Ransomware attacks, in which criminals encrypt data on a victim’s computer and then seek a ransom for unlocking it, have risen sharply in recent months prompting growing debate on the best way to respond to the problem.
The consensus? There isn’t one really, at least not so far.
Incidents like one in February where Hollywood Presbyterian Medical Center announced that it had paid $17,000 in Bitcoin to recover mission-critical data that had been locked in a ransomware attack, are typical of the approach that many victims themselves have taken.
In 2015, victims paid a total of over $24 million in some 2,453 reported ransomware attacks, according to a soon-to-be-released report from the FBI Internet Crime Complaint Center. Victims who have paid up include at least a couple of police departments.
Many believe that it is the success attackers have had in extracting money from victims that is driving more attacks. Others believe that, unsavory as it is, paying up may be the only option that organizations have if they want to recover from an attack. And some believe it all really depends on the situation.
Here’s a closer look at some of the divided opinions on dealing with the ransomware issue.
The FBI took considerable heat last year when the agency’s special agent in change of the CYBER and Counterintelligence Program in Boston was quoted as recommending that victims might sometimes be best off just paying the ransom if they wanted to recover their data. Since then the agency has walked back some of the comments and said it doesn’t condone the payment of ransom in any situation. But many share the agency’s original sentiment.
"The FBI is right--it's just not worth the fallout,” says Israel Levy, CEO of BufferZone, a vendor of endpoint security products. “We generally advise organizations to pay and protect,” instead of risking data loss following a successful ransomware attack, he says in comments to Dark Reading.
A majority of security researchers agree that in most cases, data locked or encrypted by a ransomware tool is almost impossible to recover without access to the decryption keys. It is a challenge that is exacerbated by the fact that attackers often give victims only a relatively short period of time to pay the ransom. After that, the ransom amount could double or even triple.
Importantly, the ransom amounts demanded usually reflect a good understanding of the victim’s ability to pay, security vendor Symantec said in a report last year. Ransoms amounts for individuals can range from $21 to $700 with the average being around $300. For businesses, the amounts are usually higher, with the sweet spot being around $10,000. Though the amount is much higher than the ransom for individual users, it reflects an amount that business seems “willing to pay and what law enforcements are reluctant to investigate,” Symantec had noted in its report
As a result, unless an organization has an up to date copy of all data that might have been encrypted in a ransomware attack, it may be easier just paying up, say some.
“Taking into consideration the full scope of the risk, the ROI and the risk and recovery process, the only option is to pay,” Levy says. “In most cases your data will not be as current as you want it to be and merely a single file lost can make all the difference in the ROI.” By not paying the demanded ransom, an organization could put critical data at risk, he says.
It’s the reasoning that Presbyterian Memorial used in arriving at its decision to pay the attackers off. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” hospital president and CEO Allen Stefanek had noted at the time. “In the best interest of restoring normal operations, we did this.”
The growing numbers of security professionals in this camp argue that the best way to derail ransomware attacks is to stop making it profitable for attackers.
“By paying, you're not only encouraging this behavior, you're also opening yourself up to further attacks,” said Guy Bunker, senior vice president of products at data loss prevention company Clearswift. “Remember that the people who do this are criminals, and they may well re-encrypt your machine two weeks later,” he said in a statement.
The best option for organizations to reduce their exposure to the threat is to have a good data backup process in place. “Users should also continually test their backups to ensure they are viable and the process works,” said Travis Smith, senior security researcher at Tripwire in a statement. “By having a streamlined backup process in place, the cost of restoring data will be reduced to a lower price point than the ransom.”
It Really Depends
This is an approach that advocates a more considered response to a ransomware attack. Those who support it say the decision to pay or not to pay a ransom should be based purely on the kind of data that is affected and the organization’s ability to recover or restore it.
Rohyt Belani, CEO of PhishMe, says a prepared organization should never pay a ransom to an attacker. Like many others, he believes it only invites future attacks. “That said, if an organization is unprepared, they [would] be forced into making a fast decision based on the estimated fallout” he says in comments to Dark Reading.
If the loss of data for instance threatens lives, which is what likely happened with Presbyterian Memorial, then the decision to pay or not to pay becomes a critical situational decision, he says.
“If it’s the company accounting system – can you recover without paying?” he asks. “If it’s locked down customer data – can you work from an older copy? If it’s critical data, are you willing to negotiate?”
It is only by taking the effort to understand the importance of each data class beforehand and the extent of recovery possible with each that an organization can be prepared for a ransomware attack, if it happens he says.
“If it’s critical data that hasn’t been backed up, or the organization cannot operate without it, or recover from such a loss, they will have to make some hard decisions,” Belani says.