IT Security: Ransomware should haunt you all the time

The problem is much more complex than whether or not to just pay the ransom.
When the ransomware demands come in, it is really too late to come up with a good response plan. Deciding beforehand whether to pay or not, and under what conditions, is a cost-benefit decision in the end.
But in the heat of the moment, what should be a rational business decision becomes an emotional issue that challenges the morals and pride of decision makers. It just feels wrong to cave in to the demands of criminals who have encrypted machines and will not turn over the keys until payment.
Ultimately, those who make the decision must act in the best interest of the company. That means deciding when refusing to pay the ransom is worth the consequences: lost productivity, missed customer engagements and the cost of replacing devices that are irreversibly encrypted.
When it comes time to pay, try to negotiate down the demand. Earlier this year extortionists demanded $3.6 million from Hollywood Presbyterian Medical Center to unlock ransomware. They wound up paying $17,000.
Beyond deciding to pay or not to pay, businesses should do threat and vulnerability analyses to identify how adversaries could get in, what they could infect and what the business impact would be.
Planning is also important because the timeframe for making a decision can be narrow, depending on the time limit set by the extortionist.
Once paid, getting the network back to normal is no simple matter. Businesses need to do forensics to see how the attack unfolded so measures can be taken to block the same type of attack in the future. That is because attackers sell lists of businesses that have paid ransom and what methods the attackers used against them so those who buy the lists can use the same attack tool again and again.
Businesses also need to find out where the attackers went within the network to discover where they might have buried malware for use at a later time. Often the ransomware attack is used as a distraction so network security pros do not notice other types of attacks.
One of the best protections against ransomware attacks is effective backup, but it is not foolproof. For example, if the ransomware is inserted in machines and lies dormant, it can itself be backed up, so machines restored with the backup will still be infected. That is why forensics are important to determine when and where the malware was placed. And it is important to reimage machines, not just restore data.
If there is a bright side, ransomware extortionists generally do what they say they will do. If the victim pays up, they will send the keys to unlock the encryption.
The problem is not likely to go away any time soon. Over time, these attacks are getting more sophisticated and difficult to prevent. When security researchers reverse engineer a strain of ransomware to find out how to disarm it, the criminals quickly abandon it and come up with something else.

