RANSOMWARE: The 48 Hour Decision

Ransomware is a form of malware, delivered through websites or phishing emails, that encrypts or locks out apps, data files, hard drives, devices and other computing systems or networks. The ease of attack is prompting some cyber criminals to offer Ransomware-as-a-Service.

Cyber criminals focus on organizations that can pay quickly to decrypt or unlock their systems, reasoning that these organizations offer essential services or manage personal data. Organizations usually decide within 48 hours whether to pay the ransom. For example:

  • City of Atlanta, Georgia elected not to pay the ransom but spent over $10 million to recover from a ransomware attack in March 2018.
  • City of Baltimore, Maryland elected not to pay the ransom but spent over $18 million to recover from a ransomware attack in May 2019.
  • City of Lake, Florida elected to pay the $450,000 ransom in 2019.

Statista (a German online statistics portal) states that 29% of the 204 million ransomware attacks last year occurred in the United States. This percentage will no doubt increase as the internet evolves and new inventions make our devices smarter but also turn them into targets for malware and ransomware attacks. Imagine your connected vehicle being locked, or sensitive data being leaked or “doxed”, unless a ransom is paid.

To Pay or Not

The answer depends upon the cost of, and the ability to, restore data and services. The Federal Bureau of Investigation advises organizations to avoid paying any ransom, for two reasons: (1) to avoid becoming a repeat target and (2) ransom payments are no guarantee of a successful recovery. In addition, decrypting data and files is a slow process.

Did You Know  

  1. Ransomware attacks average $36,000 per attack.
  2. Average downtime is 10 days.
  3. 96% of organizations receive a working decryption tool when paying the ransom.
  4. 8% of decrypted data is lost.

Source: KnowBe4 Blog

Consider a nuanced approach that depends upon the type of ransomware attack and the organization's circumstances. For example, WannaCry targeted thousands of Windows OS systems worldwide, whereas RobbinHood targeted City of Baltimore systems.

If You Cannot Definitively Answer A Few Questions Within 48 Hours… Pay The Ransom

  1. Determine the practicality of restoring data, files and systems from your organization’s most recent cloud-based or offline backups. Do this by answering a few questions. How many computers and systems are affected? How long, in terms of time and resources, will a partial or full restoration take?
  2. Decide if a public key restoration service can both remove the malware/ransomware and recover your data and files or restore access.
  3. Determine the extent of the impact on your brand, reputation and revenues. For example, the San Francisco Municipal Rail System may not pay a ransom, whereas healthcare providers may not be able to wait beyond 48 hours.
  4. Develop metrics. For example, if restoring from a ransomware attack requires more than 2 weeks and 50 additional personnel (temporary staff and security consultants), then paying a ransom is defensible.
  5. Determine whether appropriate cyber insurance (ransomware) coverage applies.

Action Items: 

  1. Regularly update all security software and operating systems.
  2. Train all staff quarterly on all types of ransomware attacks, such as phishing emails and attachments.
  3. Regularly back up all your data and files to cloud-based services or external hard drives. This allows you to roll back to unencrypted versions.
  4. Revise cyber security practices, personnel and appropriate commercial risk insurance policies.

Further reading: 

www.cybereason.com

www.sentinelone.com 

Author Disclosure

I am the author of this article and it expresses my own opinions. I have no vested interest in any of the products, firms or institutions mentioned in this post. Nor does the Analyst Syndicate. This is not a sponsored post.

Disclosure

The views and opinions in this analysis are my own and do not represent positions or opinions of The Analyst Syndicate.