Ransomware continues to be a hot topic because it continues to cause problems. Damaging attacks such as WannaCry and SamSam provide grim reminders of how prevalent ransomware attacks have become. In fact, PC PitStop has a running list of ransomware attacks for 2018 – at least the publicized attacks. Some entities paid, some did not, many decline to reveal the cost of their attack.
This running list goes to the core of a growing dilemma: Is it always wrong to pay up when hit by a ransomware attack?
The FBI advises against paying to resolve a ransomware attack, as it encourages more criminal activity and funds the adversaries' ability to evolve their tools, tactics and procedures. Even worse, there is no guarantee that paying the ransom will actually work.
The decision to pay, however, is not so simple. Whether to pay the ransom or not is a very individual, complicated matter. While backups and recovery plans provide organizations with options, every business must consider their unique business risks and realities and decide for themselves. A hospital, for example, may have different criteria for their decision. I for one would not like to be lying in a hospital bed having my health jeopardized while waiting for backups to be restored.
The hosts of the Defensive Security Podcast made some very interesting points in Episode 210 when they talk about the sheer magnitude of the damages to Maersk, and the strategic decision of a hospital network to pay – even though they had backups! Hancock Health, a health system based in Greenfield, Indiana, was hit with a ransomware attack on January 11, 2018. Despite having backups and an IT recovery plan, the hospital executed a disaster recovery plan that did not involve their backups. Paying the ransom of $55,000 was a better business decision for the hospital.
Contrast the decision of Hancock Health with that of Erie County Medical Center (ECMC). On April 9, 2017, ECMC fell victim to an attack. The organization responded quickly, following a pre-arranged script. At no point did ECMC consider paying the $44,000 ransom. The incident took six weeks to resolve, required the meticulous cleaning of file-encrypting malware from more than 6,000 computers, and cost millions of dollars to fix. Unfortunately, sometimes an organization has no choice but to rebuild. Such was the case with Maersk, which suffered very badly from the 2017 NotPetya outbreak. The IT recovery process “forced the IT staff to reinstall ‘4,000 new servers, 45,000 new PCs and 2,500 applications’” in TEN days! The business interruption and IT costs contributed to losses between $200 million and $300 million for their quarter.
What these ransomware attacks prove is that every organization has potential vulnerabilities and that attackers are going to find a way in. How much can your business afford to lose and will you be ready when disaster strikes? Industry experts advise organizations to:
- Create a business continuity and disaster recovery plan out of the crisis and validate the plan through testing.
- Perform regular data backups to recover in the event of an attack. Verify the integrity of the backups and store recovery data on media that’s not connected to the computers or network.
- Train employees in how the organization will deal with the loss of information systems as a result of such cybersecurity incidents.
And, of course, prevention is always urged as the first step. Most ransomware attacks happen through email attachments and links. For ransomware originating from emails, Soliton’s SecureShield is an effective block. SecureShield opens the ransomware within the endpoint container. The ransomware will begin to encrypt what it ‘sees’ as the endpoint computer. However, that is a mirror of the endpoint running inside SecureShield. A user can simply close SecureShield like closing a browser window, and the system is unaffected. They can then log back into their email and delete the email containing the virus. No bitcoin payments, no multi-million dollar or multi-day recovery process. Backups and disaster recovery plans are still a must-have for any organization, but Soliton SecureShield allows for proactive protection that prevents attacks.
Continue the conversation with us at RSA! Stop by and visit us at Booth 131 in the South Hall of the Moscone Center in San Francisco from April 16-19, 2018.
Visit us next week for Ransomware Dollars and Sense Part 2.