Ransomware Response: To Pay or Not to Pay

Doug Hudson, Senior Director, Cyber Risk Advisory, Coalfire

Recently, I was speaking with a CISO friend of mine and he mentioned that his company had suffered a breach. I asked if it was a ransomware attack, and sadly, that was the case. Malware had infected nearly every connected computer. Clearly there was a breakdown in protective controls, but I’ll get to that in another post. Digging deeper, I inquired if the amount was under $2,000. Another “yes”. Reported to the FBI? “Yes” again!

Does this sound familiar? Symantec reports an average of 4,000 ransomware attacks each day, with an average payment of around $300. That equates to over $1 million a day. So what’s to be done?

In this case, my friend’s company relied on their Incident Response Plan to contain and eradicate the infection; however, the plan only covered malware, not ransomware. Had they performed annual testing of their IRP, it is likely this inevitability would have been addressed.

Good Incident Response planning can speed eradication and recovery, especially for ransomware, where there are generally two options: pay or do not pay. This is where preparation comes in handy. For example, an organization can set in advance the criteria for making the difficult decision to pay to unlock its encrypted assets. Paying can reduce the impact on operations and speed recovery, even though it may be undesirable. The other option is not to pay the ransom and instead rely on backups to restore the encrypted systems and data. This option needs additional consideration: the time to restore may not align with business need, the level of effort may cost more than the demand (remember, time is money), or the backed-up data may not be current enough for business use and thus be of little or no value to the organization.
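As an added illustration that is not part of the original post, the following Python helper encodes the three backup-restore criteria above (restore time versus tolerable downtime, backup age versus usable data age, restore effort versus the ransom demand) and runs them over a constructed backup catalog; the system names, hours, costs and the $2,300 ransom figure are assumed sample values, not data from the post.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class BackupRecord:
    system: str
    last_backup: datetime      # when the newest usable backup was taken
    restore_hours: float       # estimated wall-clock time to restore the system
    restore_cost_usd: float    # estimated staff/vendor effort to perform the restore


@dataclass
class BusinessLimits:
    max_downtime_hours: float  # how long the business can operate without the system
    max_data_age_hours: float  # how stale restored data may be and still be usable
    ransom_usd: float          # demanded amount, used for the level-of-effort comparison


def assess_restore_option(records, limits, now):
    """Check the 'do not pay' path against the three criteria in the text.

    Returns (viable, reasons). viable is True only when every system's restore
    fits the downtime window, its newest backup is fresh enough, and the total
    restore effort does not exceed the ransom demand.
    """
    reasons = []
    for r in records:
        age_h = (now - r.last_backup).total_seconds() / 3600
        if r.restore_hours > limits.max_downtime_hours:
            reasons.append(f"{r.system}: restore needs {r.restore_hours:.0f}h, "
                           f"business tolerates {limits.max_downtime_hours:.0f}h")
        if age_h > limits.max_data_age_hours:
            reasons.append(f"{r.system}: newest backup is {age_h:.0f}h old, "
                           f"limit is {limits.max_data_age_hours:.0f}h")
    total_cost = sum(r.restore_cost_usd for r in records)
    if total_cost > limits.ransom_usd:
        reasons.append(f"restore effort ${total_cost:,.0f} exceeds ransom ${limits.ransom_usd:,.0f}")
    return (not reasons, reasons)


# Constructed sample catalog: one system backed up daily, one backed up weekly.
NOW = datetime(2016, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    BackupRecord("file-server", datetime(2016, 6, 1, 6, 0, tzinfo=timezone.utc), 4.0, 800.0),
    BackupRecord("erp-db", datetime(2016, 5, 29, 12, 0, tzinfo=timezone.utc), 10.0, 1500.0),
]
LIMITS = BusinessLimits(max_downtime_hours=8.0, max_data_age_hours=24.0, ransom_usd=2300.0)

if __name__ == "__main__":
    viable, why = assess_restore_option(SAMPLE_RECORDS, LIMITS, NOW)
    print("restore from backup is viable" if viable else "restore fails criteria:")
    for line in why:
        print("  -", line)
```

With the sample catalog the weekly-backed-up ERP system fails both the downtime and data-age checks, so the restore path is flagged before the decision meeting rather than discovered mid-recovery.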

In my colleague’s case, they decided to pay the ransom as the amount requested to decrypt was under 2 bitcoins (approximately $2,300). They were restored within a few hours and considered themselves fortunate to be back to normal business operations. Going forward, my colleague has committed the organization to updating their Incident Response Plan, conducting more frequent tests, and enhancing their protective controls and detection capabilities to reduce the likelihood of a future occurrence.

Source: https://www.fedscoop.com/ransomware-attacks-up-300-percent-in-first-quarter-of-2016/