Ransomware has fast become the biggest actor in the global threatscape. Attacks such as Petya and WannaCry made global headlines and came at a massive financial cost to organisations not protected against the threat. Whilst there is plenty of advice on how to avoid becoming a victim of the ransomware scourge, the grapevine is much quieter when it comes to answering the question: should you pay ransomware ransoms?
The data on how many companies actually pay a ransom is fairly unreliable, simply because admitting that a ransom was paid is also admitting a network was compromised and that both security and data recovery implementations were inadequate.
That said, when a ransom is typically many orders of magnitude cheaper than employing a specialist recovery outfit to decrypt your data (and far more likely to succeed), it's not surprising that paying up can look like an attractive option.
With the cost of business downtime and the resources needed to recover data (or, where recovery is not possible, the cost of the data loss itself) causing the most financial harm, maybe the question we should ask is: why wouldn't you pay the ransom if it's the cheapest route to business continuity?
Having a proper business continuity plan in place, including a workable and regularly tested data recovery strategy, means you should never need to ask whether a ransom ought to be paid or not. Even if you have managed to overlook this essential part of any modern business, there's still hope of recovering data without paying a ransom.
The No More Ransom project has some 50 freely downloadable decryption tools that work with more than 100 ransomware families. If you are unsure of the particular variant that has encrypted your data, there's even a 'Crypto Sheriff' tool that can determine that for you from the encrypted files themselves, as well as from the ransom demand texts you see. Bear in mind that a decryptor only exists for a family whose keys or cryptographic weaknesses have been recovered, so identifying the variant is the first step, not a guarantee.
Earlier this year, the Telstra cyber security report 2017 revealed that 60% of Australian organisations had experienced at least one ransomware attack, and of those, 57% had paid up. One in three did not successfully recover their data afterwards.
In an ideal world, you would be presented with a decryption key upon dropping the ransom into the cryptocurrency wallet, and your data would be accessible once more. As we all know, the ideal world and the real world do not coexist happily. When you pay a ransom, you are, in effect, tossing a coin as to whether you get your data back or not. It largely depends on who you are dealing with, and there's no way of knowing that until you deal with them.
When I attended a security briefing at the Helsinki HQ of F-Secure last year, the researchers were quite up front about how professional some ransomware actors are. Some had set up technical support lines to hand-hold victims through the decryption process, and even had customer help agents willing to negotiate down ransom amounts where the victim was unable to pay the full amount. This makes sense, because if a ransomware family gets a reputation for taking the money and leaving data encrypted, then word of mouth spreads quickly and nobody pays the ransom.
The popularity of ransomware has boomed amongst the criminal fraternity and plenty of unscrupulous actors have entered the market. For them, the arguments against bothering to deliver decryption keys are strong. These players will usually safeguard their anonymity at all costs, and only care about making a quick and safe profit from any attack before moving on to the next. For them, any contact beyond a bitcoin payment dropping into a wallet is a risk not worth taking. Worse, many are opportunists without any technical ability who are simply using ransomware kits purchased or rented on an 'as-a-service' basis. As such, they often unwittingly introduce flaws while 'branding' the attack, making decryption impossible because the keys are corrupted.
So, to sum up, you should only consider paying a ransom as an absolute last resort. If you've exhausted all other avenues when it comes to data recovery, then maybe it is an option you must consider. This is especially true if the ransom requested is a lot less than the cost to your business of losing that data. The payment equation doesn't end there, though; it also needs to take into account the cost to your business in terms of the man-hours spent attempting to recover data. And if you do pay a ransomware ransom, you must be aware that it's a gamble: there is no guarantee that your data will actually be decrypted.
Davey has been writing about IT security for more than two decades, and is a three-time winner of the BT Information Security Journalist of the Year title. An ex-hacker turned security consultant and journalist, Davey was given the prestigious 'Enigma' award for his 'lifetime contribution' to information security journalism in 2011. You can follow Davey on Twitter at @happygeek.
Want to know more about protecting your networks from a ransomware attack? Check out this article: 7 Steps to Help Limit Your Chances of Getting Hit By a Ransomware Attack
© 2017 SolarWinds MSP UK Ltd. All Rights Reserved.