Vulnerabilities / Threats

3/15/2016 01:30 PM
Ransomware: Putting Companies Between A Rock And A Hard Place

Paying a ransom encourages more attacks, but sometimes not paying could end up being a lot costlier

Ransomware attacks, in which criminals encrypt data on a victim’s computer and then demand a ransom to unlock it, have risen sharply in recent months, prompting growing debate on the best way to respond to the problem.

The consensus? There isn’t one really, at least not so far.

Incidents like the one in February, in which Hollywood Presbyterian Medical Center announced that it had paid $17,000 in Bitcoin to recover mission-critical data locked in a ransomware attack, are typical of the approach that many victims have taken.

In 2015, victims paid a total of over $24 million in some 2,453 reported ransomware attacks, according to a soon-to-be-released report from the FBI Internet Crime Complaint Center. Victims who have paid up include at least a couple of police departments.

Many believe that it is the success attackers have had in extracting money from victims that is driving more attacks. Others believe that, unsavory as it is, paying up may be the only option that organizations have if they want to recover from an attack. And some believe it all really depends on the situation.

Here’s a closer look at some of the divided opinions on dealing with the ransomware issue.

Paying Up

The FBI took considerable heat last year when the agency’s special agent in charge of the CYBER and Counterintelligence Program in Boston was quoted as recommending that victims might sometimes be best off just paying the ransom if they wanted to recover their data. Since then the agency has walked back some of the comments and said it doesn’t condone the payment of ransom in any situation. But many share the agency’s original sentiment.

“The FBI is right--it's just not worth the fallout,” says Israel Levy, CEO of BufferZone, a vendor of endpoint security products. “We generally advise organizations to pay and protect,” instead of risking data loss following a successful ransomware attack, he says in comments to Dark Reading.

A majority of security researchers agree that in most cases, data locked or encrypted by a ransomware tool is almost impossible to recover without access to the decryption keys. The challenge is exacerbated by the fact that attackers often give victims only a relatively short period of time to pay the ransom. After that, the ransom amount could double or even triple.

Importantly, the ransom amounts demanded usually reflect a good understanding of the victim’s ability to pay, security vendor Symantec said in a report last year. Ransom amounts for individuals can range from $21 to $700, with the average being around $300. For businesses, the amounts are usually higher, with the sweet spot being around $10,000. Though the amount is much higher than the ransom for individual users, it reflects an amount that businesses seem “willing to pay and what law enforcement is reluctant to investigate,” Symantec noted in its report.

As a result, unless an organization has an up-to-date copy of all data that might have been encrypted in a ransomware attack, it may be easier just to pay up, some say.

“Taking into consideration the full scope of the risk, the ROI and the risk and recovery process, the only option is to pay,” Levy says. “In most cases your data will not be as current as you want it to be and merely a single file lost can make all the difference in the ROI.” By not paying the demanded ransom, an organization could put critical data at risk, he says.

It’s the reasoning that Presbyterian Memorial used in arriving at its decision to pay the attackers off. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” hospital president and CEO Allen Stefanek had noted at the time. “In the best interest of restoring normal operations, we did this.”

Not Budging

The growing number of security professionals in this camp argue that the best way to derail ransomware attacks is to stop making them profitable for attackers.

“By paying, you're not only encouraging this behavior, you're also opening yourself up to further attacks,” said Guy Bunker, senior vice president of products at data loss prevention company Clearswift. “Remember that the people who do this are criminals, and they may well re-encrypt your machine two weeks later,” he said in a statement.

The best option for organizations to reduce their exposure to the threat is to have a good data backup process in place. “Users should also continually test their backups to ensure they are viable and the process works,” said Travis Smith, senior security researcher at Tripwire, in a statement. “By having a streamlined backup process in place, the cost of restoring data will be reduced to a lower price point than the ransom.”

It Really Depends

This approach advocates a more considered response to a ransomware attack. Those who support it say the decision to pay or not to pay a ransom should be based purely on the kind of data that is affected and the organization’s ability to recover or restore it.

Rohyt Belani, CEO of PhishMe, says a prepared organization should never pay a ransom to an attacker. Like many others, he believes it only invites future attacks. “That said, if an organization is unprepared, they [would] be forced into making a fast decision based on the estimated fallout,” he says in comments to Dark Reading.

If the loss of data threatens lives, for instance, which is what likely happened with Presbyterian Memorial, then the decision to pay or not to pay becomes a critical situational decision, he says.

“If it’s the company accounting system – can you recover without paying?” he asks. “If it’s locked down customer data – can you work from an older copy? If it’s critical data, are you willing to negotiate?”

Only by making the effort to understand beforehand the importance of each class of data, and the extent to which each can be recovered, can an organization be prepared for a ransomware attack if it happens, he says.
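The two pieces of advice above, test your backups continually and know beforehand how far each class of data can be recovered, can be turned into one routine check. The following is an example added to this article; it is not code from Dark Reading or from any of the vendors quoted. It assumes a hypothetical manifest.json written at backup time (path, SHA-256 digest, source modification time and a data class per file) and per-class recovery point objectives (RPOs) chosen by the organization; the sample files, classes and tampering in `demo()` are constructed.

```python
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional

# Hypothetical manifest written at backup time (assumption for this example).
MANIFEST_NAME = "manifest.json"

# Assumed per-class recovery point objectives, in seconds: how old a restorable
# copy may be before the backup is judged unusable for that class of data.
DEFAULT_RPO: Dict[str, float] = {"critical": 4 * 3600, "standard": 7 * 24 * 3600}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, classes: Dict[str, str]) -> Path:
    """Run at backup time: record digest, mtime and data class of every file."""
    entries = []
    for p in sorted(backup_dir.rglob("*")):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = str(p.relative_to(backup_dir))
            entries.append({"path": rel, "sha256": sha256_file(p),
                            "mtime": p.stat().st_mtime,
                            "class": classes.get(rel, "standard")})
    manifest = backup_dir / MANIFEST_NAME
    manifest.write_text(json.dumps(entries, indent=2))
    return manifest


def verify_backup(backup_dir: Path, rpo: Dict[str, float] = DEFAULT_RPO,
                  now: Optional[float] = None) -> dict:
    """Restore test: every manifest entry must be present, its digest must
    match, and its age must be within the RPO for its data class."""
    now = time.time() if now is None else now
    entries = json.loads((backup_dir / MANIFEST_NAME).read_text())
    report = {"checked": 0, "missing": [], "corrupt": [], "stale": []}
    for e in entries:
        report["checked"] += 1
        p = backup_dir / e["path"]
        if not p.is_file():
            report["missing"].append(e["path"])
            continue
        if sha256_file(p) != e["sha256"]:
            report["corrupt"].append(e["path"])
        if now - e["mtime"] > rpo.get(e["class"], rpo["standard"]):
            report["stale"].append(e["path"])
    report["ok"] = not (report["missing"] or report["corrupt"] or report["stale"])
    return report


def demo(tamper: bool = True, age_offset: float = 0.0) -> dict:
    """Constructed scenario: three files are backed up and classified; if
    `tamper` is set, one file is then overwritten and one deleted behind the
    manifest's back, which is what a restore test must catch. `age_offset`
    pretends the check runs that many seconds later, to exercise the RPOs."""
    root = Path(tempfile.mkdtemp())
    (root / "ledger.csv").write_text("id,amount\n1,100\n")
    (root / "customers.db").write_bytes(b"\x00\x01\x02")
    (root / "notes.txt").write_text("quarterly notes\n")
    write_manifest(root, {"ledger.csv": "critical", "customers.db": "critical"})
    if tamper:
        (root / "customers.db").write_bytes(b"not the original bytes")
        (root / "notes.txt").unlink()
    return verify_backup(root, now=time.time() + age_offset)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The report separates three failure modes a backup can have without anyone noticing: a file that is gone, a file whose bytes no longer match what was backed up, and a file that is present and intact but older than the organization is willing to tolerate for that class of data. Running the check on a schedule (and, ideally, from a restored copy rather than the live backup volume) is what makes the backup a real alternative to paying.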

“If it’s critical data that hasn’t been backed up, or the organization cannot operate without it, or recover from such a loss, they will have to make some hard decisions,” Belani says.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication.
