Ransomware: To pay or not to pay?

Recent news reports have pushed ransomware high up the boardroom agenda and into the public eye. In the last few weeks, NASCAR team Circle Sport-Leavine Family Racing (CSLFR) reported that it had been left with no other choice but to pay a ransom to retrieve £1.5 million of key proprietary information held hostage. Recreating the data would have taken the team over 1,500 hours of manpower.

And herein lies the dilemma. Ransomware is a very real and serious threat, and its negative impact on an individual or corporation relates directly to the effort, time and cost of restoring systems and devices to their previous working state. Once they understand the cost of recovery, both monetary and reputational, victims are left to decide whether to cough up or move forward with a recovery plan – if one indeed exists.

Ransomware is evolving

As the ransomware ecosystem began to evolve, attacks were more random in nature – perhaps like the CSLFR case. Machines and networks were infected, leaving the victims to decide if the ransom figure represented value for money: was getting the data back worth the amount being requested, or could it be retrieved by other means, such as from back-ups or by recreating it? Was the data even important? As the old saying goes, ‘One man's trash is another man's treasure’. In recent times the model has become a little more targeted, with criminals pursuing entities more likely to pay up. This is why healthcare organisations are now an all too common target – patient data is essential for business continuity.

Not only has ransomware become more targeted, but the advent of digital cryptocurrencies like Bitcoin and the emergence of the Dark Web have led to an explosion of sorts. It is easier than ever for cybercriminals to collect their ransom while preserving their anonymity. Factor in our ever-increasing reliance on digital technologies and the multitude of connected devices we use, and it is far easier for attackers to access and target their victims.

Unfortunately, through the rise of RaaS (ransomware as a service), even the most advanced and sophisticated types of ransomware are in the hands of lesser-skilled criminals, many without coding ability or any understanding of the underlying technologies. Skilled developers lease their creations to less skilled criminals in return for a percentage of the ransoms received, reducing their own risk of being caught by law enforcement as they move further away from the frontline.

Cybercriminals will always focus on gaining the greatest rewards with the least possible effort. We have already seen cases where file extensions are changed but no encryption takes place. For many years we have seen rogue websites and apps attempt to trick users into paying out money after locking them out of their systems, or asking them to pay ransoms over false accusations of unlawful activity – often with the threat of public shaming or criminal proceedings if the victim doesn’t pay up. Ransomware is ransomware, regardless of the level of skill needed to reverse the damage. The shock value is now established, whether the attack is a browser lock that is simple to remove, a machine locker, or the actual encryption of files.
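A triage check for the case described above, where file extensions are changed but no encryption takes place. This is an added example, not part of the original article; the signature table, the 7.5 bits-per-byte threshold and the sample file names and contents are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

# Leading bytes of a few common formats (well-known file signatures).
SIGNATURES = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip/docx/xlsx",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for constant data, 8.0 for uniform random."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(data: bytes, sample: int = 65536, threshold: float = 7.5) -> str:
    """Classify the first `sample` bytes of a file that was renamed in an incident."""
    head = data[:sample]
    for magic, kind in SIGNATURES.items():
        if head.startswith(magic):
            # Original header survives: the start of the file was not encrypted.
            # This says nothing about bytes beyond the header.
            return f"known-format:{kind}"
    if shannon_entropy(head) >= threshold:
        # No known header and near-random content: consistent with encryption
        # (or with a compressed format missing from SIGNATURES).
        return "high-entropy"
    return "low-entropy"  # e.g. plain text; content is not ciphertext

# Constructed sample data standing in for files found with a changed extension.
PSEUDO_CIPHERTEXT = b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128)
)
SAMPLES = {
    "report.pdf.locked": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n",
    "notes.txt.locked": b"Quarterly planning notes, draft 2.\n" * 40,
    "ledger.xlsx.locked": PSEUDO_CIPHERTEXT,
}

def triage_all(samples: dict) -> dict:
    return {name: triage(data) for name, data in samples.items()}

if __name__ == "__main__":
    for name, verdict in triage_all(SAMPLES).items():
        print(f"{name}: {verdict}")
```

Files reported as known-format or low-entropy are candidates for recovery by simply restoring the original extension; verify on copies before touching the originals.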

Plan ahead

Individuals and organisations need to plan ahead. User education and risk evaluation are vital – people are the first line of defence. Technology-wise, harness threat intelligence solutions and take regular air-gapped backups. It’s important to create well-defined incident response and disaster recovery plans for when the worst happens – test these plans regularly, including your file restoration process.

If the cost of recovery exceeds the cost of paying the ransom, victims must consider the implications of paying. One major consequence is that there is absolutely no guarantee that, if you do pay, the criminals will give back the data they have stolen, or indeed that they even can. An example of this is the recently reported Ranscam. Ranscam is ‘ransomware’ that actually deletes files instead of taking the common encrypting approach, so even after paying the ransom, the files remain unrecoverable.

Simply put, paying the ransom highlights the current security posture of your business – so if you do pay, it’s now time to improve your security practices, as in all probability you will become a target for further cyberattacks in the future.

David Kennerley, Director of Threat Research, Webroot
