Interop: Ransomware should haunt you all the time

The problem is much more complex than whether or not to just pay the ransom

When the ransomware demands come in, it’s really too late to come up with a good response plan, so do that as soon as you can, an Interop audience was told.

“You need to decide beforehand whether you will pay and under what circumstances,” John Pironti, president of IP Architects, says. “It’s a cost benefit decision in the end.”


But in the heat of the moment what should be a rational business decision becomes an emotional issue that challenges the morals and pride of decision makers. “They don’t want to be the ones that paid,” Pironti says, speaking from experience consulting with ransomware victims. It just feels wrong to cave in to the demands of criminals who have encrypted your machines and won’t turn over the keys until you pay.

Ultimately those who make the decision must act in the best interest of the company. That means deciding when not paying the cost of the ransom is worth the consequences: lost productivity, missed customer engagements and the cost of replacing devices that are irreversibly encrypted. “At what point does it cost more to respond to the incident than to pay the ransom?” he says. Businesses need a response playbook.

One company Pironti dealt with was being threatened with a crippling DDoS attack if they didn’t pay $9,000. Rather than do so they spent more than $200,000 on DDoS protection gear and consultants to ward off the attack. And then the attack never came.

When it comes time to pay, try to negotiate down the demand. Earlier this year extortionists demanded $3.6 million from Hollywood Presbyterian Medical Center to unlock ransomware. They wound up paying $17,000.

In some cases the negotiations don’t even go through a human being, he says. Automated responses sometimes accept lower amounts, and the keys are also delivered automatically once payments – typically in Bitcoin – are made.

Beyond deciding to pay or not to pay, businesses should do threat and vulnerability analyses to identify how adversaries could get in, what they could infect and what the business impact would be.

Planning is also important because the timeframe for making a decision can be narrow, depending on the time limit set by the extortionist.

Once paid, getting the network back to normal is no simple matter. Businesses need to do forensics to see how the attack unfolded so measures can be taken to block the same type of attack in the future. That’s because attackers sell lists of businesses that have paid ransom, along with the methods used against them, so those who buy the lists can use the same attack tool again and again. “They only work as hard as they have to,” Pironti says. So paying may create a long-term problem.


Businesses also need to find out where the attackers went within the network to discover where they might have buried malware for use at a later time, he says. Often the ransomware attack is used as a distraction so network security pros don’t notice other types of attacks.

One of the best protections against ransomware attacks is effective backup, but it’s not foolproof. For example, if the ransomware is planted on machines and lies dormant, it can itself be backed up, so machines restored from that backup will still be infected. That’s why forensics are important to determine when and where the malware was placed. And it’s important to reimage machines, not just restore data.

“You have to ask did your backups back up everything? Do so recently enough? Do they have integrity?” he says.
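As an added illustration, not from the article or its speaker, here is a small Python check that applies those three questions (coverage, recency, integrity) and the point above about dormant malware: it picks the newest snapshot that predates the forensic first-infection date and passes all three checks. The file names, dates, the infection date and the 14-day recency limit are assumed, constructed sample values.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Snapshot:
    taken_at: datetime
    files: dict     # path -> bytes; in-memory stand-in for the backup's contents
    manifest: dict  # path -> sha256 hex recorded when the backup was written
def missing_assets(snap, required):
    """'Did your backups back up everything?': required paths absent from the manifest."""
    return [p for p in required if p not in snap.manifest]
def corrupted_files(snap):
    """'Do they have integrity?': manifest entries missing or not matching their hash."""
    return [p for p, h in snap.manifest.items()
            if p not in snap.files or hashlib.sha256(snap.files[p]).hexdigest() != h]
def pick_restore_point(snapshots, first_compromise, required, max_age):
    """Newest snapshot taken before the forensic first-compromise time that is also recent
    enough, complete and intact. Returns (snapshot or None, notes on rejected snapshots)."""
    notes = []
    for snap in sorted(snapshots, key=lambda s: s.taken_at, reverse=True):
        day = f"{snap.taken_at:%Y-%m-%d}"
        if snap.taken_at >= first_compromise:
            notes.append(f"{day}: taken after compromise; may hold dormant ransomware")
        elif first_compromise - snap.taken_at > max_age:
            notes.append(f"{day}: older than the {max_age.days}-day recency limit")
        elif missing_assets(snap, required):
            notes.append(f"{day}: missing {missing_assets(snap, required)}")
        elif corrupted_files(snap):
            notes.append(f"{day}: integrity failure on {corrupted_files(snap)}")
        else:
            return snap, notes
    return None, notes

# Constructed sample: three nightly snapshots of two business files (assumed names).
REQUIRED = ["db/orders.sql", "docs/contracts.zip"]

def make_snapshot(day, orders, contracts, tamper=False):
    files = {"db/orders.sql": orders, "docs/contracts.zip": contracts}
    manifest = {p: hashlib.sha256(b).hexdigest() for p, b in files.items()}
    if tamper:  # simulate media corruption that happened after the manifest was written
        files["docs/contracts.zip"] = contracts + b"\x00"
    return Snapshot(datetime(2016, 3, day), files, manifest)

SNAPSHOTS = [make_snapshot(10, b"orders v1", b"contracts v1"),
             make_snapshot(15, b"orders v2", b"contracts v2", tamper=True),
             make_snapshot(22, b"orders v3", b"contracts v3")]
# Assumed: forensics dated the first infection to 2016-03-20; 14 days is the accepted loss window.
FIRST_COMPROMISE, MAX_AGE = datetime(2016, 3, 20), timedelta(days=14)
```

Running `pick_restore_point(SNAPSHOTS, FIRST_COMPROMISE, REQUIRED, MAX_AGE)` rejects the post-infection and corrupted snapshots and returns the 2016-03-10 one, with the notes explaining each rejection.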

If there is a bright side, ransomware extortionists generally do what they say they will do. If the victim pays up, they’ll send the keys to unlock the encryption.

The problem isn’t likely to go away any time soon. Over time, these attacks are getting more sophisticated and difficult to prevent. When security researchers reverse engineer a strain of ransomware to find out how to disarm it, the criminals quickly abandon it and come up with something else.

The FBI suspects that in the first quarter of 2016 $209 million was collected by ransomware crooks. Pironti says the figure is likely much higher, and so the problem will continue.

“The only way we know to break the cycle is to refuse to pay,” he says, but that option may come at a high cost. “Are you willing to become the sacrificial lamb?”

Stories by Tim Greene