Some victims have backups, but still pay ransom
In a recent blog post, David Harley, senior research fellow at ESET, expressed sympathy for some victims, noting that “You can't blame people – or companies – if they decide to pay up rather than commit financial suicide, any more than you can blame them for giving their wallets to people who threaten them with knives.”
However, in that same post, Harley also cited a far more cynical scenario: “We sometimes hear of instances where organisations pay ransomware even though they do have backups because it's the cheaper option,” wrote Harley.
“That's not only irresponsible (because there is no doubt that it encourages criminality) but it suggests something significantly wrong with the backup strategy they have in place. A deterrent that you can't afford to use is of little practical use.”
Asked for more details to support this troubling claim, Harley's colleague Stephen Cobb, senior security researcher at ESET, replied to SCMagazine.com, recalling a recent conference presentation he made in front of 300 managed service providers. According to Cobb, several of the MSPs in attendance told him that they had clients whose system administrators “had paid ransoms even though recovery from backups would have been possible”.
“The risks of doing this extend beyond not getting the data back despite paying. They include – and again, there was actual knowledge of this – getting hit again because you are seen as a soft target,” said Cobb, adding that these companies apparently had no policies in place to “limit the sysadmin response to a ransom demand,” seemingly giving sysadmins carte blanche to open up their organisations' wallets.
However, other experts downplayed concerns that this is a common problem among organisations.
“I've never heard of a company explicitly making this decision. However, all security is about risk management: how much you are willing to spend on security is (or should be) determined by how much you have to lose and how likely you are to lose it,” said Sophos' Weinstein. That said, “it wouldn't be surprising if a company did make this kind of decision.”
Trend Micro also could not provide SCMagazine.com with an example of a company forgoing existing backup protocols in favor of paying the ransom.
In his own emailed responses to SCMagazine.com, Harley stated that other companies are acting irresponsibly by implementing inadequate defenses, often because they are not “security-savvy enough to plug all the holes”.
“If ransomware gets the chance to execute, the amount of damage it can do is limited by access restrictions in the environment in which it is executed. Unfortunately, if backup systems are set for convenience rather than ransomware-specific security, backups may also be compromised by the malware,” said Harley.
“If there are organisations that are missing out steps that would help them survive such circumstances, in the expectation that they can always pay the ransom, they could be in more trouble than they realise.”
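The point Harley makes about access restrictions and backups “set for convenience” is easy to demonstrate. The following is an added illustration, not code from ESET or from the article: a toy ransomware routine runs with an ordinary user's rights inside a temporary directory and encrypts every file that user can write, and two backup designs are compared. The `ConvenienceBackup` class stands for a mapped drive or share the user can already write to; the `IsolatedBackup` class is an assumed append-only, versioned store reached only through its own API (the behaviour immutable snapshots or object-lock features on real backup products provide). The sample document, the XOR “cipher” and the class names are all constructed for the example.

```python
"""
Added illustration (not ESET's or the article's code): a toy ransomware run
with an ordinary user's rights against two backup designs. Everything runs
in a temporary directory and is deleted afterwards.
"""
import os
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

ORIGINAL = b"Q3 financials: revenue 1,200,000"   # constructed sample document


def toy_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for the ransomware's cipher. Real ransomware uses strong
    crypto; the access-control lesson does not depend on the cipher."""
    return bytes(b ^ key for b in data)


class ConvenienceBackup:
    """Plain directory (mapped drive, USB disk, NAS share) reachable with the
    same credentials the user, and therefore the malware, already holds."""
    def __init__(self, root: Path):
        self.root = root
        self.root.mkdir(parents=True, exist_ok=True)

    def store(self, name: str, data: bytes) -> None:
        (self.root / name).write_bytes(data)          # overwrites the only copy

    def restore(self, name: str) -> Optional[bytes]:
        p = self.root / name
        return p.read_bytes() if p.exists() else None


class IsolatedBackup:
    """Assumed append-only, versioned store behind its own API and credentials.
    A client may add a version but never overwrite or delete one; the store
    is not exposed as a writable filesystem to the user's session."""
    def __init__(self) -> None:
        self._versions: Dict[str, List[bytes]] = {}

    def store(self, name: str, data: bytes) -> None:
        self._versions.setdefault(name, []).append(bytes(data))

    def restore(self, name: str, version: int = -1) -> bytes:
        return self._versions[name][version]


def backup_share_in_blast_radius(path: Path) -> bool:
    """Pre-flight check: can the current user overwrite files in the backup
    location? If yes, ransomware running as that user can too."""
    return path.exists() and os.access(path, os.W_OK)


def ransomware_run(start: Path) -> List[Path]:
    """Toy ransomware: encrypt in place every file the current user can write
    under `start`. It never escalates; its reach is exactly the user's reach."""
    hit = []
    for p in sorted(start.rglob("*")):
        if p.is_file() and os.access(p, os.W_OK):
            p.write_bytes(toy_encrypt(p.read_bytes()))
            hit.append(p)
    return hit


def run_scenario(tmp_root: Path) -> Dict[str, object]:
    home = tmp_root / "home"
    docs = home / "docs"
    docs.mkdir(parents=True)
    doc = docs / "finance.xlsx"
    doc.write_bytes(ORIGINAL)

    conv = ConvenienceBackup(home / "backup_drive")   # mounted inside the user's reach
    iso = IsolatedBackup()
    conv.store("finance.xlsx", ORIGINAL)
    iso.store("finance.xlsx", ORIGINAL)

    exposed = backup_share_in_blast_radius(conv.root)
    hit = ransomware_run(home)                         # encrypts docs AND backup_drive

    # The scheduled backup job runs after the infection and pushes ciphertext.
    conv.store("finance.xlsx", doc.read_bytes())       # good copy is gone
    iso.store("finance.xlsx", doc.read_bytes())        # new bad version, old one kept

    return {
        "backup_share_writable_by_user": exposed,
        "files_hit": len(hit),
        "convenience_restorable": conv.restore("finance.xlsx") == ORIGINAL,
        "isolated_latest_is_clean": iso.restore("finance.xlsx") == ORIGINAL,
        "isolated_prior_version_clean": iso.restore("finance.xlsx", 0) == ORIGINAL,
    }


def run_scenario_in_tempdir() -> Dict[str, object]:
    with tempfile.TemporaryDirectory() as d:
        return run_scenario(Path(d))


if __name__ == "__main__":
    for k, v in run_scenario_in_tempdir().items():
        print(f"{k}: {v}")
```

Two things the run makes concrete. First, `backup_share_in_blast_radius` is the check worth running before an incident: if the backup agent's account, or the interactive user, can overwrite the backup target, the backup shares the user's blast radius and the malware reaches it directly. Second, even a target the malware cannot touch is only as good as its versioning: the post-infection backup job pushes ciphertext, so the latest copy in the isolated store is bad and recovery depends on an earlier version that nobody on the client side could overwrite or delete.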
To avoid missteps in handling a ransomware crisis, experts advise having an incident response plan in place. To that end, the Health Information Trust Alliance (HITRUST), an organisation composed of healthcare, business, technology and information security leaders, is in the process of updating its CyberRX program – a series of free, industry-wide cyberincident exercises – to include a number of ransomware scenarios.
“We are encouraging organisations to look more broadly at cyber resilience which goes beyond cyber defenses and preparedness but response and recovery,” said Daniel Nutkis, CEO of HITRUST, in an email interview with SCMagazine.com. Nutkis said that the CyberRX program's exercises include “scenarios targeting information systems, medical devices and other essential technology resources of government and healthcare organisations.”
According to its 2016 first-half report, Trend Micro observed 79 new ransomware families in the first six months of this year, compared to just 29 in all of 2015. Of the 80 million ransomware threats it detected and blocked, 58 percent were distributed via spam email attachments and 40 percent were downloads from URLs. Database-related files were the business files most often encrypted by infections, followed by SQL files, web pages, tax return files and Mac OS files.