city, building, sky

Should you pay up when hit by ransomeware?

I was shocked when I read a story about Lady Gaga’s dog walker (friend) being shot 4 times in the chest while walking her 3 French bull dogs last week. The muggers kidnapped 2 of her dogs while a 3rd one ran away to hide. Lady Gaga gladly paid the $100K medical bill for the dog walker to be treated in hospital and immediately offered a $500K reward with no questions asked if the dogs were returned. To no surprise the dogs were returned the next day by a lady and I am sure a handsome reward was paid. Honestly if you were a criminal this is so much better than robbing a bank with security cards that have guns and shoot back at you, money is labelled and can be traced. Robbing banks was a sport in the 1970’s and people got away with murder, today technology has put an end to that. But human beings haven’t changed for a thousands years so there are still people out there trying to jump over the fence where it is the lowest for a quick buck. And this brings me to ransomeware where there has been some famous attacks over the past 5 years. Some organisations have paid up to get their data back and some haven’t. Here is a list of recommendations provided by EY in a Tech republic article on how to minimize damage from a ransomware attack:

Consider obtaining cybersecurity and business-interruption insurance.
Retain a cybersecurity response team with expertise in responding to ransomware events.
Create corporate policies for paying ransom. Lovejoy suggested internal and/or external counsel and cyberinsurance carriers be consulted.
Determine who should be notified in the event of a ransomware attack, including law enforcement, external counsel, insurance carrier and regulators.
Decide when, how and under what conditions the decision to pay or not pay would be made. Using exercises that simulate potential ransomware incidents, and testing whether decisions made during the exercise would work if an actual ransomware event occurs.
Gain knowledge of how cryptocurrency works, as ransom payments are normally made using Bitcoin.
Test the ability to recover from backup at scale. EY said, “It is best to assume your last known good backups are also compromised.”
The process is not instantaneous. Whether you decide to pay or not, it will take time to return to normal business operations. Lovejoy pointed out the importance of maintaining the company’s essential functions as per the business-continuity portion of the incident-response playbook.” (source: https://www.techrepublic.com/article/should-you-pay-up-when-hit-by-ransomware-there-are-several-things-to-consider-first/)

There is not a right or wrong answer. Every organisation that faces a ransomware attack must quickly assess the risk of not paying the cyber-extortionists. What will be the costs for the lost data, PR publicity damage, build a business case clearly showing benefits vs costs and then make an informed decision back up by data. The more you can prepare the organisation for such an attack the better off you will be in responding in an effective manner. The 6 P’s ring in my ear (proper planning prevents piss poor performance). Your organisation will hopefully never experience this but do prepare for the worst and hope for the best.