
Attacks/Breaches

1/23/2019
10:30 AM
Jadee Hanson
Commentary

Think Twice Before Paying a Ransom

Why stockpiling cryptocurrency or paying cybercriminals is not the best response.

Imagine a scenario in which a financial services firm is hit with a ransomware attack that hijacks its corporate network, rendering systems unavailable to users and effectively grinding business to a halt. Even after officials at the company pay the offending cyber extortionists hundreds of thousands of dollars in ransom, the systems remain unavailable for days.

In such a case, the damages would include not only the ransomware payment itself but the enormous losses related to downtime. That includes uncompleted transactions, lost employee productivity, and unhappy customers — to name a few.

This type of situation unfortunately happens more often than we'd like to think. And it shows why the common practice of stockpiling cryptocurrency for just such an event is often a misguided strategy.

The Problem with Stockpiling
We've known for years that organizations are quite willing to pay ransoms to cybercriminals who take their data hostage through ransomware. This year, my company conducted a survey of 1,700 business, security, and IT executives to find out how widespread the trend really is.

Alarmingly, nearly three-quarters of the security executives and 60% of CEOs admitted to stockpiling cryptocurrency to pay cybercriminals in case of a ransomware attack or data breach. And about eight in 10 of the security executives whose companies have stockpiled cryptocurrency have made payments to cybercriminals in the past year.

There are many reasons we discourage the practice of stockpiling cryptocurrency to pay cyber ransoms. Buying cryptocurrency in the first place is risky, if only because of its wildly fluctuating values. Furthermore, paying attackers does not guarantee that they will decrypt the affected files and systems.

It's also important to remember that cryptocurrency transactions can't be reversed. Once the payment has been made, it's gone for good.

Restore Your Data — and Your Peace of Mind
While prevention technologies definitely play a role in helping organizations mitigate the effects of ransomware, security plans that also include data loss protection strategies are actually giving companies a fuller defense. When we shift the lens from prevention to protection, enterprises are able to have access to every file in the event of an attack, which gives them options other than paying ransoms.

Even though the number of ransomware attacks has declined 30% since 2017, according to research from cybersecurity and antivirus provider Kaspersky Lab, the attacks remain particularly lucrative for criminals. For one thing, they're inexpensive to execute, and they're easy to pull off. That explains the recent surge in the popularity of "ransomware as a service."

MIT Technology Review reported last April that in 2015 alone, enterprises infected by ransomware paid millions of dollars in bitcoin, which was also the cryptocurrency of choice in 2017's string of WannaCry attacks. WannaCry attacked more than 250,000 systems in 150 countries across private and public sector organizations, including FedEx, Hitachi, Nissan, the Russian interior ministry, and thousands of enterprises in Spain and India.

Perhaps the most notorious attack crippled the UK's National Health Service (NHS) in May 2017 by bringing its data systems to a halt. This is significant because human lives are on the line when healthcare organizations cannot access medical record data immediately to provide the right patient care. Hospitals and clinics often become prime targets for attackers because it is so crucial that they restore systems and access to medical records as quickly as possible and, as a result, often pay ransoms.

Heed the Warnings
These episodes, combined with analytical and empirical evidence, demonstrate that many organizations still have much work to do in order to better protect themselves against all types of cyberattacks, including ransomware.

Here are some suggested measures:

● Perform regular system updates and patches, so that vulnerable systems are not used to run ransomware exploits.

● Conduct regular external system data backups. This allows you to restore information from prior to the time of the ransomware attack.

● Make sure all users are aware of and educated about the tactics used in ransomware and other attacks. This will make users less likely to click on suspicious links and infect their companies with ransomware.

Organizations need to have full visibility over all of their data. This includes having the ability to search and investigate files across endpoints and cloud services in minutes, rather than over the days and weeks it usually takes following an attack.
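As an added illustration of the backup bullet and the visibility point above (example code written for this page, not from the article or from Code42): a small Python routine that picks the newest backup snapshot taken strictly before the attack was detected and skips any snapshot whose files fail their recorded hash or already look encrypted. The snapshot catalog and file contents are constructed sample data.

```python
import hashlib
import math
from datetime import datetime


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: a plain CSV ledger and a pseudo-random stand-in
# for the same file after ransomware encrypted it.
ORIGINAL = b"ledger,2019-01-20,ACME Corp,1250.00\n" * 20
SCRAMBLED = b"".join(hashlib.sha256(b"k" + i.to_bytes(4, "big")).digest() for i in range(23))

# Each snapshot records when it was taken and the SHA-256 of every file,
# computed at backup time (hypothetical catalog, not a real backup product).
SNAPSHOTS = [
    {"taken": "2019-01-18T02:00:00+00:00", "files": {"ledger.csv": (ORIGINAL, sha256(ORIGINAL))}},
    {"taken": "2019-01-21T02:00:00+00:00", "files": {"ledger.csv": (ORIGINAL, sha256(ORIGINAL))}},
    # Taken after infection: the backup faithfully stored the encrypted file,
    # so its hash matches but the content is useless for restore.
    {"taken": "2019-01-23T02:00:00+00:00", "files": {"ledger.csv": (SCRAMBLED, sha256(SCRAMBLED))}},
]


def byte_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: ciphertext sits near 8, text far below."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    total = len(data)
    return -sum(c / total * math.log2(c / total) for c in counts if c)


def verify_snapshot(snapshot: dict, entropy_limit: float = 7.0) -> list:
    """Return a list of problems; an empty list means the snapshot is restorable."""
    problems = []
    for name, (content, recorded_hash) in snapshot["files"].items():
        if sha256(content) != recorded_hash:
            problems.append(f"{name}: hash mismatch (backup altered or corrupted)")
        elif byte_entropy(content) > entropy_limit:
            problems.append(f"{name}: looks encrypted ({byte_entropy(content):.2f} bits/byte)")
    return problems


def pick_restore_point(snapshots: list, attack_detected_iso: str):
    """Newest clean snapshot taken before the attack was detected, or None."""
    attack_time = datetime.fromisoformat(attack_detected_iso)
    for snap in sorted(snapshots, key=lambda s: s["taken"], reverse=True):
        if datetime.fromisoformat(snap["taken"]) >= attack_time:
            continue  # taken during or after the attack window
        if not verify_snapshot(snap):
            return snap["taken"]
    return None
```

The entropy check catches the case an integrity hash alone misses: a backup job that ran after infection and dutifully stored already-encrypted files.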

By taking these initiatives, organizations can be much better prepared for ransomware attacks. It’s a far more sensible approach than saving up lots of cryptocurrency that organizations might end up throwing away.


Jadee Hanson, CISSP, CISA, is the Chief Information Security Officer and Vice President of Information Systems at Code42. Jadee's passion for security started gathering steam with her first role as a security adviser at Deloitte. After five years and a lot of travel, Jadee ...
Comments
PaulChau, User Rank: Apprentice, 2/13/2019 | 2:37:58 AM
They won't give in
Isn't it the same situation with a physical hostage situation? When your entire database is held hostage, you should always consult the authorities to seek their advice first before you go ahead and let the hackers win. Even if you pay them up, you might not necessarily obtain your entire system back. They could return it to you but definitely not without retaining something behind to blackmail you again later.
Ritu_G, User Rank: Apprentice, 2/10/2019 | 11:45:10 PM
It could be so much worse
I personally think that if the terrorists or hackers were serious about doing some damage, they wouldn't bother with asking for a ransom at all. They would just release all of that data in storage to hit where it hurts the most. At the end of the day, the guys that are waiting for cryptocurrency transfers are really just trying their luck to get a bit of extra money, if you ask me.