their backups to ensure they are viable and the process works,” said Travis Smith, senior security researcher at Tripwire in a statement. “By having a streamlined backup process in place, the cost of restoring data will be reduced to a lower price point than the ransom.”  

It Really Depends

This is an approach that advocates a more considered response to a ransomware attack. Those who support it say the decision to pay or not to pay a ransom should be based purely on the kind of data that is affected and the organization’s ability to recover or restore it.

Rohyt Belani, CEO of PhishMe, says a prepared organization should never pay a ransom to an attacker. Like many others, he believes it only invites future attacks. “That said, if an organization is unprepared, they [would] be forced into making a fast decision based on the estimated fallout” he says in comments to Dark Reading.

If the loss of data for instance threatens lives, which is what likely happened with Presbyterian Memorial, then the decision to pay or not to pay becomes a critical situational decision, he says.

“If it’s the company accounting system – can you recover without paying?” he asks. “If it’s locked down customer data – can you work from an older copy? If it’s critical data, are you willing to negotiate?”

It is only by taking the effort to understand the importance of each data class beforehand and the extent of recovery possible with each that an organization can be prepared for a ransomware attack, if it happens he says.

“If it’s critical data that hasn’t been backed up, or the organization cannot operate without it, or recover from such a loss, they will have to make some hard decisions,” Belani says.

Related Content:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
5 Reasons the Cybersecurity Labor Shortfall Won't End Soon
Steve Morgan, Founder & CEO, Cybersecurity Ventures,  12/11/2017
Oracle Product Rollout Underscores Need for Trust in the Cloud
Kelly Sheridan, Associate Editor, Dark Reading,  12/11/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Gee, these virtual reality goggles work great!!! 
Current Issue
The Year in Security: 2017
A look at the biggest news stories (so far) of 2017 that shaped the cybersecurity landscape -- from Russian hacking, ransomware's coming-out party, and voting machine vulnerabilities to the massive data breach of credit-monitoring firm Equifax.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.