If you’re a victim of ransomware, cybercriminals will encrypt your data and documents and demand a fee for them to unlock it. Once your data is locked, you face a tough choice: whether or not to pay. If you pay, will you really get your data back anyway? Here, we look at some tips on what to do if it happens to you.
Who are you paying?
Is there any way to really know if your bitcoin ransom – increasingly the currency of choice for cybercriminals – will go to the person with the digital keys? What if they come back and ask you for more money? What if you pay and then they reveal they don’t have the keys anyway and your data is still unusable? What if you pay and they don’t get back to you at all?
How much are you paying?
The amount of the ransom will depend on the size of your organisation, how much data is affected, and how likely, historically, it is that people in a similar position have paid. Easy targets with deep pockets are likely to get higher bills; whereas those who don’t pay are typically less likely to be targeted, and therefore the ransom amounts will be closer to a nuisance fee, not something that’s higher than a house payment.
“WE ALL CAN HELP REDUCE THE LIKELIHOOD OF A PAYOUT, AND DEFUND THE SCAMMERS.”
How bad is the impact?
As revealed in our recent blog about the incorporation of the insidious KillDisk component into the ransomware mix, you could now not only face having your data locked, but actually getting your entire hard drive irreversibly scrambled (short of forensic recovery). If you just have one machine affected, that’s certainly less of an impact than some modern ransomware attacks which lock up data across whole internal networks.
What is your organisation’s policy?
Increasingly, organisations are adding ransomware to the disaster recovery (DR) plans that they practice. If you don’t have a DR, you may want to use some of the templates or other boilerplate documents from folks like NIST that give you some general guidelines. Luckily, there are lots of organisations that have already given it some thought and can advise on the practical steps to take in case it happens.
How good are your backups?
If they are close at hand, offline, and easy to restore, you can breathe a sigh of relief; you’ve definitely passed the test. On the other hand, if you’re restoring bulk data across the network from the cloud or a remote site, the network pipe can be a significant factor. At times, it’s easier to send a courier or overnight service to retrieve a box of hard drives. Still, if you have the data in its original form and a fairly recent data set, you’ll be miles ahead of those who haven’t.
“IF BACKUPS ARE CLOSE AT HAND, OFFLINE AND EASY TO RESTORE, YOU CAN BREATHE A SIGH OF RELIEF.”
What data is really important?
If you have critical data, it should be far less easy to access, and therefore much less likely to be affected in a ransomware attack than, say, a laptop used by salespeople in the field. This means if you have a laptop that gets compromised, it may be easier to just re-image, restore your data and get on with your life.
Know how to spot a scam
Many ransomware campaigns use phishing emails as an entry point, and while user training makes it easier to spot these, the emails can be very convincing. For this reason, upstream email gateways, or even on the endpoint (depending on your environment) can spot rogue emails before they get a chance to act.
As long as it’s profitable, ransomware will continue to flourish. By taking these steps, we all can help reduce the likelihood of a payout, and defund the scammers. As soon as the money stops, they will too.
by Cameron Camp, ESET We Live Security