
Worried ransomware will screw your network? You could consider swallowing your pride, opening your wallet

We know it's controversial – but don't rule out paying the ransom to unscramble your biz files, experts suggest


As ransomware infections continue, conventional wisdom on how to respond to threats is going out the window.

The idea of agreeing to an extortionist's demand, and paying a ransom to restore your company's scrambled data, long considered a non-starter, is something businesses should mull over as a viable option, according to analyst house Forrester Research.

Josh Zelonis, a senior analyst specializing in security and risk for Forrester, argued this month that while organizations shouldn't just cave in immediately to every demand made, they should at least look into whether agreeing to a criminal's terms may be a better option than a costly wipe and recovery process.

The analyst is not alone, either. Other security professionals agree that, in certain cases, it may be better to negotiate than hold out and face a catastrophic outage and recovery. It may be wise to factor in paying up as a final recovery option, after other mainstream defenses – regular offline backups and security patching, intrusion prevention, and so on – fail.

It shouldn't be the first option to reach for, and you should focus on prevention rather than reactive cleanup; yet the option shouldn't be entirely discarded, especially as you prepare to sign off on spending seven figures or more on restoring operations.

The case against bankrolling criminals

When it comes to malware, the advice handed down by government agencies and information security firms alike has been to never pay ransom demands. The FBI's ransomware guidance (PDF) encourages anyone hit with ransomware to contact law enforcement, and tells both home PC owners and enterprises alike not to pay any extortion demands.

Rather, companies are advised to build and maintain regular backups of their data, stored offline separate from networks, and be prepared to wipe and restore any systems that get hit with the file-encrypting extortionware.

The reasoning is not hard to understand. Paying off a ransom only encourages criminals to continue their actions. When a hacker hits pay dirt from a successful ransomware infection, they are almost certain to try the same tactic again, possibly on the same target. By caving in to a ransomware demand, you only strengthen the criminals and put others at risk.

There is another basic truth at work: criminals are not trustworthy people. When you pay a ransomware demand, there is no guarantee the crooks will actually give you a valid unlock code (and in some cases the malware operators don't even know how to decrypt the files their code scrambles, or care at all whether it works).

Steve Piper, CEO with CyberEdge Group, told The Register that his outfit's most recent threat report found only about 60 per cent of companies that pay ransomware demands actually get their data back in the end.

"Even if you pay the ransom there is a two in five chance you are not getting the data back anyway," he explained.

When it comes down to it, the best defense against ransomware is to not get infected in the first place. Barring that, companies should have strong backup and recovery plans. It seems simple enough.

It's not always so simple, however

While the statistics and tough talk about not negotiating with crooks are all well and good, things are a bit different when it's your organization's data that is on the line after you've been solidly defeated. Large companies such as shipping titan Maersk and the US city of Baltimore have incurred massive multi-million-dollar cleanup bills after they resolved not to agree to any ransom demands, and repaired their installations virtually from scratch.

Even if a company is meticulous about backing up their data, the actual recovery process is far easier said than done, particularly when you have to do it with hundreds or thousands of PCs and terminals, and dozens of servers or cabinets of servers.


"A majority of organizations, even those that have backups, don't test their ability to recover," Forrester's Zelonis told El Reg, "and those that do don't test their ability to recover at scale."

This is where Zelonis wants companies to have the tough conversation: should pride and ego take precedence over the financial health of the organization and its ability to function? Baltimore, for example, has seen vital services such as the police force affected by its ransomware infection, and Maersk's operations hit the rocks hard.

When it comes down to it, the analyst argues, organizations should consider the option that is best for their business. In some cases, that might be to agree to some or all of the ransom demands.

"The decision to pay or not pay a ransom is in fact a business decision, and anyone telling you differently is not serving your interests," Zelonis told El Reg.

"At what point do we make a decision that our ego is second to how do we continue to provide the necessary services?"

Zelonis is not alone in this sentiment. Multiple infosec professionals who spoke with The Register supported the idea that companies should consider at least opening a dialogue with ransomware operators about a possible deal if recovery is non-trivial.

'Paying the ransom isn't going to make a difference'

One of those experts was Adam Kujawa, director of Malwarebytes Labs. Kujawa explained that, while refusing to be held hostage by ransomware was good advice in the early days, it doesn't hold up so well in the modern landscape: if you're infected, the damage is done, and the crooks will move on and attack another victim regardless.

"If you go back in time five to seven years, we would tell people never ever pay the ransom because it is going to encourage this behavior to become more popular and it will just keep coming back," he said.

"At this point I don't think paying the ransom is going to make a difference, the point has already been made."

The key thing, whether you pay off a ransomware mastermind or not, is to find out exactly how the software nasty got onto your network, and ensure it doesn't happen again.

Opening the door to payments does not mean companies should immediately cave to every ransom demand, Zelonis notes. Rather, he is advising organizations to bring in consultants or security vendors who are familiar with both the malware infections themselves and the people who operate them.


Those advisers, in turn, could help executives decide whether agreeing to pay a ransom would be a viable alternative to a full-scale wipe and replace operation. Ideally, this would be done while the company's IT staff works to isolate and, where possible, recover data from the infection.

"In parallel you are working with a ransomware expert that is going to have familiarity with the ransomware group, the particular strings, and how to go about discussions," he explained. "The only thing I am trying to accomplish is to show people how to go about the process."

Kujawa's advice is for companies to prioritize what data they most need to back up, and how often it needs to be updated.

For example, would a database need to be stored in a secure cloud every day, or can the business survive with updating it only every week or so? This can help companies decide how and what they need to recover, and what, if anything, they may want to try to get back from the ransomware.
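Zelonis's point that organizations don't test their ability to recover, and Kujawa's advice to rank data by how often it must be backed up, both come down to a check that can be automated. The script below is an added example, not code from the article or from Forrester or Malwarebytes: it assumes a backup manifest in which each asset carries its own recovery point objective (RPO, the hours of data loss the business can tolerate), an offline flag, the time the copy was taken and the content hash recorded then, and it runs a restore drill against a constructed backup store to report which assets could actually be restored today. All asset names, content and timestamps are constructed for illustration.

```python
"""Restore-drill check for a backup manifest (illustrative, constructed data).

Walks each asset the business has decided it must be able to recover, and reports
what would stop a recovery from working: a copy that is missing, a copy whose content
no longer matches the hash recorded when it was taken, a copy older than the asset's
recovery point objective (RPO), and a copy that is not held offline and so would be
encrypted along with production.
"""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def parse_utc(stamp: str) -> datetime:
    # Manifest timestamps (assumed format) are ISO-8601 with a trailing Z (UTC).
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed "known-good" content, hashed at the time each backup was taken.
GOOD_ORDERS = b"order_id,customer,total\n1001,acme,4200.00\n1002,globex,310.50\n"
GOOD_HR = b"employee_id,name,start_date\n7,Ada,2017-03-01\n8,Linus,2018-09-15\n"
GOOD_WIKI = b"# Runbooks\n\n## Restore the orders DB\n1. Mount the offline volume.\n"

# Constructed manifest: the assets the business has ranked, each with its own RPO
# (hours of data loss it can tolerate), whether the copy is kept offline, when the
# copy was taken, and the content hash recorded then.
MANIFEST = {
    "orders-db":  {"rpo_hours": 24,  "offline": True,  "last_backup": "2019-06-20T02:00:00Z", "sha256": sha256_hex(GOOD_ORDERS)},
    "hr-records": {"rpo_hours": 168, "offline": True,  "last_backup": "2019-06-13T01:00:00Z", "sha256": sha256_hex(GOOD_HR)},
    "eng-wiki":   {"rpo_hours": 168, "offline": False, "last_backup": "2019-06-19T23:00:00Z", "sha256": sha256_hex(GOOD_WIKI)},
    "payroll":    {"rpo_hours": 24,  "offline": True,  "last_backup": "2019-06-20T03:00:00Z", "sha256": "0" * 64},
}

# Constructed backup store: what is actually retrievable today. The wiki copy was
# silently truncated and the payroll copy was never written at all.
STORE = {
    "orders-db": GOOD_ORDERS,
    "hr-records": GOOD_HR,
    "eng-wiki": GOOD_WIKI[:-10],
}


def restore_drill(manifest, store, now):
    """Return {asset: [finding, ...]} for every asset; an empty list means recoverable."""
    report = {}
    for asset, meta in manifest.items():
        findings = []
        age_hours = (now - parse_utc(meta["last_backup"])).total_seconds() / 3600
        if age_hours > meta["rpo_hours"]:
            findings.append("stale")          # older than the RPO allows: data loss exceeds tolerance
        if not meta["offline"]:
            findings.append("online-only")    # reachable from the network, so ransomware can reach it too
        data = store.get(asset)
        if data is None:
            findings.append("missing")        # nothing to restore from
        elif sha256_hex(data) != meta["sha256"]:
            findings.append("hash-mismatch")  # copy exists but would not restore the recorded content
        report[asset] = findings
    return report


def recoverable(report):
    """Assets whose drill produced no findings, i.e. the ones you could restore right now."""
    return sorted(asset for asset, findings in report.items() if not findings)


if __name__ == "__main__":
    drill_time = parse_utc("2019-06-21T00:00:00Z")
    result = restore_drill(MANIFEST, STORE, drill_time)
    for asset, findings in result.items():
        print(f"{asset:12s} {'OK' if not findings else ', '.join(findings)}")
    print("recoverable now:", recoverable(result))
```

Run against the constructed data, only the orders database passes: the HR copy is eight days old against a one-week RPO, the wiki copy is both network-reachable and corrupt, and the payroll copy does not exist. A drill like this, scheduled against real manifests and a real restore target, is what turns "we have backups" into a recovery plan that can be weighed against a ransom demand with actual numbers.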

There is also the possibility of compromise, Kujawa notes. Companies may not have to cave in to all demands, and recovery doesn't necessarily need to be an all or nothing proposition.

"These guys behind the ransomware are not robots, they are human beings, at the end of the day a criminal is more likely to want to get something than nothing at all," he said.

"If you can't back up the data that is operationally important, negotiate with the cybercriminal."

In the end, it comes down to one simple realization: ransomware is no longer an IT problem, it is a business security consideration, and must be weighed as such. It is business expense versus business expense.

To that end, ego and optics have to take a back seat to keeping the entire operation afloat, and that may mean, when caught with your pants down and recovery unfeasible, making the tough call to swallow pride and cut a deal. ®
