When a Florida town of 35,000 paid a $600,000 ransom to regain control of its computer systems and critical services — from e-mail access to management of a water-pumping station — critics immediately warned that paying ransomware operators would only lead to more attacks.
Yet businesses and city governments need to stay operational. While risk analysts and security experts continue to recommend that companies keep focused on securing their systems and speeding incident response to minimize the impact of crypto-locking ransomware, they are now also recommending that companies be prepared to capitulate.
In a June 5 report, for example, Forrester Research published a guide to paying ransomware, advising its audience to consider third-party firms that negotiate with cybercriminals to ensure the best outcome.
"Our recommendation is to work with someone who is essentially a specialized breach coach for ransomware," says Josh Zelonis, senior analyst for cybersecurity and risk at Forrester. Companies need to "go through a staged process to make sure that you are building a rapport with the actor and ensuring that they are able, and willing, to decrypt the data — to essentially deliver a 'proof of life.'"
The list of municipalities that have been hit with ransomware is growing. Baltimore, Maryland; Atlanta, Georgia; Riviera Beach, Florida; and Albany, New York, have all faced the decision of whether or not to pay. Some, such as Riviera Beach, decided they had no other choice but to meet the ransomers' demands. Others, such as Atlanta, reportedly refused and faced massive clean-up bills.
The list of companies that have had to deal with crypto-locking ransomware is even longer. Large companies, from Merck to Fedex to Renault, wrote down hundreds of millions of dollars from the WannaCry and NotPetya attacks. Now, clients of some managed service providers are facing ransom demands after attackers gained control of their administrative portals. Paying $17,000 in 2016, Hollywood Presbyterian Medical Center got off fairly lightly.
"I don't think you can make a blanket statement of 'pay the ransom' or 'don't pay the ransom,'" says Adam Kujawa, director of the research labs at security firms Malwarebytes. "If you have failed to segment your data or your network, or failed to check your backups or other measures to get your company back on track quickly, then you will have to deal with the fallout."
One problem for companies: Ransomware operators have shifted away from blanketing consumers and businesses with opportunistic ransomware attacks and now almost exclusively target business and municipalities. Along with that shift, the cost of ransoms has quickly grown because such organizations can afford to pay. Now, many organizations are faced with seven-digit ransom demands, Zelonis says. "That's a heck of a payday," he adds.
The increase in ransom demands is driven by attackers' targeting and research on victims, he says.
"It is interesting because the other thing we are seeing is that these actors are not just looking at your infrastructure and where your backups are to make sure that you cannot recover from backups," he says. "A lot of the actors are looking at a company's annual revenue to figure out what they can afford to pay."
For companies that want to stick to their pledge to never pay ransomware operators, that intent needs to start before an incident — with preparation. Organizations need to focus on security, incident response, and recovery to minimize the cost of a ransomware attack. Incident response exercises are key, Zelonis says.
Yet cybercriminals have become more savvy. They will often spend time in a target's network looking for the most sensitive data and making sure they can compromise the backups, as well, he says.
"The ransomware market from two or three years ago has totally evolved," Zelonis says. "[Cybercriminals] are understanding where you are backing things up and going after those systems. This is a full-scale breach."
The Forrester report advises companies to invest in cyber insurance as a way to offset at least some business risk. Organizations should also test their ability to recover from a massive data loss event using their backups.
"A harsh reality is that a majority of organizations aren't testing their ability to recover a single system from backups, much less validating they have the ability to recover potentially hundreds of systems at the same time," the report states.
To be most responsive in the case of a ransomware incident, companies need to have a plan for acquiring cryptocurrency or have a fund already in place, as well as have an incident response provider on retainer and select a ransomware specialist, the report stated.
The focus for companies is to stay in business, so even for companies that could recover all of their data, it is often easier — and cheaper — to just work with the attacker to restore the data.
"If you are losing data, that will cost you more to recover or to deal with the fallout of losing it, and you are dealing with the cybercriminal and they are willing to negotiate, then you are in a situation where paying might not be the worst idea in the world," Malwarebytes' Kujawa says. "It's not what we like to do, but at the end of the day, a business needs to stay in operation."
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio