Ransomware - to Pay or Not to Pay?

Suzanne Gassman

Ransomware has been a hot topic of 2020, as bad actors continue to show there is no honor among thieves. Ransomware attacks have been targeting hospitals, healthcare organizations and other businesses that are in the throes of COVID response. As a result, sensitive data has been put at risk, huge sums of money are in the balance, and organizations have been struggling between expediency and the bottom line. 

To navigate these concerns, our security experts held a Q&A panel on the topic of Ransomware – to Pay or Not to Pay. Our team has provided the questions asked throughout the panel as well as the answers from our experts.

Question: It has been suggested that cyber-insurance may influence hackers to target large organizations, who are more likely to pay ransoms and move on – what are your thoughts?

Answer: Logically does not see a trend to support this apologue. If anything, the opposite may be true because threat actors see smaller organizations as “low hanging fruit” and more vulnerable to attack. Everyone is a target, and everyone should have cyber insurance because it pays for other things like incident response, business interruption, and regulatory liability.

Question: What factors should help me determine whether to pay ransom or to not pay?

Answer: This is really a business case and one answer does not fit all. In addition to considering the Office of Foreign Assets Control (OFAC) advisory, there are a few questions to answer: How valuable is the information to the business? Can you restore the information? Is your business ready to handle future attacks if they were to come? Remember, a threat actor can be in your environment for months before you see an attack. It is safe to assume they will know your environment well enough to come back for repeat “business.”

Question: When recovering from a ransomware attack, what are the key differences between recovering from backup tape versus disk and replication?

Answer: The biggest difference is the recovery point. Tape/disk backups typically have hours to days between the time of the incident and the time it was backed up. A larger delta means a larger loss of data. Things to consider in both plans are 1) Have you tested the solution to ensure you can successfully restore operations? 2) Are you prepared to ensure the restored systems are clean of attacker footholds before you reintroduce the recovered systems to production?

Question: What makes today’s ransomware attacks different from before?

Answer: Data exfiltration before deploying the ransomware. Look no further than the techniques used to deploy Maze or Clop or DoppelPaymer and you see that this is the trend for the threat actors: building in an alternative to extort you if you have ways, such as good backups, to recover from the cryptovirus infection.

Question: They’ve stolen my info as well as having locked it up. How did they do that?

Answer: This is a popular tactic among practitioners of the Maze, Clop, DoppelPaymer-type variants. The threat actors will typically leverage PowerShell scripts and/or simple zip and FTP tools like 7-Zip and WinSCP respectively to zip up files from file shares and FTP them to the attacker’s FTP server before deploying the crypto locker. Even simpler techniques have been deployed, such as screen prints and email forwarding from a compromised device, with the primary objective to scare and extort you.
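The staging pattern described in that answer (archive files from a share, then push them out with a file-transfer client) is visible in ordinary endpoint telemetry, which is where a defender can catch it before the locker is deployed. The following is an added example, not code from the original post or from Logically: a small detector that reads constructed, Sysmon-style process and network events and flags a host where an archiver is run against a UNC share path and, within a short window, a transfer client starts or an outbound connection to an FTP/SFTP port is seen. The tool names, field names, 30-minute window and sample events are assumptions chosen for illustration.

```python
"""Added example (not part of the original post): detect the
"archive a share, then transfer it out" staging sequence in endpoint logs.

Input is constructed JSON-lines telemetry with Sysmon-like fields; the
field names, tool lists and window are assumptions for this illustration.
"""
import json
from datetime import datetime, timedelta

# Executables whose appearance we treat as archiving / transferring (assumed list).
ARCHIVERS = {"7z.exe", "7za.exe", "7zg.exe"}
TRANSFER_TOOLS = {"winscp.exe", "winscp.com", "ftp.exe"}
TRANSFER_PORTS = {21, 22}          # FTP and SFTP/SCP
WINDOW = timedelta(minutes=30)     # archive -> transfer correlation window (assumed)

# Constructed sample telemetry (raw strings so JSON backslash escapes survive).
SAMPLE_EVENTS = [
    r'{"ts": "2020-11-02T01:10:00", "host": "FS01", "type": "process", "image": "C:\\Tools\\7z.exe", "cmdline": "7z.exe a C:\\Temp\\stage.7z \\\\FS01\\Finance\\*"}',
    r'{"ts": "2020-11-02T01:25:00", "host": "FS01", "type": "process", "image": "C:\\Tools\\WinSCP.exe", "cmdline": "WinSCP.exe /script=C:\\Temp\\up.txt"}',
    r'{"ts": "2020-11-02T02:00:00", "host": "WS12", "type": "process", "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe a C:\\Temp\\hr.7z \\\\FS01\\HR\\*"}',
    r'{"ts": "2020-11-02T03:00:00", "host": "WS03", "type": "process", "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe a C:\\Users\\Public\\docs.7z \\\\FS01\\Legal\\*"}',
    r'{"ts": "2020-11-02T03:10:00", "host": "WS03", "type": "network", "direction": "outbound", "dst_ip": "203.0.113.10", "dst_port": 22}',
    r'{"ts": "2020-11-02T04:00:00", "host": "WS12", "type": "network", "direction": "outbound", "dst_ip": "203.0.113.20", "dst_port": 21}',
    r'{"ts": "2020-11-02T09:00:00", "host": "WS07", "type": "process", "image": "C:\\Program Files\\7-Zip\\7z.exe", "cmdline": "7z.exe a C:\\Users\\bob\\photos.7z C:\\Users\\bob\\Pictures"}',
    r'{"ts": "2020-11-02T09:05:00", "host": "WS07", "type": "network", "direction": "outbound", "dst_ip": "198.51.100.5", "dst_port": 443}',
]


def parse_events(lines):
    """Decode JSON lines, convert timestamps, and return events in time order."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def _basename(image):
    return image.rsplit("\\", 1)[-1].lower()


def is_share_archive(event):
    """An archiver launched with a UNC (\\\\server\\share) path on its command line."""
    if event["type"] != "process":
        return False
    # A UNC path contains two consecutive backslashes; local paths like C:\Temp do not.
    return _basename(event["image"]) in ARCHIVERS and "\\\\" in event.get("cmdline", "")


def is_transfer(event):
    """A transfer client starting, or an outbound connection to an FTP/SFTP port."""
    if event["type"] == "process":
        return _basename(event["image"]) in TRANSFER_TOOLS
    if event["type"] == "network":
        return event.get("direction") == "outbound" and event.get("dst_port") in TRANSFER_PORTS
    return False


def detect_staging(events, window=WINDOW):
    """Return one alert per host where a share archive is followed by a transfer within `window`."""
    alerts = []
    staged = {}  # host -> time of the most recent share archive on that host
    for event in events:
        host = event["host"]
        if is_share_archive(event):
            staged[host] = event["ts"]
        elif is_transfer(event) and host in staged and event["ts"] - staged[host] <= window:
            alerts.append({
                "host": host,
                "archived_at": staged[host].isoformat(),
                "transfer_at": event["ts"].isoformat(),
                "trigger": event.get("image") or f"outbound tcp/{event.get('dst_port')} to {event.get('dst_ip')}",
            })
            del staged[host]  # one alert per staging sequence
    return alerts


if __name__ == "__main__":
    for alert in detect_staging(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the constructed sample, FS01 (7-Zip against a share, then WinSCP 15 minutes later) and WS03 (share archive, then an outbound SSH connection) are flagged; WS12 is not, because its port-21 connection comes two hours after the archive, and WS07 is not, because it only archived a local folder. Tuning the window and the tool lists to your own environment is the real work here; the correlation itself is simple enough to live in a SIEM rule.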

If any of these questions are raising even more questions, then it may be time to talk with our security experts. Please contact us today; we’re here to help.