To pay or not to pay the ransom?
That has been a major hurdle for organizations across the US. Local governments, manufacturers, accounting firms, even hospitals have all ended up concluding that paying the ransom was the only way to get their systems up and running.
This is the dilemma: you will have to make a serious decision about whether to pay criminals to give back your data or to recover in spite of them and their threats.
In general, the FBI has stated time and time again to NOT PAY THE RANSOM. In doing so you are waving a big red target stating that you’re willing to pay, not to mention that you’re filling their coffers and allowing them to grow their cybercrime businesses.
The reality in 2019 is that many folks have succumbed to attacks and are now paying hefty ransoms, either because their cyber insurance providers told them that’s all they’d be able to cover or because they had no other options (they simply weren’t prepared for a recovery effort).
Scores of municipalities and businesses caught with their networks frozen and ability to work halted have made the hard decision to pay the ransom.
But is paying the ransom the best option?
This all goes back to your business continuity and disaster recovery preparedness.
I know that prevention is definitely a lot better than having to recover from a ransomware attack, but not being prepared to recover leaves you with only one option: paying hard-earned dollars to criminals, the very ones that just attacked your network! Will they have your best recovery interest at heart?
In a recent study, organizations that paid ransom demands to recover their data were NOT able to completely recover.
You see, the criminals handing out decryption keys for their sophisticated encryption algorithms have not focused their development on how to decrypt your network after it’s locked down (they are mainly focused on getting you to pay the ransom in the first place).
When organizations that have been attacked end up paying for the decryption tool, what we’ve found is that those tools are so buggy that they fail to decrypt everything. That means that even if you pay the ransom and get a decryption key (which many criminals don’t even hand over), you’re rolling the dice as to which files are recoverable. You may have critical data locked down even after running the decryption and following their process to the T.
Will they have help desk support to help troubleshoot? Think again: these criminals are not going to resolve your problems with recovery.
This scenario has grown ever more common this year. One major reason? Organizations like yours have not updated their disaster recovery and business continuity plans to address various cyberattack scenarios.
In essence, you are not prepared to meet the changing, modern risks to your network and your business.
Let’s work through one possible scenario that is increasingly common today:
As you are probably aware, there are a variety of vulnerabilities when using the Windows operating system on your network. In addition, Active Directory functionality may give your attackers the keys to your entire network; Active Directory is involved in over 75% of attacks. Hackers have used Windows-based vulnerabilities involving Active Directory to target networks like yours.
The attacker gets inside first by sending an urgent email to one of your employees, seemingly from your IT director, informing them of some updates to their Microsoft O365 account. Once that employee clicks, the attacker uses common, easy-to-find tools that stealthily manipulate your Windows administrative tooling, such as PowerShell scripts and Windows registry keys, to move across your network and gain elevated privileges in your Active Directory administrative group (a fundamental part of Windows’ security framework around Active Directory).
Next, the attacker logs into your domain controller (DC) and puts himself in a position to essentially switch off your security monitoring. He turns off auditing and monitoring logs and is then free to modify accounts and policies and to create backdoors to exploit later on.
Having gained access to everything, the attacker scopes out the ins and outs of your network and then encrypts all of your data: your personally identifiable information, the ERP databases critical to running your day-to-day operations, and so on. In essence, the attacker shuts down your ability to use your mission-critical data.
Now, there is a chance that someone in IT may be able to detect and shut down the attacker. BUT that will probably take at least 10, 15, or 30 minutes. How much damage can an attacker do in half an hour? (Quite a lot!)
It’s probably clear just from this example that we are not prepared within our organizations to recover from the gamut of attacks we are now confronted with. Our disaster recovery plans, especially in the face of increased ransomware attacks, a fire, an earthquake, or a terrorist attack, need to ensure that you as a business are able to resolve the incident and recover. Note: nearly 83% of businesses fail within two years of a cyberattack.
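As an added example (not part of the original post), here is a small Python detector for the step in the scenario above where the attacker is promoted into a privileged AD group and then switches off auditing on the DC: it scans exported Windows Security events and flags the audit-policy change, the log clearing and the privileged-group additions, then links them to one acting account. The event IDs are the real Windows ones; the sample records, host, account and group names are constructed for the example.

```python
import json

# Real Windows Security event IDs that signal audit tampering or AD privilege changes.
SUSPICIOUS_EVENT_IDS = {
    1102: "Security log cleared",
    4719: "System audit policy changed",
    4728: "Member added to security-enabled global group",
    4756: "Member added to security-enabled universal group",
}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

# Constructed sample export (JSON lines), not real log data; the field names are a
# simplified version of what the Security log's event XML carries.
SAMPLE_EVENTS = """\
{"EventID": 4624, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "jdoe"}
{"EventID": 4728, "Computer": "DC01", "SubjectUserName": "jdoe", "TargetUserName": "Domain Admins", "MemberName": "CN=jdoe,CN=Users,DC=corp,DC=example"}
{"EventID": 4719, "Computer": "DC01", "SubjectUserName": "jdoe"}
{"EventID": 1102, "Computer": "DC01", "SubjectUserName": "jdoe"}
{"EventID": 4728, "Computer": "DC01", "SubjectUserName": "hr-admin", "TargetUserName": "HR Staff", "MemberName": "CN=newhire,CN=Users,DC=corp,DC=example"}
"""

def find_tampering(jsonl: str) -> list:
    """One finding per suspicious event, in log order. Group additions count only when
    the target group is privileged; audit-policy changes and log clearing always count."""
    findings = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        eid = ev.get("EventID")
        if eid not in SUSPICIOUS_EVENT_IDS:
            continue
        if eid in (4728, 4756) and ev.get("TargetUserName") not in PRIVILEGED_GROUPS:
            continue
        findings.append({"event_id": eid, "reason": SUSPICIOUS_EVENT_IDS[eid],
                         "actor": ev.get("SubjectUserName"), "host": ev.get("Computer"),
                         "target": ev.get("MemberName") or ev.get("TargetUserName")})
    return findings

def escalation_chain(findings: list) -> list:
    """Accounts that made a privileged group change and then tampered with auditing (the
    order in the scenario). Assumes the attacker promotes the account they already control."""
    promoted, chained = set(), []
    for f in findings:
        if f["event_id"] in (4728, 4756):
            promoted.add(f["actor"])
        elif f["actor"] in promoted and f["actor"] not in chained:
            chained.append(f["actor"])
    return chained
```

On a real DC the same logic applies to events exported from the Security log; the point is that the 4719 and 1102 events fire before auditing is actually silenced, so forwarding them off-box gives the detection window the scenario says you only have minutes for.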
My question to you: are you evaluating all of your options? Have you been advised on how to address current scenarios, or do you know how to reevaluate your plan in the face of a dynamically changing threat landscape?