Attacks/Breaches

1/23/2019
10:30 AM
Jadee Hanson
Commentary

Think Twice Before Paying a Ransom

Why stockpiling cryptocurrency or paying cybercriminals is not the best response.

Imagine a scenario in which a financial services firm is hit with a ransomware attack that hijacks its corporate network, rendering systems unavailable to users and effectively grinding business to a halt. Even after officials at the company pay the offending cyber extortionists hundreds of thousands of dollars in ransom, the systems remain unavailable for days.

In such a case, the damages would include not only the ransomware payment itself but the enormous losses related to downtime. That includes uncompleted transactions, lost employee productivity, and unhappy customers — to name a few.

This type of situation unfortunately happens more often than we'd like to think. And it shows why the common practice of stockpiling cryptocurrency for just such an event is often a misguided strategy.

The Problem with Stockpiling
We've known for years that organizations are quite willing to pay ransoms to cybercriminals who take their data hostage through ransomware. This year, my company conducted a survey of 1,700 business, security, and IT executives to find out how widespread the trend really is.

Alarmingly, nearly three-quarters of the security executives and 60% of CEOs admitted to stockpiling cryptocurrency to pay cybercriminals in case of a ransomware attack or data breach. And about eight in 10 of the security executives whose companies have stockpiled cryptocurrency have made payments to cybercriminals in the past year.

There are many reasons we discourage the practice of stockpiling cryptocurrency to pay cyber ransoms. Buying cryptocurrency in the first place is risky, if only because of its wildly fluctuating value. Furthermore, paying attackers guarantees neither that they will decrypt the affected files and systems nor that the business comes back any faster, as the opening scenario shows.

It's also important to remember that cryptocurrency transactions can't be reversed. Once the payment has been made, it's gone for good.

Restore Your Data — and Your Peace of Mind
Prevention technologies certainly help organizations limit the effects of ransomware, but security plans that also include data loss protection give companies a fuller defense. When the lens shifts from prevention to protection, an enterprise retains a clean copy of every file in the event of an attack, which gives it options other than paying a ransom.

Even though the number of ransomware attacks has declined 30% since 2017, according to research from cybersecurity and antivirus provider Kaspersky Lab, the attacks remain particularly lucrative for criminals: they are inexpensive to execute and easy to pull off. That explains the recent surge in the popularity of "ransomware as a service."

MIT Technology Review reported last April that in 2015 alone, enterprises infected by ransomware paid millions of dollars in bitcoin, which was also the cryptocurrency of choice in 2017's string of WannaCry attacks. WannaCry attacked more than 250,000 systems in 150 countries across private and public sector organizations, including FedEx, Hitachi, Nissan, the Russian interior ministry, and thousands of enterprises in Spain and India.

Perhaps the most notorious attack crippled the UK's National Health Service (NHS) in May 2017 by bringing its data systems to a halt. This is significant because human lives are on the line when healthcare organizations cannot access medical record data immediately to provide the right patient care. Hospitals and clinics often become prime targets for attackers because it is so crucial that they restore systems and access to medical records as quickly as possible and, as a result, often pay ransoms.

Heed the Warnings
These episodes, combined with analytical and empirical evidence, demonstrate that many organizations still have much work to do in order to better protect themselves against all types of cyberattacks, including ransomware.

Here are some suggested measures:

● Perform regular system updates and patches, so that known vulnerabilities cannot be used to deliver or spread ransomware. WannaCry, discussed above, spread between systems that were missing a months-old Windows SMB patch.

● Conduct regular backups to storage that the production systems cannot write to (offline, or otherwise isolated from the network), and test that they restore. A backup that is reachable from a compromised machine is simply one more thing the ransomware encrypts; a verified, isolated copy lets you restore information from before the attack.

● Make sure all users are aware of and educated about the tactics used in ransomware and other attacks. Users who recognize a phishing lure are less likely to click a malicious link or attachment and infect their companies with ransomware.

Organizations need to have full visibility over all of their data. This includes having the ability to search and investigate files across endpoints and cloud services in minutes, rather than over the days and weeks it usually takes following an attack.
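The backup and visibility advice above is easier to act on with something concrete to run. The Python below is an added illustration written for this page, not code from the author or from Code42, and it is deliberately minimal: it takes a snapshot of a directory into a tar.gz archive, records a SHA-256 manifest of every file, proves the archive restores intact by extracting it to scratch space and re-hashing, and then uses the same manifest to answer the post-incident question "which files were touched?" in seconds. The directory layout, file names and simulated attack in `demo()` are constructed sample data, not real incident material.

```python
"""Verified backup snapshots plus hash-manifest triage after a ransomware event.

Added example for this page (not the author's or Code42's code). The sample
files and the simulated "encryption" in demo() are constructed for illustration.
"""
import hashlib
import json
import os
import pathlib
import tarfile
import tempfile


def sha256_file(path, chunk_size=1 << 16):
    """Stream a file through SHA-256 so large files are never read whole into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative_posix_path: sha256} for every regular file under root."""
    root = pathlib.Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src_dir, backup_dir):
    """Archive src_dir and write a manifest of per-file hashes plus the archive hash.

    The manifest later proves the archive restores intact and shows exactly
    which files changed; keep it (and the archive) on storage production cannot write to.
    """
    src, dest = pathlib.Path(src_dir), pathlib.Path(backup_dir)
    dest.mkdir(parents=True, exist_ok=True)
    archive = dest / "snapshot.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest = {"files": build_manifest(src), "archive_sha256": sha256_file(archive)}
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return manifest


def _safe_extract(archive, target):
    """Extract while refusing members that would escape target (tar path traversal)."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):        # Python 3.12+ and security backports
            tar.extractall(target, filter="data")
            return
        base = os.path.realpath(target)
        for member in tar.getmembers():
            final = os.path.realpath(os.path.join(target, member.name))
            if os.path.commonpath([base, final]) != base:
                raise ValueError(f"unsafe member path in archive: {member.name}")
        tar.extractall(target)


def verify_backup(backup_dir):
    """Test-restore the archive and re-hash every file; an empty list means it is usable."""
    dest = pathlib.Path(backup_dir)
    manifest = json.loads((dest / "manifest.json").read_text())
    archive = dest / "snapshot.tar.gz"
    if sha256_file(archive) != manifest["archive_sha256"]:
        return ["archive hash does not match manifest (corrupted or tampered)"]
    with tempfile.TemporaryDirectory() as scratch:
        _safe_extract(archive, scratch)
        restored = build_manifest(scratch)
    problems = [f"missing after restore: {p}" for p in manifest["files"] if p not in restored]
    problems += [f"hash mismatch after restore: {p}"
                 for p, h in manifest["files"].items() if restored.get(p) not in (None, h)]
    return problems


def triage_against_manifest(live_dir, manifest):
    """Diff a live tree against the last good manifest.

    After an attack, 'modified' and 'new' are the encrypted files, renamed
    copies and dropped ransom notes; 'missing' are originals that were removed.
    """
    good, now = manifest["files"], build_manifest(live_dir)
    return {"modified": sorted(p for p in good if p in now and now[p] != good[p]),
            "missing": sorted(p for p in good if p not in now),
            "new": sorted(p for p in now if p not in good)}


def demo():
    """Constructed scenario: back up, simulate encryption, then verify and triage."""
    with tempfile.TemporaryDirectory() as work:
        data = pathlib.Path(work) / "fileserver"
        (data / "finance").mkdir(parents=True)
        (data / "finance" / "ledger.csv").write_text("txn,amount\n1,100\n")
        (data / "readme.txt").write_text("quarterly close notes\n")

        manifest = create_backup(data, pathlib.Path(work) / "offline_backup")
        verify_problems = verify_backup(pathlib.Path(work) / "offline_backup")

        # Simulated attack: one file encrypted in place, one renamed, a ransom note dropped.
        (data / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (data / "readme.txt").rename(data / "readme.txt.locked")
        (data / "README_TO_DECRYPT.txt").write_text("pay 2 BTC\n")

        return verify_problems, triage_against_manifest(data, manifest)


if __name__ == "__main__":
    problems, report = demo()
    print("backup problems:", problems or "none")
    print(json.dumps(report, indent=2))
```

The point of `verify_backup` is that a backup you have never restored is a hope, not a control; scheduling the test-restore right after each snapshot catches corrupt or truncated archives while the originals still exist. The `_safe_extract` guard matters because an attacker who can plant a crafted archive in your backup location could otherwise use the restore itself to overwrite files outside the target directory.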

By taking these initiatives, organizations can be much better prepared for ransomware attacks. It’s a far more sensible approach than saving up lots of cryptocurrency that organizations might end up throwing away.

Jadee Hanson, CISSP, CISA, is the Chief Information Security Officer and Vice President of Information Systems at Code42. Jadee's passion for security started gathering steam with her first role as a security adviser at Deloitte. After five years and a lot of travel, Jadee ... View Full Bio

PaulChau
User Rank: Strategist
2/13/2019 | 2:37:58 AM
They won't give in
Isn't it the same situation with a physical hostage situation? When your entire database is held hostage, you should always consult the authorities to seek their advice first before you go ahead and let the hackers win. Even if you pay them up, you might not necessarily obtain your entire system back. They could return it to you but definitely not without retaining something behind to blackmail you again later.
Ritu_G
User Rank: Moderator
2/10/2019 | 11:45:10 PM
It could be so much worse
I personally think that if the terrorists or hackers were serious about doing some damage, they wouldn't bother with asking for a ransom at all. They would just release all of that data in storage to hit where it hurts the most. At the end of the day, the guys that are waiting for cryptocurrency transfers are really just trying their luck to hit a bit of extra money, if you ask me.