You invested in strong endpoint detection, conducted robust training on spotting phishing attempts and run a thorough patch management program, but it happens anyway: your organization is locked out of its systems until you pay a hefty ransom in Bitcoin to an unknown cybercriminal.
Now what do you do?
If your backups were stored properly, scrapping your systems and starting fresh with your backed-up data without having to pay off the criminals will help save you a lot of time, money and headaches.
However, what if the backups are also compromised? This leaves you with few options while you’re bleeding money and losing business since you can’t access your systems.
Do you give in to the demands of the ransomware operators or begin the long process of rebuilding your core IT systems from scratch?
Authorities really don’t want you to pay
For the most part, law enforcement agencies try to discourage compromised organizations from paying a ransom because it incentivizes more ransomware operations and funds those malicious groups.
The FBI maintains that organizations should not pay a ransom because it doesn’t guarantee that you’ll get data back and it encourages more ransomware activities.
And, in a recent alert about the Colonial Pipeline ransomware attack, both the FBI and U.S. Cybersecurity and Infrastructure Agency discouraged the payment of ransoms.
“CISA and the FBI do not encourage paying a ransom to criminal actors,” the agencies said in a joint alert. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities. Paying the ransom also does not guarantee that a victim’s files will be recovered.”
The majority of these cyber attacks and ransomware operations are coming from U.S. adversaries like Russia, so these payments also pose a national security threat, agencies say.
It’s a business decision
For most organizations, deciding whether or not to pay a ransom to cybercriminals comes down to a business decision.
Take, for example, the Colonial Pipeline case from last month, in which the DarkSide ransomware group forced the provider of fuel to much of the East Coast to go offline to prevent the breach from infecting the pipeline system itself.
The company paid $4.4 million in Bitcoin to the hackers shortly after the system was locked.
With the pipeline offline, gas prices skyrocketed due to a shortage of fuel, prompting a state of emergency to be declared by President Joe Biden. In some areas of the southern U.S., gas stations were without fuel for several days.
The ransomware initially impacted Colonial Pipeline’s billing system, which was ultimately costing the pipeline business money because it was unable to receive payments. In addition, there were some macroeconomic concerns on the horizon if the shutdown lasted much longer.
“So if you think about it, then it’s not just costing them money, but it’s costing multiple other companies and customers money as well,” says James Carder, chief security officer at LogRhythm. “And so there’s significant downstream ramifications of this. And so, I think all those combined is why they paid that large ransom.”
Indeed, Joseph Blount, the CEO of Colonial Pipeline Co., told the Wall Street Journal that it was “the right thing to do for the country” to pay the ransom.
On the flip side, organizations should do a cost analysis of what it would take to rebuild their systems and accept losing revenue for a short period versus paying the ransom, says Danielle Parks, research analyst at Nucleus Research.
“Would it be worth $5 million to pay that ransom, or would it be worth it just scrapping that data and doing a different system?” Parks said.
You can’t trust a criminal
One of the reasons ransomware is proliferating across the internet right now is that ransomware operators are changing their tactics and techniques from simply demanding a ransom to threatening to steal data and sell it on the dark web.
Now, organizations hit by ransomware have to assume that their data could be leaked, Katie Nickels, director of intelligence at Red Canary, said during the recent RSA Conference. Exfiltration and extortion are now the “new normal” of a ransomware attack.
This makes it more challenging to figure out how an organization should respond, Nickels said.
“There used to be an old way of thinking, ‘Hey, if I just pay an adversary, I get the decryption key and my data is back.’ Great. Well, except now if the adversary has your data, you don’t know if they’ve really destroyed it.”
In fact, there have been multiple cases in which an organization paid the ransom only to see the ransomware operator come back to further extort the victim with the undeleted data.
At the same conference, Heather Mahalik, senior director of threat intelligence at Cellebrite, said IT security professionals can never again trust cybercriminals promising to destroy exfiltrated data.
“You have to realize that these are adversaries or criminals we’re talking about,” Mahalik said. “Don’t trust them because they don’t always do what they say they’ll do.”