
Before you pay your ransomware read this

Mon 13 May 2019 | Naaman Hart


Speaking to Techerati, Naaman Hart, cloud services architect at cybersecurity company Digital Guardian, explores the pressures to pay ransoms and the rise of the trustworthy attacker

Ransomware is such a popular means of attack that it is almost becoming infeasible to report on every single breach. According to recent figures, ransomware accounts for nearly 24 percent of all malware incidents. Companies are yielding to attackers at a staggering rate, turning the ransomware market into a lucrative business.

While in an ideal world we would hope no company would give in to attackers, in the current climate this is an unrealistic ideal, and for many reasons it is entirely rational for a company to pay up. But firms still need to go about the process in an intelligent way: to maximise their chances of getting back their files and ensure they don’t fall victim again. We asked Naaman Hart, cloud services security architect, to outline the best practices.

Why pay

While it is clearly unethical to fund criminal activity, there are many practical and financial reasons companies decide to pay ransomware demands. First, the cost of downtime often far outweighs the price attackers demand, especially in the manufacturing industry. In the most competitive industries, such as instant online services, if users cannot access a firm's website they will simply go to a competitor.

On top of these strong incentives, many companies also have insurance policies whose providers pressure them to pay early, before the cost of downtime exceeds the ransom. Where a ransomware insurance policy covers some or all of the payment, the cost to the business falls further. That is before we consider that the malware itself, such as Ryuk, is becoming more sophisticated and harder to decrypt. Naaman added that reputation also weighs heavily in firms' calculations:

“If you just pay them, then the whole situation goes away and there’s no need to report any data loss or anything like that,” he said. “This is completely against everything. It’s against GDPR, it’s against best practices, it’s ethically questionable. It’s not really what they should be doing, but you can understand the reasoning in that they just want this to go away and they want to keep it quiet.”

While there are basic measures that protect against attacks, such as creating offsite backups segregated from normal day-to-day systems and practising the accompanying recovery drills, if companies have not made adequate preparations, payment quickly becomes the 'cheapest' option.
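A backup that has never been restored is not a backup. The script below is an added example, not code from the article or from Digital Guardian, of the recovery drill the paragraph above refers to: take a SHA-256 manifest of the offline copy when it is made, simulate an incident that destroys a production file, and verify a restore file by file against the manifest. The directory layout and file contents are constructed for the example.

```python
"""Restore-drill check for an offline backup (added example, constructed data).

Flow: take a hash manifest of the offline copy -> simulate ransomware damage on
the production tree -> diff production against the manifest -> restore from the
offline copy into a fresh directory -> verify the restore is complete.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample tree standing in for a day-to-day file share.
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2019-04-01,1200\n",
    "hr/employees.txt": b"alice,bob,carol\n",
    "ops/runbook.md": b"# Recovery runbook\n1. isolate\n2. restore\n",
}


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_tree(manifest: dict, tree: Path) -> dict:
    """Compare a directory against the manifest taken at backup time."""
    actual = build_manifest(tree)
    return {
        "missing": sorted(set(manifest) - set(actual)),
        "modified": sorted(k for k in manifest if k in actual and actual[k] != manifest[k]),
        "unexpected": sorted(set(actual) - set(manifest)),
    }


def write_tree(root: Path, files: dict) -> None:
    for rel, data in files.items():
        dest = root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        dest.write_bytes(data)


def run_drill() -> tuple:
    """Return (damage report before restore, verification report after restore)."""
    with tempfile.TemporaryDirectory() as tmp:
        prod = Path(tmp) / "prod"
        backup = Path(tmp) / "backup"      # the segregated offline copy
        restored = Path(tmp) / "restored"  # fresh target for the restore
        write_tree(prod, SAMPLE_FILES)
        write_tree(backup, SAMPLE_FILES)
        manifest = build_manifest(backup)  # taken when the backup was made

        # Simulated ransomware: overwrite one production file and rename it.
        victim = prod / "finance/ledger.csv"
        victim.write_bytes(b"\x00garbage")
        victim.rename(victim.with_suffix(".csv.locked"))

        damage = verify_tree(manifest, prod)
        shutil.copytree(backup, restored)
        after = verify_tree(manifest, restored)
        return damage, after


if __name__ == "__main__":
    damage, after = run_drill()
    print("damage before restore:", damage)
    print("verification after restore:", after)
```

The drill passes only when the post-restore report has no missing, modified or unexpected entries; a manifest kept with the offline copy is what lets you say "we got everything back" rather than hoping.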

Before paying

If forced into this corner, firms must be shrewd in the way they go about it, as there is a significant price tag attached, and one rising year on year. Coveware research shows that the average ransom organisations pay per incident has nearly doubled in the past two quarters alone, from $6,733 (£5,198) in Q4 2018 to $12,762 (£9,821) in Q1 2019.

Some say paying at all is foolish. It is true that there are no guarantees attackers will supply a working decryption tool upon payment. Indeed, a 2018 study claimed that on average fewer than half of those who handed over the money successfully retrieved their files. However, recent research suggests the tide is turning. Coveware claims 96 percent of companies who pay their ransom receive a working decryption tool, and that those companies manage to decrypt 93 percent of their data using it. Naaman said the shift is unsurprising: attackers are getting savvier, appreciating that improving the trust relationship lands them more cash.

“It’s ironic that you can call them trustworthy, but that is essentially the basis of the business,” Naaman said. “If those companies actually weren’t able to restore your data when they are paid, then that would quickly get around and this industry literally would die overnight. Attackers are putting a lot of time and effort into making sure that they can recover your data and their payment mechanisms.”

In the presence of these incentives, victims can by and large assume that attackers will hold up their end of the deal. Nevertheless, it would be imprudent to simply panic and pay without some proper examination of the breach.

First, analyse what data has been compromised. If it does not comprise information vital to business functionality (for instance only containing employee records) it does not ‘pay to pay’.

A simple calculation is to compare how much it will cost to restore the data manually against the ransom demanded. Next, establish that attackers actually hold the data they claim to. To grease the wheels, Naaman said, savvy attackers are incorporating proof mechanisms into their attacks:


“With some attacks, if you browse through the payment page, it will give you an example of a file on your system that could’ve only existed on your system and may have some specific data that’s specific to you, so you can validate, ‘Hang on, this is actually my data and that’s what I’m going to get back’”.

If attackers haven’t incorporated such a mechanism into the attack, always ask them for some form of proof before paying. If they cannot prove they have your data, it increases the odds that they have no intention of holding up their end of the deal.

Once payment has been made

Once the ransom has been paid, businesses need to do everything they can to future-proof themselves against similar attacks. Aside from creating offsite backups and establishing disaster recovery protocols, Naaman said the first thing they should do is pick up the phone to security experts to understand how they were attacked, and then establish the specific tools and practices that will stop it happening again. The post-mortem should begin by identifying the point of entry.

“Very often that’s going to be an individual and it’s going to be one of the typical ingress methods, whether that’s over email or USB key, something like that. It’s coming in a way that’s most likely predictable and should be locked down in the first place. Finding out how that got in is very important to make sure it doesn’t happen again.”

Only if it's the only option

It is important to remember that payment incentivises attackers and in large part accounts for the uptick in attacks. This prisoner's dilemma is not going to dissolve any time soon as long as firms remain careless in their protection and extorters ensure payment is easy and effective. Naaman said that, as the practice hangs on trust, perhaps the only way for it to be completely eradicated is if that trust is forcibly eroded. Although he did not defend it, he said a state-sponsored variant could do the trick.

“You simply release a variant, it goes out and encrypts everyone’s data, and when they attempt to pay there’s no option and that’s it, it’s all gone,” he said. “If a government entity were to release that ransomware and give people no opportunity to get their data back, this industry again would die overnight.”

Experts featured:

Naaman Hart

Cloud Services Architect
Digital Guardian

