By Cameron Camp
If you’re a victim of ransomware, cybercriminals
will encrypt your data and documents and demand a fee to unlock them.
Once your data is locked, you face a tough choice: whether or not to pay. And if
you do pay, will you really get your data back? Here, we look at some tips
on what to do if it happens to you.
Who are you paying?
Is there any way to really know that your bitcoin
ransom (bitcoin is increasingly the currency of choice for cybercriminals) will reach
the person who actually holds the decryption keys? What if they come back and ask you for more
money? What if you pay and they then reveal they don’t have the keys after all, leaving
your data unusable? What if you pay and they never get back to you at
all?
How much are you paying?
The amount of the ransom depends on the size of
your organization, how much data is affected, and how often, historically,
people in a similar position have paid. Easy targets with deep pockets
are likely to get higher bills; those who are known not to pay are less
likely to be targeted, and when they are, the ransom tends to be closer to a
nuisance fee than to something larger than a house payment.
How bad is the impact?
As described in our recent blog post about the incorporation of the insidious KillDisk
component into the ransomware mix, you could now face not only having your data
locked, but having your entire hard drive scrambled beyond ordinary recovery
(short of forensic recovery). If only one machine is affected, that’s
certainly less of an impact than some modern ransomware attacks, which lock up
data across internal networks.
What is your organization’s policy?
Increasingly, organizations are adding ransomware scenarios
to the disaster recovery (DR) plans that they practice. If you don’t have a DR plan,
you may want to start from the templates or other boilerplate documents published by
organizations such as NIST that give general guidelines. Luckily, plenty
of organizations have already given it some thought and can advise on the
practical steps to take if it happens.
How good are your backups?
If your backups are close at hand, offline, and easy
to restore, you can breathe a sigh of relief; you’ve definitely passed the
test. On the other hand, if you’re restoring bulk data across the network from
the cloud or a remote site, the size of the network pipe can be a significant factor. At
times it’s faster to send a courier or overnight service to retrieve a box of
hard drives. Still, if you have the data in its original form and a fairly
recent data set, you’ll be miles ahead of those who don’t.
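“Easy to restore” is only known once a restore has actually been tested against a record of what the data looked like before the incident. The following added example (not code from the original article) shows the minimal form of that test: a SHA-256 manifest is built from the live data, an offline copy is taken, a ransomware-style event (one file overwritten with random bytes, one deleted) is simulated, and the restored tree is verified against the manifest. The directory layout, file names and contents are constructed for the example and are not from the article.

```python
"""Restore verification against a SHA-256 manifest (illustrative example)."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest.

    Store this manifest with the offline backup; it is what a restore is checked against.
    """
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(root, manifest):
    """Compare a restored (or damaged) tree against the manifest.

    Returns lists of files that match, differ (e.g. encrypted in place) or are missing.
    """
    root = Path(root)
    report = {"ok": [], "modified": [], "missing": []}
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
        elif sha256_file(p) != digest:
            report["modified"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def demo():
    """Constructed scenario: backup, simulated ransomware damage, restore, verify."""
    work = Path(tempfile.mkdtemp())
    try:
        live = work / "live"
        (live / "finance").mkdir(parents=True)
        (live / "finance" / "ledger.csv").write_text("date,amount\n2017-01-03,100\n")
        (live / "notes.txt").write_text("quarterly plan\n")
        manifest = build_manifest(live)

        # Take the "offline" copy before anything goes wrong.
        backup = work / "backup"
        shutil.copytree(live, backup)

        # Simulate the incident: one file encrypted in place, one wiped.
        (live / "finance" / "ledger.csv").write_bytes(os.urandom(64))
        (live / "notes.txt").unlink()
        damage = verify_restore(live, manifest)

        # Restore from the offline copy and prove every file came back intact.
        restored = work / "restored"
        shutil.copytree(backup, restored)
        after = verify_restore(restored, manifest)
        return damage, after
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    damage, after = demo()
    print("after incident:", damage)
    print("after restore: ", after)
```

The point of the manifest is that it is produced before the incident and kept with the offline copy: a restore that merely “completes” tells you nothing if the backup job had been quietly copying already-encrypted files for a week.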
What data is really important?
Your critical data should be far harder to
access than, say, a laptop used by salespeople in the field, and therefore
much less likely to be affected in a ransomware attack. It also means that if
a laptop does get compromised, it may be easier to simply re-image it, restore
the user’s data and get on with your life.
Know how to spot a scam
Many ransomware campaigns use phishing emails as an
entry point, and while user training makes these easier to spot, the emails
can be very convincing. For this reason, filtering at an upstream email gateway, or even on
the endpoint (depending on your environment), can catch rogue emails before they get
a chance to act.
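The kind of rule a gateway applies to those emails is simple to show. The following added example (not code from the original article, and not any vendor’s engine) parses two constructed messages with Python’s standard `email` module and flags four common phishing indicators: a Reply-To domain that differs from the sender’s, a display name that invokes a brand while the address is from some other domain, urgency wording in the subject, and an attachment with a scriptable or double extension. The trusted domain `acme.example`, the brand word list and both sample messages are assumptions made up for the example.

```python
"""Toy phishing-indicator checks of the sort an email gateway rule set applies."""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical organization values; a real deployment would load these from config.
TRUSTED_DOMAINS = {"acme.example"}
BRAND_WORDS = {"acme"}
RISKY_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd", ".docm", ".xlsm"}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|final notice)\b", re.I)

# Constructed sample messages (not real captures).
PHISH_SAMPLE = """\
From: "Acme Payroll" <noreply@mail-acme-support.xyz>
Reply-To: pay-now@webmail.example
To: staff@acme.example
Subject: URGENT: open the attached invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please open the attachment immediately.
--b1
Content-Type: application/octet-stream; name="invoice.pdf.js"
Content-Disposition: attachment; filename="invoice.pdf.js"
Content-Transfer-Encoding: base64

dmFyIGEgPSAxOw==
--b1--
"""

BENIGN_SAMPLE = """\
From: "Jane Doe" <jane@acme.example>
To: staff@acme.example
Subject: Lunch menu for Friday
Content-Type: text/plain

The cafeteria menu is on the intranet page.
"""


def _domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def phishing_indicators(raw):
    """Return a list of human-readable indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    found = []

    name, sender = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(sender)

    # 1. Replies routed somewhere other than the apparent sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and _domain(reply_to) != sender_domain:
        found.append("reply-to domain differs from sender domain")

    # 2. Display name trades on a trusted brand while the address does not belong to it.
    if any(b in name.lower() for b in BRAND_WORDS) and sender_domain not in TRUSTED_DOMAINS:
        found.append("display name impersonates a trusted brand")

    # 3. Pressure to act now, the classic social-engineering lever.
    if URGENCY.search(str(msg.get("Subject", ""))):
        found.append("urgency language in subject")

    # 4. Attachments that can execute, or that hide their real extension.
    for part in msg.iter_attachments():
        fname = (part.get_filename() or "").lower()
        if any(fname.endswith(ext) for ext in RISKY_EXTENSIONS) or fname.count(".") > 1:
            found.append(f"risky attachment: {fname}")

    return found


def is_suspicious(raw, threshold=2):
    """Quarantine decision: two or more independent indicators (threshold is assumed)."""
    return len(phishing_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, sample in (("phish", PHISH_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, is_suspicious(sample), phishing_indicators(sample))
```

Scoring several weak signals together, rather than blocking on any one, is what keeps the false-positive rate tolerable: a legitimate newsletter may well have a different Reply-To, but it rarely also ships a `.js` file and an “urgent” subject line.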
As long as it’s profitable, ransomware will
continue to flourish. By taking these steps, we all can help reduce the
likelihood of a payout, and defund the scammers. As soon as the money stops,
they will too.