At its core, ransomware is simple: threat actors break into a system, encrypt the data and then send an e-mail offering the decryption key for money.
The universal counsel from security professionals and the FBI is that you don’t pay the ransom. While this firm stance against capitulating to their demands is inspiring, the nuances of the situation surrounding affected organizations and individuals make this one-size-fits-all approach anything but simple.
At Armor, we recommend a stance of non-payment; however, it’s ultimately up to each affected party to determine the proper course of action.
Both options carry their own variety of risks, which the victim must then weigh when formulating their decision. Of course, this is all under the assumption that the victim’s security program has the necessary
Option A: Don’t pay
As we discussed previously, the FBI has reversed their policy on ransomware, advising victims to not pay the ransom demanded by attackers.
Their argument for non-payment is two-fold:
- Reduced profitability. If enough victims refuse to pay the ransom, the profitability and allure of the tactic will hopefully diminish.
- You can’t trust criminals. Threat actors are thieves. If there is no honor amongst themselves, why would you innately trust that they: A) will actually return your data upon payment, B) won’t just demand more ransom once you’ve paid up, or C) even have the capability to restore your data?
While admirable and an active step in the right direction, not paying carries a major risk: you may permanently lose the ransomed data. This is where victims must determine how critical that data is and whether they can live without it. Having proper backups of your data makes this the best choice under the circumstances, since you can simply restore the data.
Of course, paying the ransom doesn’t carry the guarantee that the data will be returned (as mentioned above), however, by not paying you are essentially saying, “keep the data.”
Option B: Pay the ransom
This is the knee-jerk reaction of most ransomware victims – pay and hope it all goes away.
There’s no guarantee that your data will be returned, but, aside from restoring the data via backups, paying the ransom (typically paid in bitcoin) is the most direct way to recover your data.
You’re at the threat actor’s mercy – and possibly signaling to others that you are susceptible to these types of attacks and willing to pay. This is not the ideal situation to be in, so exercise extreme caution if you decide to give in to their demands.
Looking for more information on ransomware?
> Read the January Armor Threat Intelligence Briefing
Square one: starting with security
Regardless of whether an organization leans toward paying or not paying, at the end of the day these situations can mostly be avoided through proven security processes and data backup procedures.
Your security program should be built to withstand any variety of cyber threats. This goes beyond the security tools and technologies in your environment to also include user training and awareness of common threat actor tactics, such as phishing.
Backups should be taken at regular intervals and the data stored offline and offsite, so it isn’t compromised by the same malware. Restoration procedures should also be tested regularly to ensure that data can actually be recovered post-infection.
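The restore test described above is the part most organizations skip. The following script is an added example (not Armor’s tooling and not from the original post) of a minimal backup-and-restore drill: it writes a tar.gz of a directory together with a SHA-256 manifest, later extracts the archive into a clean location and checks every file against that manifest, and separately reports which live files have diverged from the backup. The directory tree, file contents and the “file overwritten after the backup” step are all constructed for the demonstration; in practice the archive and manifest would be copied to the offline, offsite location and the drill would extract from that copy.

```python
"""Backup with a hash manifest, plus a restore drill that verifies it (constructed example)."""
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups never have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def mismatches(expected: dict, actual: dict) -> list:
    """Files in the manifest that are missing or whose hash differs."""
    return sorted(rel for rel, digest in expected.items() if actual.get(rel) != digest)


def create_backup(src: Path, backup_tar: Path, manifest_json: Path) -> dict:
    """Archive src and write a sidecar manifest; the manifest is what every
    later restore drill is checked against, so store it with the offline copy."""
    manifest = build_manifest(src)
    with tarfile.open(backup_tar, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    manifest_json.write_text(json.dumps(manifest, indent=2))
    return manifest


def restore_and_verify(backup_tar: Path, manifest_json: Path, dest: Path) -> list:
    """Extract the backup into dest and return the files that do not match the
    manifest. An empty list means the restore drill passed."""
    expected = json.loads(manifest_json.read_text())
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(backup_tar, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):  # Python 3.12+ (and backports): refuse unsafe members
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return mismatches(expected, build_manifest(dest))


def diverged_files(live: Path, manifest_json: Path) -> list:
    """Live files that changed (or vanished) since the backup was taken."""
    expected = json.loads(manifest_json.read_text())
    return mismatches(expected, build_manifest(live))


def run_drill() -> dict:
    """Constructed end-to-end drill: back up a small tree, alter the live copy
    afterwards, then show the backup still restores cleanly while the live
    tree is reported as diverged."""
    work = Path(tempfile.mkdtemp(prefix="restore-drill-"))
    try:
        live = work / "live"
        (live / "docs").mkdir(parents=True)
        (live / "docs" / "report.txt").write_text("quarterly numbers\n")  # constructed sample
        (live / "config.ini").write_text("[db]\nhost=localhost\n")        # constructed sample

        backup_tar = work / "backup.tar.gz"
        manifest = work / "backup.manifest.json"
        create_backup(live, backup_tar, manifest)

        # Simulate one live file being overwritten after the backup was taken.
        (live / "docs" / "report.txt").write_bytes(os.urandom(32))

        return {
            "restore_mismatches": restore_and_verify(backup_tar, manifest, work / "restore"),
            "live_diverged": diverged_files(live, manifest),
        }
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_drill(), indent=2))
```

Run as a script it prints an empty `restore_mismatches` list and `docs/report.txt` under `live_diverged`. The same two functions are what a scheduled drill would call against the offline copy: a non-empty restore mismatch list means the backup cannot be trusted and should be investigated before it is ever needed.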
While these practices may not help those currently afflicted with ransomware, they must be the foundation for preventing future ransomware attacks.