By: Ryan Meglathery, Senior Consultant, Impact Makers
Over the past year, there have been several high-profile ransomware attacks in which the target paid the ransom.
In May, Colonial Pipeline was hacked with ransomware by DarkSide. This left many on the East Coast without gas and caused panicked gas stockpiling. Eventually, Colonial Pipleline paid the hackers $4.4million and were provided a decryption tool. However, the process took so much time, the pipeline went down anyway.
More recently, JBS USA Holdings Inc. paid $11million following an attack on their meatpacking plants, though payment was made after their plants were up and running again.
In each scenario, the CEOs have attempted to justify their position for paying the ransom. Yet there is no excuse (regardless of whether or not the money was recovered). Paying the ransom is a short-term gain, long-term loss proposition. There are better ways to deal with ransomware. As cyber security professionals, this incident is both alarming and disappointing.
This ought to be a wake-up call for organizations considered to be a part of necessary infrastructure.
What is Ransomware?
According to the Cybersecurity & Infrastructure Security Agency, ransomware is malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.
Why you should NOT pay the ransom:
There are several key reasons why security professionals universally advise against paying the ransom :
- Funding the attackers: By paying the ransom, you are providing funds to the attackers. These funds will be used to create new ransomware and conduct more attacks. In fact, research has shown organizations that pay the ransom are likely to be targeted again by the same organization. Further, it reinforces the notion that ransomware is worth the effort and that targets are vulnerable to attack.
- No Guarantees: There are no guarantees the attackers will give you what you want. There is no guarantee you will be given access to your system. And there is no guarantee they will not attack your organization again.
- Damaging your reputation – Paying a ransom may be more damaging to your reputation than having been breached in the first place as customers, investors, and business partners may question the decision from executive leadership.
How organizations should address the threat of ransomware
The threat of ransomware is real, and unfortunately it is only becoming more prevalent. At Impact Makers, we advise clients to focus on: Prevention, Protection, and Planning.
- Prevention – As the saying goes, “an ounce of prevention is worth a pound of cure.” Unfortunately, it is impossible to snap our fingers and make your systems secure. Security is a process not a state. It needs a robust program with strong leadership and executive support. Organizations need to do their best to prevent the threat of ransomware through the following:
- Robust security awareness training
- Up-to-date antimalware
- Software and firmware patching
- Network segmentation
- Protection – One way to offset the tangible losses and minimize the impact of ransomware is through cyber insurance. Cyber insurance is a growing industry that provides organizations with resources to recover quickly in the event of a breach. Beyond getting everything back up and running, it is critical to understand how/why the breach occurred to prevent it from happening again. Some cyber insurance companies have contracts and agreements with cyber forensics experts that can quickly react, recover, and help prevent recurrence. Note: using cyber insurance as a means to pay the ransom should not even be a consideration.
- Preparation – Organizations must be prepared to respond in the event of a ransomware attack. This will include an incident response plan (IRP), business continuity plan (BCP), and disaster recovery plan (DRP). Being prepared affords both executives and technical staff the time, resources, and lack of pressure to execute the logical, methodical plan rather than being prone to panic or making irrational decisions when forced to react to an unplanned genuine incident. Being prepared for such a contingency can mean the difference between a minor outage of a few hours to being dead in the water.
Ransomware keeps many cyber security professionals and business executives up at night. While it is not something anyone ever wants to deal with, it should not be something that catches anyone off-guard.
Consider the following questions to gauge your organization’s preparedness against the threat of ransomware.
- Do you have a policy against paying ransomware demands?
- Is your security awareness training sufficient?
- Is your antimalware software up-to-date?
- Have you patched all software and firmware?
- Does your organization have adequate network segmentation?
- Does your organization have cybersecurity insurance?
- Do you have an incident response plan?
- Do you have a business continuity plan?
- Do you have a disaster recovery plan?
If you answered “No” or “Unsure” to any of the questions above, reach out to our team of cyber security consultants to see how Impact Makers can help.