Paying a Ransom is Not an Option - So What Should Be Done Instead?

According to the 2019 study, Ransomware threats: is your agency ready?, 30% of federal agencies have experienced a ransomware attack within the last three years. In one of the most disastrous attacks, a variant called RobinHood hit Baltimore, USA, in May 2019. Obeying the instructions of the FBI and law enforcement, the city refused to pay the ransom of $76,000 and ended up spending $10m on data recovery and losing $8m because of loss of services, including bill payments. 

Therefore, with attacks like this becoming increasingly frequent, what should organizations do if they fall victim? Pay up and hope for the best, or refuse and risk prolonged issues? There is a better option — organizations can act now and take steps that will help them avoid ever having to make this choice. 

Just Pay the Ransom? 

The FBI offers three compelling reasons never to pay a ransom. Firstly, there is no guarantee the victim will get the decryption key once the money has been paid. In fact, there are multiple cases of organizations that have paid the ransom but never received the promised decryption key. Another concern is: even if you receive the key, there is no guarantee you will restore operations overnight. 

Secondly, if agencies do pay, there’s nothing to prevent hackers from attacking again and forcing them to pay repeatedly, with each ransom demand being higher than the last. Indeed, research from Coveware found that the average ransom payment increased 43% from $154,108 in Q4 2020 to $220,000 in Q1 2021.  

Thirdly, agencies encourage the ransomware business model and put other organizations at increased risk by paying a ransom. 

Ways to Avoid Ransomware Attacks 

There are two key ways that agencies can minimize the chances of paying a ransom. Firstly, by reducing their vulnerabilities to avoid being infected in the first place and secondly, ensure they can recover quickly to minimize the damage. 

Additionally, an essential strategy for avoiding ransomware — and a significant way organizations can minimize the chances of being targeted — is to invest in education. Recent research has revealed that the majority (59%) of government organizations saw cybersecurity awareness among employees as their top priority for 2020.

Of course, even the best training cannot guarantee that everyone will always follow security best practices. Even a single thoughtless click on a link in a phishing email can unleash ransomware across an agency’s environment. Therefore, every organization should assume it will suffer a ransomware infection at some point and develop and test a plan to respond swiftly to limit the damage. An effective plan requires fast detection, response and data recovery: 

Inventory Data and Who has Access to It

To minimize the risk of losing access to sensitive data, such as the personally identifiable information of citizens and employees, organizations must know exactly what types of data they store and secure it according to its value. Automated data classification will help deliver better awareness into what data exists, who has access to it and how sensitive it is so agencies can implement measures to protect critical assets. In particular, since ransomware often relies on the access rights of the user account it has compromised, rigorously enforcing least-privilege principles will minimize the amount of data that can be encrypted in an attack. 

Improve Anomaly Detection and Alerting

Organizations should monitor user behavior across all critical systems and data, both on-premises and in the cloud, actively looking for abnormal activity that might indicate an attack in progress, such as any change to the list of restricted file extensions or a high number of file modifications. Encryption or data exfiltration doesn't happen instantly; both require time, especially in environments with distributed data sources and large amounts of data. Timely detection allows organizations to take action at the early stage of attacks and minimize the damage. 

Develop and Regularly Test an Incident Response Plan

Finally, organizations should document the steps for responding to signs of a ransomware attack, including who is responsible for what. Since the staff, the IT environment and the threat landscape are all constantly changing, they must test the plan regularly and update it as needed. 

Align Backup and Recovery to Organizational Priorities

First, you need to optimize your backups to ensure that the most critical data and services can be restored faster. Second, with detailed information on which files were modified or deleted during a ransomware attack, IT teams can only restore what needs to be restored. Thus, reducing the scope, IT teams can run this process faster and minimize service disruptions. 

No organization wants to choose between paying a ransom or suffering serious damage after refusing to pay. Agencies instead can prevent as many ransomware infections as possible through user education and preparing for the ones that might get through. Confident in their ability to restore access to systems and data, agencies won’t ever need to consider paying a ransom again. 

What’s Hot on Infosecurity Magazine?