No sector or organization is immune to ransomware - malicious software that holds data files hostage while hackers demand payment to restore access. These attacks are on the rise. According to the FBI, an average of 4,000 ransomware incidents occur daily at an annual cost of $1 billion.
This is a far cry from the first known ransomware. In 1989, an evolutionary biologist called Joseph Popp distributed 20,000 floppy disks to fellow AIDS researchers that supposedly contained a software application capable of gauging a person's risk of contracting AIDS. Once activated, malware displayed a ransom note on computer screens demanding up to $378.
Today, ransom demands range from nominal amounts to millions of dollars, and they often come with a deadline that leaves victims with little time to evaluate their options.
Business systems owners have to decide between paying the ransom or recovering their systems on their own - and under time pressure, businesses are often tempted to pay the ransom. Often the amount demanded costs less than the remedy, which can run into millions of dollars.
Today’s ransomware seeks out connected devices and encrypts them, often including backups. Even if viable backups exist, restoring systems from backups is not always an easy option for organizations whose IT departments are understaffed and underfunded. There’s no prohibition, but security experts and the FBI advise never paying so-called ‘datanappers’, because often they do not restore access to data as promised.
It’s ultimately a business risk decision. So - how should your business respond?
To pay or not to pay: three things to consider
When deciding how to respond to a ransomware attack, organizations must consider three factors:
1) Determine the feasibility of recovery. Victims must determine if they have a viable backup - that is, one recent enough to make recovery worthwhile. A general backup best practice is to use the ‘3-2-1 rule’: Maintain at least three copies of all data, storing two on different storage media, one of which should be offsite. Insidious ransomware may also encrypt or corrupt backups, which makes systems recovery even more arduous.
2) Determine the effort required to recover the data.
a) Data volume and location: Large volumes of data will take longer and require more effort to recover. Disparate locations can complicate recovery efforts, especially if the attacker is still lurking somewhere on the network.
b) Setting up business systems: Sometimes, a fresh image of the infected operating system must be loaded onto computers before data can be recovered. Setting up new systems will increase the recovery time.
c) Shifting to manual processes: Business users may need to use pen-and-paper processes during a lockdown, and will need to reconcile manual transactions once the systems are restored. For example, last year a hospital paid ransom after realizing that while recovery was feasible, the costs, amount of effort, downtime and reputational damage involved in doing so would be too high. While in lockdown, the hospital instituted manual pen and paper processes. From start to finish, the ordeal lasted four days.
d) Human resources: Technical personnel will need to help with recovery efforts. Shifting to manual processes may require additional resources. Recovery is a cross-functional effort, including lawyers and communication specialists who need to be in place for the duration of the event.
3) Determine the impact of recovery. What are the effects of lost services on the business’s customers and employees? These may include effort costs, lost revenue and reputational damage. If recovery efforts are prolonged, costs can skyrocket. This year, following a ransomware attack, the US city of Baltimore estimated its impact at more than $18 million - a much higher cost than the approximately $70,000 ransom, which the city refused to pay.
Even when indicators point to paying the ransom, an organization’s ethos plays a key role in deciding whether to pay. For an example, if the victim is a law enforcement organization, the choice can pose a real conundrum - as paying the ransom might send the wrong message to the public but not paying may impact first responders.
Paying the ransom: key considerations
A victim that has decided to pay the ransom should note these practical considerations:
Validate full recovery. Don’t send funds until you’ve received proof that the attacker has the keys and the sample decrypted data is authentic. And then validate that files are being safely recovered, encrypted files are being deleted, and information systems being brought back on line. Some victims have paid their ransom and then did not recover all their data. It’s also important to examine the decryption scripts to assess if the attacker hid additional malicious code in the key.
Ask law enforcement to help with a safe transfer of the ransom payment. Law enforcement can provide recommendations on brokers and best ways to safeguard the transaction. Involve law enforcement in investigations and payment tracking as it can give them insight into the criminal organization responsible for the attack.
Investigate whether the ransomware stole sensitive information. During the system lockdown, the ransomware may have exfiltrated sensitive information. The loss of the confidentiality and integrity of sensitive data has serious regulatory implications which can lead to costly fines under local and global data protection regulations.
Consider getting help from recovery intermediaries. These service providers possess the tools and technical expertise to recover your data. Involving law enforcement in this decision is prudent; it has been suggested recently that some recovery intermediaries have simply paid the ransom themselves.
Have you read?
Protecting against ransomware
Consider ransomware insurance. Assess if the organization’s cyber insurance covers ransomware attacks, including ransom payment, and inform the insurance company as soon as an attack occurs. Insurance providers may also involve law enforcement where appropriate.
Practicing good cyber hygiene is the best way to prevent an attack. Hackers are not necessarily sophisticated; those lacking expertise can hire ransomware-as-a-service for much less than the amount your organization must pay to protect its assets. The price tag on your data may be incalculable, however: data is the modern currency in the information age and the lifeblood of many organizations.
In truth, there is no one-size-fits-all procedure for dealing with a ransomware attack. There are as many situations and scenarios as there are organizations. Each will need to choose the right response for them - one that weighs costs, reputation and organizational ethos against giving into the hackers’ demands.
What is the World Economic Forum doing on cybersecurity
The World Economic Forum's Centre for Cybersecurity is leading the global response to address systemic cybersecurity challenges and improve digital trust. We are an independent and impartial global platform committed to fostering international dialogues and collaboration on cybersecurity in the public and private sectors. We bridge the gap between cybersecurity experts and decision makers at the highest levels to reinforce the importance of cybersecurity as a key strategic priority.
Our community has three key priorities:
Strengthening Global Cooperation - to increase global cooperation between public and private stakeholders to foster a collective response to cybercrime and address key security challenges posed by barriers to cooperation.
Understanding Future Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies, and accelerate forward-looking solutions.
Building Cyber Resilience - to develop and amplify scalable solutions to accelerate the adoption of best practices and increase cyber resilience.
Initiatives include building a partnership to address the global cyber enforcement gap through improving the efficiency and effectiveness of public-private collaboration in cybercrime investigations; equipping business decision makers and cybersecurity leaders with the tools necessary to govern cyber risks, protect business assets and investments from the impact of cyber-attacks; and enhancing cyber resilience across key industry sectors such as electricity, aviation and oil & gas. We also promote mission aligned initiatives championed by our partner organizations.
The Forum is also a signatory of the Paris Call for Trust and Security in Cyberspace which aims to ensure digital peace and security which encourages signatories to protect individuals and infrastructure, to protect intellectual property, to cooperate in defense, and refrain from doing harm.
For more information, please contact us.
This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.