The professional advice is never to negotiate; you should never pay a criminal gang that is holding you to ransom. Report them to the authorities, who will investigate their activities further. Sound advice and a strong stance to take. However, what if there is a clock ticking and you have only 72 hours to comply, or you will lose all your data: your company's data, the data held on cloud services, the data on your servers, and nobody will be able to recover it for you?
What if the cost of the ransom is less than one tenth of the cost you will incur in lost productivity, in the downtime required to rebuild your data, in reputation damage and lost business? Now the ‘don’t negotiate’ advice isn’t quite as compelling, is it? Perhaps if you pay ‘just this once’ you can resolve all your cyber security issues as a background task and make sure that this never happens again. If you pay, nobody actually needs to know that you have had this crisis in the first place; it can be an ‘internal matter only’. This is what happens when you suffer a ransomware attack, and more and more businesses are going against the grain of the advice and actually paying the ransom.
Ransomware has been around for a while, but it is currently a rich seam for cyber criminals to exploit. The software is deployed through a phishing scam, an email attachment or a dubious website, and then goes about encrypting all of the data on the machine. It will also encrypt any data repositories that the machine is connected to, and slowly spread through the organisation. The key to decrypt the data and get a company back to normal is available for a fee, payable in the relatively untraceable internet currency Bitcoin, but the key is only available for 72 hours (or sometimes less), after which it is destroyed and nobody, including the criminals behind the attack, will be able to recover it. Pay the ransom, receive the key and you are back to normal. This is not a game show; this game of brinkmanship is real.
In a perfect world you wouldn’t pay, but we all know that the world, especially the world of IT, is not perfect. Being faced with a ransomware attack will put into sharp focus just how strong a company’s disaster recovery procedures actually are. If a company didn’t pay and its data is lost, exactly how confident is it that its in-house IT team, or its outsourced provider, can get it up and running again? I’m an IT realist, and experience tells me that many tasks that ‘should’ be done, such as checking backups and testing recovery procedures, rarely get to the top of the to-do list in IT departments across the business world.
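The backup checking and recovery testing described above can be automated rather than left on the to-do list. The following is an added example, not code from the original article: it records a SHA-256 manifest of the live data, verifies the backup against it, runs a restore drill into a scratch directory, and then shows what the check reports after one backup file has been overwritten in place (standing in for ransomware reaching a connected backup share). All file names and contents are constructed for the demonstration; the manifest should be kept somewhere the backup host cannot write to, otherwise an attacker who reaches the backup can rewrite both.

```python
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(source_dir):
    """Map each file's POSIX-style relative path to its SHA-256 at backup time."""
    source = Path(source_dir)
    return {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir, manifest):
    """Return (ok, problems) listing files that are missing or whose content changed."""
    backup = Path(backup_dir)
    problems = []
    for rel, expected in manifest.items():
        candidate = backup / rel
        if not candidate.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_of(candidate) != expected:
            problems.append(f"modified: {rel}")
    return (not problems, problems)


def restore_drill(backup_dir, manifest):
    """Restore into a throwaway directory and verify there: proves the backup is restorable."""
    scratch = tempfile.mkdtemp(prefix="restore-drill-")
    try:
        shutil.copytree(backup_dir, scratch, dirs_exist_ok=True)
        return verify_backup(scratch, manifest)
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def demo():
    """Constructed scenario: a clean backup passes, then one tampered file is caught.

    Returns (healthy_before, ok_after_tamper, problems_after_tamper).
    """
    root = Path(tempfile.mkdtemp(prefix="ransom-demo-"))
    try:
        live, backup = root / "live", root / "backup"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "report.txt").write_text("Q3 figures (constructed sample)\n")
        (live / "notes.txt").write_text("call the auditors (constructed sample)\n")

        manifest = build_manifest(live)          # taken while the data is known-good
        shutil.copytree(live, backup)            # the nightly backup job, simplified

        ok_before, _ = verify_backup(backup, manifest)
        drill_ok, _ = restore_drill(backup, manifest)

        # Simulate the backup share being reached and a file encrypted in place:
        # the path still exists, but the content no longer matches the manifest.
        (backup / "docs" / "report.txt").write_bytes(os.urandom(64))
        ok_after, problems = verify_backup(backup, manifest)

        return (ok_before and drill_ok, ok_after, problems)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    healthy, ok_after, problems = demo()
    print("backup healthy and restorable before tampering:", healthy)
    print("backup passes after tampering:", ok_after, problems)
```

Run this on a schedule against the real backup target and alert on any non-empty problem list; a manifest check that never runs is exactly the ‘should’ task the paragraph above describes.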
Here’s the rub, though: if you do pay and hand over thousands to the criminals, they will actually honour their claims and release your data. Why? Because if the individuals behind ransomware such as Cryptolocker didn’t provide the decryption key to your data, then everybody would know it was a scam, nobody would ever pay, and the business model of this particular strain of cybercrime would break down. Bizarrely enough, should a victim pay the ransom, there is even an element of customer support provided by the criminals to ensure you do recover your data. One expert I discussed this with stated that the process can be almost pleasurable, if you just ignore the fact that it is illegal!
Consider as well, as the ransom clock ticks down, that the criminals don’t care whether you pay or not. They are infecting thousands of machines and networks and, like a direct mail campaign, only require a small percentage of victims to take action in order to make it financially viable for them. They have us all backed into a corner and are holding a cyber gun to our business heads.
The FBI has reported that over $24 million was paid in ransoms last year. Admittedly these are reported figures, so it is believed that the true figure could be 3-5 times higher, as many victims will have kept an attack ‘in house’ and not reported it. Alongside this, there are cases in the public domain where healthcare companies and educational providers have stated that it was in their best interests to actually pay the ransom.
So what would you do? Suppose you receive a notification today (Wednesday) that Cryptolocker is busy encrypting your data, and that 72 hours from now, by Friday afternoon, you could be saying goodbye to all of it. There is precious little room for negotiation; there need to be cool heads, leadership and a realisation that giving in may actually be the most sensible, cost-effective and least disruptive solution. However, like so many issues in the cyber world, it would have been far better never to have got into this situation in the first place, by actually implementing cyber defences, staff training and other preventative measures. But let’s discuss that another time, because right now the clock is ticking. Tick, tock – it’s your move.