How much are you willing to pay to get your data back from a ransomware attack? Did you know the average cost for a company to ‘recover’ from a ransomware attack is over $84,000? Keep in mind this average was prior to the global pandemic which forced many of us to be working from home, storing and retrieving data from company servers and clouds more than ever before, and relying on cybersecurity even more than Q1 2020. Recovery is not simply the payment to the cybercriminal but also includes things like the cost of technology replacements, lost revenue, crisis communications, and (even more difficult to calculate) the brand image. Not only are companies falling victim to these crimes, but cities and government agencies are as well. For example, in March 2018, the city of Atlanta, Georgia fell victim to a ransomware attack, where the attackers were demanding roughly $50,000 worth of bitcoin. The city spent $2.6 million to recover from the attack.

Keeping that example in mind, what is your company’s ransomware response plan?  Is it to simply pay the ransom fee? What if the fee is too high? Is the plan to file a cybersecurity policy claim? For many companies this is their plan however, this is not ideal and comes with many assumptions and potential issues including the following.

Faulty assumptions about a ransomware attack

Assuming the attacker can unlock your data.

If for whatever reason the attacker is unavailable to provide you with the key to unlock your data (e.g. they’ve been arrested, are on vacation, or woke up one day and decided to turn their lives around), then no matter what you’re willing to pay, you may not be getting your data back. Some attackers use automated websites to facilitate the payment and key provision process, but again you are making a large bet on its availability.

Assuming the attacker will not take your money and run or worse.

Kaspersky Labs noted that one in five organizations did not receive the promised decryption key after payment. This should not be surprising, we are dealing with criminals. There have also been reports of ransoms being increased after a victimized organization paid an initial ransom amount. For example, the Kansas Heart Hospital was hit with ransomware and the attackers demanded two ransoms. 

Assuming no technical issues prevent the decryption of the data.

While the malware that attackers are using is certainly impressive from an engineering standpoint, it is not without flaws. There is always a chance that even if the attacker provides you with what they believe is the appropriate decryption key, there may be technical issues preventing you from getting your data back.

Potential issue of paying a criminal for committing a crime.

This increases the likelihood of your organization, and others, being victimized in the future. According to the FBI, it is not recommended to pay ransoms because it encourages criminals to target other organizations and provides an incentivized enterprise to other criminals.

In any case, if your strategy is simply to pay the ransom should the unthinkable occur, then you are placing the wellbeing of your organization, customers, employees, and stakeholders, into the hands of a criminal. Now, we sympathize that there will be situations where an organization is left with no other options than to pay a ransom. But there are things that you can do to lower the risk of ending up in that situation.

In a prior article, we provided advice around things organizations can do to harden their “human layer” against attacks, while not discounting the importance of having sound technical systems and controls in place to protect your environment. Indeed, thoughtful preparation of a data resiliency strategy is also critical, such that should an organization become infected, the payment of a ransom may be unnecessary. Properly designed (and tested) systems and controls can enable organizations to quickly contain an infection, recover compromised systems and return to normal operations.

John's Real World Example
In addition to a career in IT Audit and Cybersecurity serving clients for over 17 years now, I have also served in IT leadership roles within several firms that I’ve been a part of, as well as in a Fractional CIO capacity for several clients. This unfortunate situation happened at an organization for which I was responsible for the IT function. Upon taking ownership of the environment, I went about implementing controls and processes to ensure the resiliency of systems, should an unforeseen event occur, and began a rigorous testing schedule to ensure that those items would be operating effectively if called upon. Further, we instituted a hardening program to disable any non-critical services, implemented least privilege user permissions, upped our end-user training, and made numerous other infrastructure improvements.

One morning, my mailbox was flooded with alerts that malware was detected on an end-user’s workstation and had begun spreading to the file servers within seconds. An interesting item of note was that the malware itself was not detected by our antivirus software, but that the software was instead just picking up the “ransom note” that was left with instructions on how to pay to get our data back. It is not uncommon that your antivirus software may have trouble detecting “zero-day” infections such as these, until definitions are created that instruct your software what to be on the lookout for.

Technical details aside, we were able to quickly isolate the impacted systems and stop the spread of the malware. Using a mixture of several technologies (i.e. data replication, back-ups, transaction logs, etc.), we were able to return to normal operations in less than 3 hours and only lost about 9 minutes’ worth of data (i.e. if the infection occurred at 2:00 p.m., we were able to restore the environment to the state in which it existed at 1:51 p.m.). Had we not been properly prepared, our only option may have been to pay the high-five-figure ransom demand.

Obviously, there is a component of right place / right time, as had the infection occurred overnight or if we were not able to quickly respond, both the recovery time and the amount of lost data could have been higher. Also, this was a middle-market organization and not a Fortune 500 company, so our recovery time was commensurate with the size and complexity of our environment. Even so, we had properly prepared and trained for this event, and even in more severe scenarios would not have had a high risk of losing more than a few hours’ worth of data.

There is not a one-size-fits-all solution, systems, processes, and controls to handle these types of incidents must be customized to the unique needs of the organization. It is also a myth that you must break the bank to implement this level of resiliency in your organization. This is simply untrue. While some organizations choose to brute-force their way to solutions through heavy spending, we believe that a thoughtful and thorough approach to planning goes a long way towards achieving this goal in a cost-effective manner. For example, nearly all the technical improvements that prevented the malware from spreading unencumbered did not require the purchase of any additional hardware or software.

Whether it is ransomware, malware, or other event that impacts your organization, it is not a question of if but when it will occur. And just because something hasn’t happened yet, doesn’t mean it won’t. Organizations are oftentimes unable to recover from these events, so don’t be caught unprepared.

We at Calvetti Ferguson are here to help! If there are any questions that you might have, or if you are simply in need of a sounding board, please feel free to contact us.