Think Twice Before Paying a Ransom
Why stockpiling cryptocurrency or paying cybercriminals is not the best response.
Imagine a scenario in which a financial services firm is hit with a ransomware attack that hijacks its corporate network, rendering systems unavailable to users and effectively grinding business to a halt. Even after officials at the company pay the offending cyber extortionists hundreds of thousands of dollars in ransom, the systems remain unavailable for days.
In such a case, the damages would include not only the ransomware payment itself but the enormous losses related to downtime. That includes uncompleted transactions, lost employee productivity, and unhappy customers — to name a few.
This type of situation unfortunately happens more often than we'd like to think. And it shows why the common practice of stockpiling cryptocurrency for just such an event is often a misguided strategy.
The Problem with Stockpiling
We've known for years that organizations are quite willing to pay ransoms to cybercriminals who take their data hostage through ransomware. This year, my company conducted a survey of 1,700 business, security, and IT executives to find out how widespread the trend really is.
Alarmingly, nearly three-quarters of the security executives and 60% of CEOs admitted to stockpiling cryptocurrency to pay cybercriminals in case of a ransomware attack or data breach. And about eight in 10 of the security executives whose companies have stockpiled cryptocurrency have made payments to cybercriminals in the past year.
There are many reasons we discourage the practice of stockpiling cryptocurrency to pay cyber ransoms. Buying cryptocurrency in the first place is risky, if only because of its wildly fluctuating values. Furthermore, paying attackers does not guarantee that they will decrypt the affected files and systems.
It's also important to remember that cryptocurrency transactions can't be reversed. Once the payment has been made, it's gone for good.
Restore Your Data — and Your Peace of Mind
While prevention technologies definitely play a role in helping organizations mitigate the effects of ransomware, security plans that also include data loss protection strategies give companies a fuller defense. When we shift the lens from prevention to protection, enterprises retain access to every file in the event of an attack, which gives them options other than paying ransoms.
Even though the number of ransomware attacks has declined 30% since 2017, according to research from cybersecurity and antivirus provider Kaspersky Lab, the attacks remain particularly lucrative for criminals. For one thing, they're inexpensive to execute, and they're easy to pull off. That explains the recent surge in the popularity of "ransomware as a service."
MIT Technology Review reported last April that in 2015 alone, enterprises infected by ransomware paid millions of dollars in bitcoin, which was also the cryptocurrency of choice in 2017's string of WannaCry attacks. WannaCry attacked more than 250,000 systems in 150 countries across private and public sector organizations, including FedEx, Hitachi, Nissan, the Russian interior ministry, and thousands of enterprises in Spain and India.
Perhaps the most notorious attack crippled the UK's National Health Service (NHS) in May 2017 by bringing its data systems to a halt. This is significant because human lives are on the line when healthcare organizations cannot access medical record data immediately to provide the right patient care. Hospitals and clinics often become prime targets for attackers because it is so crucial that they restore systems and access to medical records as quickly as possible and, as a result, often pay ransoms.
Heed the Warnings
These episodes, combined with analytical and empirical evidence, demonstrate that many organizations still have much work to do in order to better protect themselves against all types of cyberattacks, including ransomware.
Here are some suggested measures:
● Perform regular system updates and patches, so that vulnerable systems are not used to run ransomware exploits.
● Conduct regular external system data backups. This allows you to restore information from prior to the time of the ransomware attack.
● Make sure all users are aware of and educated about the tactics used in ransomware and other attacks. This will make users less likely to click on suspicious links and infect their companies with ransomware.
Organizations need to have full visibility over all of their data. This includes having the ability to search and investigate files across endpoints and cloud services in minutes, rather than over the days and weeks it usually takes following an attack.
By taking these initiatives, organizations can be much better prepared for ransomware attacks. It’s a far more sensible approach than saving up lots of cryptocurrency that organizations might end up throwing away.
Jadee Hanson, CISSP, CISA, is the Chief Information Security Officer and Vice President of Information Systems at Code42. Jadee's passion for security started gathering steam with her first role as a security adviser at Deloitte. After five years and a lot of travel, Jadee ...