The Great Payment Debate: How to Evaluate Your Ransomware Response

With ransomware attacks on the rise, all organizations must assume they will eventually be a target and start putting prevention and mitigation strategies in place now.

The federal government has called ransomware one of the biggest national security threats. For organizations hit by a ransomware attack, there's still a lot of fear and uncertainty about what to do. It's not a cut-and-dried situation; while the FBI recommends not paying ransoms, there's a lot more nuance to be considered.

A recent CNBC survey of US CFOs found broad agreement that Colonial Pipeline had "no choice." The reality is that the company's hand was forced. For critical infrastructure like this, that's a legitimate concern.

So, how do you evaluate the situation when you face a ransomware attack? Here are some points to consider.

Don't Assume You'll Get Your Money Back
The Colonial Pipeline situation was a bit of an anomaly, because the US Justice Department was able to recover the approximately $2.3 million in bitcoin the company paid to the DarkSide bad actors. This was an action taken by the Justice Department's newly created Ransomware and Digital Extortion Task Force.

The growth of cryptocurrency platforms has helped ransomware attackers in some ways, by making it easier for them to extort money. Unlike the days when a cybercriminal had to rely on something like a wire transfer service, cryptocurrency has simplified the process. It's instantaneous, and the paper trail is shorter, if it exists at all. That means it's harder to reclaim payments if they are made, so this shouldn't even be a factor in your consideration. Don't assume you'll be able to get that money back.

Fueling the Cybercrime Fire
One of the most significant issues with paying ransom goes beyond the impact on your individual company; it gives the bad actors what they want. If they get paid out, that emboldens them to keep going — and to go bigger. Those payments are funding their efforts to weaponize new technology and expand their attacks. We're already seeing the ripple effect of ransomware. Colonial Pipeline, JBS, and Kaseya are some of the largest attacks, but they're far from the only ones.

Ransomware is now in a "boom" phase, contributing to a bustling cybercrime industry that often targets large sectors, including healthcare, education, finance, the legal sector, and manufacturing. According to the latest FortiGuard Labs "Global Threat Landscape Report," average weekly ransomware activity is tenfold higher than levels from a year ago.

Understanding the Risks and Impact of Potential Exposure
This should be top of mind when it comes to considering whether to pay ransom: What information could the attackers get? Where is that information stored? How valuable is it?

Remember that paying doesn't guarantee your data won't be exposed. Some organizations, when experiencing a ransomware attack, might find it easier to pay than have their IT team spend days trying to recover data, all while business operations remain at a standstill. However, that's not always the case. It's also important to remember that paying a ransom does not guarantee the threat will go away instantly. In some cases, the information that organizations worked so hard to protect had already been exposed and can cause long-term problems.

There have been instances where organizations try to call the bad actors' bluff, but this isn't recommended because they usually aren't bluffing. Your data could very well be released in damaging ways.

In This Together
While paying ransom isn't recommended, we can't vilify those companies that do — it's a nuanced situation, and each is unique. The point is that prevention and mitigation are always the preference when it comes to ransomware. Organizations must start assuming they will get hit by ransomware and that, therefore, they need to put prevention and mitigation strategies in place.

That said, if you do get attacked, it's important not to make a hasty decision to pay the ransom. Think carefully about all aspects involved and seek help if you need it. Your security vendor, for instance, can help you with quarantining access and come up with the right incident response. They also can help with reporting the attack to law enforcement. There are internal and external stakeholders that can assist an organization hit by ransomware.

This includes entities like the Cybercrime Support Network, a nonprofit organization created to meet the challenges facing businesses affected by ransomware. This collaboration provides more insight for the greater good, too, as more information ensures more effective responses in the future. Simply defeating a single ransomware incident at one organization does not lessen the cumulative impact within an industry or peer group. Sharing intelligence with law enforcement and other global security organizations is the only way to effectively take down cybercrime groups.
