Ransomware: Would You Pay?

Would you pay $1 million to recover customer data, continue operations, and salvage revenue and reputation? Would you pay more, negotiate for less?

Ransomware attacks are becoming all too common. It was just last month that a massive, global attack hit hospitals, major companies and government organizations. This month, we're learning a South Korean Web host, Nayana, "has paid over $1 million to a ransomware operation, called Erebus, that encrypted customer data related to 3,400 customer websites" ( source). 

Terry Ray, chief product strategist of Imperva anticipates that if a company is willing to pay $1 million, the industry can assume bigger ransoms will be paid in the future. 
 
"Paying the ransoms simply gets the data back to a usable format so the attacked company's business can operate again, said Ray. "While this million-dollar ransom may seem like a huge sum of money for a Web hosting provider to pay, just imagine if it was an investment bank on the cusp of a deal the size of hundreds of millions of dollars - to them it could be a justified expense. Or an airline reservation system preventing existing reservations from being used and shutting the airline down or knocking them back to manual processes. How much would they pay to get back to normal operations quickly especially considering they are categorized as national infrastructure?

"Delta and British Airways both had outages unrelated to ransomware but likely have an idea of the costs associated with such events and could quickly determine what they would pay to prevent or stop an outage." 
 
What, however, is a company to do if they are hit with ransomware. Should they pay like this Web host reportedly did?

"It's a business decision at the end of the day," said Ray. "It's easy to say 'we don't deal with extortionists,' but if it's less expensive to pay with some guarantee of getting your systems back quickly, the cost analysis may suggest paying. In a best-case scenario, every company would have a current backup and be able to restore that immediately.

"Not everyone has a backup, not all backups have been tested to in fact work or contain what companies planned for them to do, and in this specific case, more than 150 systems were affected, which makes restoring possibly complex. I'm sure all of these thoughts were part of the discussion as to whether they should pay or not."

While an unknown entity holding data hostage seems like a scene out of a movie, attacks on business increased three-fold between January 2016 and the end of September 2016: the difference between an attack every 2 minutes and one every 40 seconds ( source). We asked Ray of Imperva to provide some "first steps" for enterprises to take to prevent ransomware. He said there are two schools of thought:  

1. Protect the end points (laptops and desktops)
2. Protect the file servers and databases where the data lives.  In my opinion, the easiest strategy is to put controls to prevent this where you have the fewest systems to protect, yet the most critical assets closest to your protective control at the database and file server themselves. This minimizes the overall effort and focuses the controls on what matters most.