1/23/2019 10:30 AM
Jadee Hanson
Commentary

Think Twice Before Paying a Ransom

Why stockpiling cryptocurrency or paying cybercriminals is not the best response.

Imagine a scenario in which a financial services firm is hit with a ransomware attack that hijacks its corporate network, rendering systems unavailable to users and effectively grinding business to a halt. Even after officials at the company pay the offending cyber extortionists hundreds of thousands of dollars in ransom, the systems remain unavailable for days.

In such a case, the damages would include not only the ransomware payment itself but the enormous losses related to downtime. That includes uncompleted transactions, lost employee productivity, and unhappy customers — to name a few.

This type of situation unfortunately happens more often than we'd like to think. And it shows why the common practice of stockpiling cryptocurrency for just such an event is often a misguided strategy.

The Problem with Stockpiling
We've known for years that organizations are quite willing to pay ransoms to cybercriminals who take their data hostage through ransomware. This year, my company conducted a survey of 1,700 business, security, and IT executives to find out how widespread the trend really is.

Alarmingly, nearly three-quarters of the security executives and 60% of CEOs admitted to stockpiling cryptocurrency to pay cybercriminals in case of a ransomware attack or data breach. And about eight in 10 of the security executives whose companies have stockpiled cryptocurrency have made payments to cybercriminals in the past year.

There are many reasons we discourage the practice of stockpiling cryptocurrency to pay cyber ransoms. Buying cryptocurrency in the first place is risky, if only because of its wildly fluctuating values. Furthermore, paying attackers does not guarantee that they will decrypt the affected files and systems.

It's also important to remember that cryptocurrency transactions can't be reversed. Once the payment has been made, it's gone for good.

Restore Your Data — and Your Peace of Mind
While prevention technologies definitely play a role in helping organizations mitigate the effects of ransomware, security plans that also include data loss protection strategies give companies a fuller defense. When we shift the lens from prevention to protection, enterprises retain access to every file in the event of an attack, which gives them options other than paying ransoms.

Even though the number of ransomware attacks has declined 30% since 2017, according to research from cybersecurity and antivirus provider Kaspersky Lab, the attacks remain particularly lucrative for criminals. For one thing, they're inexpensive to execute, and they're easy to pull off. That explains the recent surge in the popularity of "ransomware as a service."

MIT Technology Review reported last April that in 2015 alone, enterprises infected by ransomware paid millions of dollars in bitcoin, which was also the cryptocurrency of choice in 2017's string of WannaCry attacks. WannaCry attacked more than 250,000 systems in 150 countries across private and public sector organizations, including FedEx, Hitachi, Nissan, the Russian interior ministry, and thousands of enterprises in Spain and India.

Perhaps the most notorious attack crippled the UK's National Health Service (NHS) in May 2017 by bringing its data systems to a halt. This is significant because human lives are on the line when healthcare organizations cannot access medical record data immediately to provide the right patient care. Hospitals and clinics often become prime targets for attackers because it is so crucial that they restore systems and access to medical records as quickly as possible and, as a result, often pay ransoms.

Heed the Warnings
These episodes, combined with analytical and empirical evidence, demonstrate that many organizations still have much work to do in order to better protect themselves against all types of cyberattacks, including ransomware.

Here are some suggested measures:

● Perform regular system updates and patches, so that vulnerable systems are not used to run ransomware exploits.

● Conduct regular external system data backups. This allows you to restore information from prior to the time of the ransomware attack.

● Make sure all users are aware of and educated about the tactics used in ransomware and other attacks. This will make users less likely to click on suspicious links and infect their companies with ransomware.

Organizations need to have full visibility over all of their data. This includes having the ability to search and investigate files across endpoints and cloud services in minutes, rather than over the days and weeks it usually takes following an attack.

By taking these initiatives, organizations can be much better prepared for ransomware attacks. It’s a far more sensible approach than saving up lots of cryptocurrency that organizations might end up throwing away.

Jadee Hanson, CISSP, CISA, is the Chief Information Security Officer and Vice President of Information Systems at Code42. Jadee's passion for security started gathering steam with her first role as a security adviser at Deloitte. After five years and a lot of travel, Jadee ...

Comments
PaulChau, User Rank: Apprentice
2/13/2019 | 2:37:58 AM
They won't give in
Isn't it the same situation with a physical hostage situation? When your entire database is held hostage, you should always consult the authorities to seek their advice first before you go ahead and let the hackers win. Even if you pay them up, you might not necessarily obtain your entire system back. They could return it to you but definitely not without retaining something behind to blackmail you again later.
Ritu_G, User Rank: Apprentice
2/10/2019 | 11:45:10 PM
It could be so much worse
I personally think that if the terrorists or hackers were serious about doing some damage, they wouldn't bother with asking for a ransom at all. They would just release all of that data in storage to hit where it hurts the most. At the end of the day, the guys that are waiting for cryptocurrency transfers are really just trying their luck to hit a bit of extra money if you ask.