That awful moment… You’re working away, getting tasks ticked off left and right…
And then it happens. A terrible sinking feeling grips your stomach, and you know immediately what’s happened.
You’ve been infected with ransomware. The screen in front of you is filled with demands about Bitcoins, Tor, and encryption keys.
So what now?
You’ll have to tell your boss, of course. But once that’s done, there are some important tasks for you to complete.
Check the Damage
A lot of the time, people and organizations that have been infected with ransomware jump straight in at the deep end. “Should we pay?” they want to know.
But there are other things to consider first.
For instance, do you know what you’re missing? The ransomware claims to have encrypted your files, but have you lost anything important?
Before you start panicking, make sure the claims being made are legitimate, and that the files you’ve lost are actually important to you or your organization. If they aren’t, it probably isn’t going to be worth your while to pay the ransom.
If possible, you’ll also want to identify the ransomware family you’ve been infected with. The chances are low, but you may have been infected with a trojan that has already been tackled by law enforcement or cyber security experts. The FBI locking trojan, for instance, can be removed without paying a ransom, as can the LeChiffre encrypting trojan. New ransomware decryption tools are published frequently and often available for free.
The important thing to remember is that before you start planning your response, you need to make sure a response is actually necessary. Modern ransomware uses target lists of file types to go after the most valuable files first, and strong encryption that rules out regaining access by brute force, so you will probably find that your situation is less than ideal… but it doesn’t hurt to check.
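Checking the ransomware’s claims means looking at the files themselves rather than the ransom note. The following triage script is an added illustration and is not part of the original article: it walks a directory, flags files whose header no longer matches their extension or whose contents are uniformly high-entropy, and separates out the ransom notes. The magic bytes, note phrases and sample file names are assumptions made for the example.

```python
import math
import tempfile
from collections import Counter
from pathlib import Path

# Assumed for this example: magic bytes for a few file types worth caring
# about, and phrases that typically appear in ransom notes.
MAGIC = {".pdf": b"%PDF", ".docx": b"PK\x03\x04", ".png": b"\x89PNG"}
NOTE_MARKERS = (b"bitcoin", b"decrypt", b".onion")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: about 8.0 for encrypted or random data, far lower for text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def classify_file(path: Path) -> str:
    """Decide whether a file looks intact, encrypted, or like a ransom note."""
    data = path.read_bytes()
    if any(m in data[:4096].lower() for m in NOTE_MARKERS):
        return "ransom_note"
    expected = MAGIC.get(path.suffix.lower())
    if expected is not None:
        # Known type: a wrong header is the strongest sign the body was replaced.
        return "intact" if data.startswith(expected) else "header_mismatch"
    # Unknown type: fall back to entropy. Caveat: archives and media are also
    # high-entropy, so treat this as a lead to verify, not as proof.
    if len(data) >= 256 and shannon_entropy(data) > 7.5:
        return "high_entropy"
    return "intact"

def triage(root: Path) -> dict:
    """Summarise which files under root appear damaged, so the claim can be checked."""
    verdicts = {p.name: classify_file(p) for p in sorted(root.rglob("*")) if p.is_file()}
    damaged = sorted(n for n, v in verdicts.items() if v in ("header_mismatch", "high_entropy"))
    notes = sorted(n for n, v in verdicts.items() if v == "ransom_note")
    return {"counts": dict(Counter(verdicts.values())), "damaged": damaged, "notes": notes}

def build_sample_tree(root: Path) -> None:
    """Constructed sample data standing in for a file share that was hit."""
    (root / "budget.pdf").write_bytes(b"%PDF-1.4\n" + b"plain report text " * 40)
    (root / "contract.docx").write_bytes(bytes(range(256)) * 16)  # body replaced by ciphertext
    (root / "minutes.txt").write_bytes(bytes(range(256)) * 16)    # no magic to check; entropy 8.0
    (root / "notes.txt").write_text("Meeting moved to Tuesday.\n" * 20)
    (root / "README_DECRYPT.txt").write_text("Your files are encrypted. Pay in Bitcoin via Tor.\n")

def demo() -> dict:
    """Run the triage over the constructed tree in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return triage(Path(tmp))
```

Point `triage()` at a real share to get a count of files that actually changed; files still opening with the right header are not covered by the attacker’s claim, whatever the note says.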
Restore From Backups
If you’ve been following this article series for a while, you’ll probably recall that we’re strong advocates of a thorough backup plan. This is one case where investing the time and resources upfront to implement such a plan will pay dividends.
If you have recent backups of the encrypted files, there’s almost certainly no need to pay the ransom.
Sure, you might lose work completed in the last day or two, but in ransomware terms that’s getting off very lightly.
If, on the other hand, you don’t have recent backups, I’m afraid you’re out of luck. Instead, it’s time to have that discussion…
To Pay, or Not to Pay… That is the Question
“But what if we pay… and they don’t give us the decryption key?”
This is perhaps the most common question we’re asked about ransomware, so it makes sense to get it out of the way early. The ransomware business model, which has been tremendously successful for cyber criminals, relies on organizations trusting that a decryption key will be provided if they’re willing to pay up. Consequently, organizations that choose to pay their ransoms do regain access to their files…
…most of the time.
Yep, you guessed it, there are some real scammers out there who won’t give up the decryption key even if you decide to pay them. Naturally, that poses a conundrum for organizations infected with ransomware.
And it doesn’t stop there.
If you do decide to pay, and you’re granted access to your files, you’ve just given the game away. The group of threat actors who targeted you now know that you’re willing to engage with them. They might just choose to attack you again, or even pass on this knowledge to other groups. It’s these factors combined that led the FBI to actively discourage the payment of cyber ransoms. FBI Cyber Division Assistant Director James Trainor sums it up like this:
“Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom.”
“Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Ultimately, of course, it’s your decision. If you can’t restore from backups, and you can’t do without the files, you may feel your only option is to pay the ransom and put your trust in the ‘honor’ of these threat actors.
What’s Everybody Else Doing?
Whether or not you choose to pay the ransom, you’re far from alone. Plenty of organizations have been victimized by ransomware attacks. And even though many organizations choose not to pay, victims in the US paid over $24 million in ransoms in 2015 alone.
Methodist Hospital in Kentucky recently received demands for approximately $1,600 in Bitcoins, leading them to declare an internal state of emergency. So far, they claim, they have opted not to pay the ransom. Hollywood Presbyterian Hospital in California, on the other hand, opted to pay a $17,000 ransom earlier this year to regain access to their files.
Hospitals naturally make excellent targets for threat actors of particularly dubious morals, and there has been a spate of high profile ransomware attacks in the healthcare industry in recent months. Regardless of your industry, though, a quick Google search will demonstrate that nobody is truly safe from the clutches of ransomware.
But of course, precise statistics are hard to come by. Many attacks go unreported by the media, mainly because the organizations affected simply don’t want the bad publicity that comes with admitting they’ve been breached (especially if they’ve opted to pay the ransom).
Ultimately, though, there are plenty of high profile examples to go around, and they bring us no closer to deciding whether or not to pay up. I’m afraid you’ll have to make that decision for yourself.
Operation Clean Up
One thing that is clear, though, is that once you’ve been hit with ransomware you need to make sure it’s really gone.
Your files are encrypted (or your computer locked), but you’ll also need to investigate exactly what happened. How were you compromised? Can you prevent it from happening again? And what happened to the trojan?!
In short, a detailed postmortem is required, and you’ll likely find plenty of ways to enhance your security program in order to prevent this happening again.
If you don’t have a dedicated security team, you may need to enlist the help of a vendor to get this job done. Whether you choose to pay the ransom or not, it doesn’t take much to guess that you’d rather this didn’t happen again.
The Sad Truth About Ransomware
Here’s the thing. There’s a reason why we covered prevention before recovery in this series of articles.
Once you’ve been infected, unless you’re very lucky, your options are extremely limited: Restore from backups, pay, or suck it up.
But whatever you do, make sure you learn from your mistakes.
Conduct a full postmortem to identify what went wrong, and how it can be prevented in future. Make sure you have sensible cyber hygiene programs in place, such as vulnerability and patch management, security awareness training focused on phishing, strict email scanning protocols, and a comprehensive off-site backup plan.
If you don’t have the resources to build a permanent security team, give serious consideration to partnering with a specialized security vendor. At PhishLabs we offer specialized spear phishing protection and employee defense training, and we’d love to help secure your organization against future ransomware attacks.
After all, it’s happened once. It can always happen again.