Held hostage by ransomware? Here's how to respond

No sector or organization is immune to ransomware - malicious software that holds data files hostage while hackers demand payment to restore access. These attacks are on the rise. According to the FBI, an average of 4,000 ransomware incidents occur daily at an annual cost of $1 billion.

This is a far cry from the first known ransomware. In 1989, an evolutionary biologist called Joseph Popp distributed 20,000 floppy disks to fellow AIDS researchers that supposedly contained a software application capable of gauging a person's risk of contracting AIDS. Once activated, malware displayed a ransom note on computer screens demanding up to $378.

Today, ransom demands range from nominal amounts to millions of dollars, and they often come with a deadline that leaves victims with little time to evaluate their options.

Business systems owners have to decide between paying the ransom or recovering their systems on their own - and under time pressure, businesses are often tempted to pay the ransom. Often the amount demanded costs less than the remedy, which can run into millions of dollars.

Today’s ransomware seeks out connected devices and encrypts them, often including backups. Even if viable backups exist, restoring systems from backups is not always an easy option for organizations whose IT departments are understaffed and underfunded. There’s no prohibition, but security experts and the FBI advise never paying so-called ‘datanappers’, because often they do not restore access to data as promised.

It’s ultimately a business risk decision. So - how should your business respond?

When deciding how to respond to a ransomware attack, organizations must consider three factors:

1) Determine the feasibility of recovery. Victims must determine if they have a viable backup - that is, one recent enough to make recovery worthwhile. A general backup best practice is to use the ‘3-2-1 rule’: Maintain at least three copies of all data, storing two on different storage media, one of which should be offsite. Insidious ransomware may also encrypt or corrupt backups, which makes systems recovery even more arduous.

2) Determine the effort required to recover the data.

a) Data volume and location: Large volumes of data will take longer and require more effort to recover. Disparate locations can complicate recovery efforts, especially if the attacker is still lurking somewhere on the network.

b) Setting up business systems: Sometimes, a fresh image of the infected operating system must be loaded onto computers before data can be recovered. Setting up new systems will increase the recovery time.

c) Shifting to manual processes: Business users may need to use pen-and-paper processes during a lockdown, and will need to reconcile manual transactions once the systems are restored. For example, last year a hospital paid ransom after realizing that while recovery was feasible, the costs, amount of effort, downtime and reputational damage involved in doing so would be too high. While in lockdown, the hospital instituted manual pen and paper processes. From start to finish, the ordeal lasted four days.

d) Human resources: Technical personnel will need to help with recovery efforts. Shifting to manual processes may require additional resources. Recovery is a cross-functional effort, including lawyers and communication specialists who need to be in place for the duration of the event.

3) Determine the impact of recovery. What are the effects of lost services on the business’s customers and employees? These may include effort costs, lost revenue and reputational damage. If recovery efforts are prolonged, costs can skyrocket. This year, following a ransomware attack, the US city of Baltimore estimated its impact at more than $18 million - a much higher cost than the approximately $70,000 ransom, which the city refused to pay.

Even when indicators point to paying the ransom, an organization’s ethos plays a key role in deciding whether to pay. For an example, if the victim is a law enforcement organization, the choice can pose a real conundrum - as paying the ransom might send the wrong message to the public but not paying may impact first responders.

A victim that has decided to pay the ransom should note these practical considerations:

Validate full recovery. Don’t send funds until you’ve received proof that the attacker has the keys and the sample decrypted data is authentic. And then validate that files are being safely recovered, encrypted files are being deleted, and information systems being brought back on line. Some victims have paid their ransom and then did not recover all their data. It’s also important to examine the decryption scripts to assess if the attacker hid additional malicious code in the key.

Ask law enforcement to help with a safe transfer of the ransom payment. Law enforcement can provide recommendations on brokers and best ways to safeguard the transaction. Involve law enforcement in investigations and payment tracking as it can give them insight into the criminal organization responsible for the attack.

Investigate whether the ransomware stole sensitive information. During the system lockdown, the ransomware may have exfiltrated sensitive information. The loss of the confidentiality and integrity of sensitive data has serious regulatory implications which can lead to costly fines under local and global data protection regulations.

Consider getting help from recovery intermediaries. These service providers possess the tools and technical expertise to recover your data. Involving law enforcement in this decision is prudent; it has been suggested recently that some recovery intermediaries have simply paid the ransom themselves.

Consider ransomware insurance. Assess if the organization’s cyber insurance covers ransomware attacks, including ransom payment, and inform the insurance company as soon as an attack occurs. Insurance providers may also involve law enforcement where appropriate.

Practicing good cyber hygiene is the best way to prevent an attack. Hackers are not necessarily sophisticated; those lacking expertise can hire ransomware-as-a-service for much less than the amount your organization must pay to protect its assets. The price tag on your data may be incalculable, however: data is the modern currency in the information age and the lifeblood of many organizations.

In truth, there is no one-size-fits-all procedure for dealing with a ransomware attack. There are as many situations and scenarios as there are organizations. Each will need to choose the right response for them - one that weighs costs, reputation and organizational ethos against giving into the hackers’ demands.

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.