The threat of ransomware is ever-present – and it’s growing. There have been more than 4,000 ransomware attacks every day since 2016, according to an interagency US Government report. The response to these attacks has varied widely, with the least prepared organisations often paying the ransom demanded.
The potential damage is enormous. According to Coveware, the average cost to pay a ransom is $154,108, with a downtime of 21 days. Organisations of all sizes must put resources into building resilience against ransomware.
Craft a reasoned strategy, put protections in place and test your defences – or you may find that your organisation cannot recover.
To pay or not to pay
The first thorny question that arises in the face of a ransomware attack is whether to pay the ransom. Unfortunately, paying has a lot of downsides and relatively few upsides. For a start, if you pay the ransom, you’re sending out a dangerous message to criminals that you will play ball. The inevitable consequence is that they’re far more likely to target your sector or attack your organisation again in the future.
Ethically, you must consider where the ransom money is going. Is the attacker a criminal gang or even a terrorist organisation? There may even be legal consequences if you are later found to have funded terrorism.
Finally, an issue that’s often missed in this scenario is that the best outcome of paying the ransom is usually just a functioning decryption tool. This doesn’t instantly return things to normal, and you will have to allocate more resources for a full recovery. Apart from the risk that the tool doesn’t work, you may face a logistically tricky task in simply entering all the keys on your various devices. Once all this is done, there’s still the pressing concern of tracing and mitigating the original breach that let the ransomware gain a foothold in your network.
Reporting ransomware attacks
While it may be tempting not to report a ransomware attack to avoid reputational damage, it’s crucial you do so. When organisations quietly pay, perhaps fearing regulatory wrath, they put everyone at greater risk. Threat actors share intelligence, and if companies don’t do the same, there’s a tangible risk that attackers can run the same scams and attacks on multiple organisations and partners. Sharing information about ransomware attacks allows the justice department to issue warnings and advise others to better prepare and defend against them.
There are also regulatory requirements to think about, especially if you’re operating in several jurisdictions. It’s best to be open and honest, even if you aren’t sure whether data was exfiltrated. It’s smart to make some provision for reporting and coordinating with regulators because a flood of incoming queries when the news breaks could prove difficult to handle if you don’t have clear plans and responsibilities in place.
Guarding against ransomware
There are several preventive measures and precautions you can take to reduce the risk of a ransomware attack and ensure business continuity should the worst happen. These three are crucial to emerging successfully:
- Maintain a proper back-up: Regular and comprehensive back-ups don’t have to be especially expensive, and they will pay for themselves many times over if an attack breaches your defences. Because there’s often a gap between infection and discovery, multiple historic back-ups from several points in time are the way to go.
- Patch continuously: Known vulnerabilities are low-hanging fruit for attackers, so you must work hard to keep software up to date and systems patched with the latest releases, which will often contain security fixes. Even though it takes time and there will always be some unpatched devices, having a clear picture of what’s patched can also help you trace and remediate after an attack.
- Maintain an up-to-date asset list: Without an accurate asset list, you’ll struggle to prevent or recover from a ransomware attack.
There are many other things to consider, from better security awareness training to phishing filters for email to anti-malware tools, but they should all build on top of these three basic concepts.
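The back-up point above is worth making concrete, because the reason for keeping "multiple historic back-ups from several points in time" is exactly the gap between infection and discovery. The following Python script is an added example, not code from the article or from the ISF: it implements a simple grandfather-father-son rotation, then checks whether a clean restore point (one taken before the assumed infection date) still exists for a given dwell time, and contrasts that with a rotation that keeps only the last seven days. The retention numbers, the choice of Sunday and first-of-month backups, and the sample date range are all assumptions.

```python
"""Backup retention check for ransomware resilience.

Added example for this article (not code from the ISF or the article's author).
It shows why back-ups from several points in time matter: if malware sits
undetected for weeks, a rotation that only keeps the last few days leaves no
clean restore point. Policy numbers and dates below are assumptions.
"""
from datetime import date, timedelta

# Assumed grandfather-father-son policy: 7 dailies, 4 weeklies (Sunday),
# 6 monthlies (first backup taken in each calendar month).
DAILY_KEEP = 7
WEEKLY_KEEP = 4
MONTHLY_KEEP = 6


def select_retained(backups, daily=DAILY_KEEP, weekly=WEEKLY_KEEP,
                    monthly=MONTHLY_KEEP):
    """Return the sorted list of backup dates kept under the rotation.

    backups: iterable of datetime.date, one per completed backup.
    """
    dates = sorted(set(backups), reverse=True)      # newest first
    keep = set(dates[:daily])                        # most recent dailies

    # Weeklies: the newest `weekly` Sunday backups (weekday() 6 == Sunday).
    sundays = [d for d in dates if d.weekday() == 6]
    keep.update(sundays[:weekly])

    # Monthlies: first backup taken in each month, newest `monthly` months.
    first_of_month = {}
    for d in sorted(dates):                          # oldest first
        first_of_month.setdefault((d.year, d.month), d)
    keep.update(sorted(first_of_month.values(), reverse=True)[:monthly])
    return sorted(keep)


def latest_clean_restore_point(retained, infection_date):
    """Newest retained backup taken strictly before the infection date, or
    None. Anything taken on or after that date may already contain the
    malware or encrypted files, so it is not a safe recovery source."""
    clean = [d for d in retained if d < infection_date]
    return max(clean) if clean else None


def covers_dwell_time(retained, discovery_date, max_dwell_days):
    """True if a clean restore point still exists when the infection is
    assumed to predate discovery by up to max_dwell_days."""
    assumed_infection = discovery_date - timedelta(days=max_dwell_days)
    return latest_clean_restore_point(retained, assumed_infection) is not None


# Constructed sample: one backup per day from 2024-01-01 to 2024-06-30.
START, END = date(2024, 1, 1), date(2024, 6, 30)
SAMPLE_BACKUPS = [START + timedelta(days=i)
                  for i in range((END - START).days + 1)]


if __name__ == "__main__":
    gfs = select_retained(SAMPLE_BACKUPS)
    last_week_only = select_retained(SAMPLE_BACKUPS, daily=7, weekly=0, monthly=0)
    for dwell in (3, 10, 45, 120):
        print(f"dwell {dwell:>3} days: GFS ok={covers_dwell_time(gfs, END, dwell)}, "
              f"last-7-only ok={covers_dwell_time(last_week_only, END, dwell)}")
```

Run as-is to see that the seven-day rotation stops providing a clean restore point once the assumed dwell time exceeds a week, while the rotation that also keeps weekly and monthly points still has one at 45 and 120 days. Tune the dwell figure to the detection delay you actually expect rather than the one you hope for.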
To give your workforce the best chance of handling a ransomware attack gracefully and with the minimum of disruption, you must put clear procedures in place and ensure people understand their responsibilities. The only way to build confidence in your plan and expose areas that need to be addressed is to test it. Rehearse as realistically as you dare and then go a bit further. Practice builds confidence and makes it clear that recovery is possible.
Consider cyber insurance
While cyber insurance can be a useful add-on to lower business risk, it should never be seen as an alternative to a comprehensive strategy. Seeking cyber cover has an added benefit that is easily overlooked: the audit and assessment the insurer will invariably carry out. Being motivated to minimise their own risk, carriers will do their utmost to point out systemic weaknesses and vulnerable threat areas that require attention.
Putting all these controls in place, getting the cyber hygiene right and making it difficult for would-be attackers will be aptly reflected in the premium your insurer charges. Though the risk of ransomware is very real, you can reduce it dramatically by considering how best to handle it, building your defences and planning your response.
Find out more at securityforum.org