Ransomware Response: To Pay or Not to pay

April 17, 2017, Doug Hudson, Senior Director, Cyber Risk Advisory, Coalfire

Recently, I was speaking with a CISO friend of mine and he mentioned that his company suffered a breach.  I asked if it was a ransomware attack, and sadly, that was the case.  Malware had infected nearly every connected computer.  Clearly there was a breakdown in protective controls,  but I’ll get to that in another post.  Digging deeper, I inquired if the amount was under $2,000.  Another “yes”. Reported to the FBI….” yes” again!

Does this sound familiar? Symantec reports that there is an average of 4,000 ransomware attacks each day, the average payment is around $300.  This equates to over $1 million a day.  So what’s to be done?

In this case, my friend’s company relied on their Incident Response Plan to contain and eradicate the infection, however, the plan only covered malware, not ransomware.  Had they performed annual testing of their IRP, it is likely this inevitability would have been addressed.

Good Incident Response planning can speed eradication and recovery efforts, especially when addressing ransomware attacks.  When addressing ransomware attacks, there are generally two options, to pay or not to pay.  This is where preparation comes in handy.  For example, an organization can set the criteria for making the difficult decision to pay to unlock their encrypted assets. This can reduce the impact on operations and speed recovery, even though paying ransom may be undesirable.  The other option for the organization would be not to pay the ransom, relying on their backups to restore the encrypted systems and data.  This option needs some additional consideration as time to restore may not align with business need, the level of effort may be greater than the demand (remember, time is money), or the data may not be current enough for business use and thus of little or no value to the organization. 

In my colleague’s case, they decided to pay the ransom as the amount requested to decrypt was under 2 bitcoins (approximately $2300).  They were restored within a few hours and considered themselves fortunate to be back to normal business operations.   Going forward, my colleague has committed the organization to updating their Incident Response Plan, conducting more frequent tests, and enhancing their protective controls and detection capabilities to reduce the likelihood of a future occurrence.

Source: https://www.fedscoop.com/ransomware-attacks-up-300-percent-in-first-quarter-of-2016/

Doug Hudson


Doug Hudson — Senior Director, Cyber Risk Advisory, Coalfire

Recent Posts

Post Topics