Your company has been hit with ransomware: What’s the best response?


Organizations hit with ransomware must first decide if they are going to pay the ransom.

Although law enforcement adheres to a strict party-line policy of not negotiating with the extortionists, nuances do exist.

Companies need to understand the full spectrum of options, how interactions with the criminals may evolve and how to position the business to withstand an attack. Here’s a checklist that details how to respond:

  1. Understand the context. Ransomware has become big business. Analysts estimate that businesses paid more than a billion dollars in ransoms in 2016. And this year, one organization alone estimated that the Petya ransomware attack cost the company nearly $300 million in losses. WannaCry, another major attack that the NSA connected to North Korea last spring, tied up more than 300,000 machines in 150 countries.
  2. Make quick, but well-informed decisions. When the extortion demand arrives, the company may only have a matter of hours to make a decision. Past experience shows that cybercriminals will negotiate with their victims. For instance, when Nayana Communications was subjected to extortion for its data, the Nayana CEO was able to achieve a reduction from an initial demand of $1.6 million to the eventual $1 million paid. In other examples, discounts and deadline extensions were granted by three out of four separate cybercriminal gangs when researchers contacted them posing as victims. If the company does decide to pay, haggling can work.
  3. Consider if paying the ransom makes sense. If the company decides to pay, there’s no guarantee it will get its data back. The ransomware business model depends on a sense of trust between the victim and the extortionist. If the ransom is lower than the business cost of recovering without paying the attackers, and the victim remains confident that acquiescing will result in file restoration, it makes sense to pay the ransom.
  4. Get the attackers to decrypt your data. From a high-level view, it is in the attackers’ best interest to decrypt their victims’ files. That’s how they make their money. If trust erodes, then the calculation for the victim will change and payments will cease as the victim deduces that capitulation will not result in data restoration.
  5. Deploy optimal backups. The company should have a robust backup process that’s continually generating fresh copies of the organization’s data, providing business continuity against physical and cyber threats. Hopefully, these backups will only be hours old – one day at most – and are continuously tested. While restoring backups remains the optimum solution, many incident response teams report having been called to help organizations recover from a ransomware attack, only to find backups that are out-of-date or not functional. It’s absolutely vital that rigorous and regular tests of backups take place.
  6. Consider a forensic response. For a forensic response, the company must analyze both the compromised machines and, if available, the ransomware itself. The company wants to identify a way of either recovering the data from the machine in the hopes that the encryption has not correctly executed, or identify a flaw in the implementation of the encryption algorithm in the malware. A forensic response takes time and a high level of technical expertise. If the company only has hours – or at best days – to decide between paying the ransom or forever losing critical data, a forensic response won’t succeed. Seek out the No More Ransom Project, a group of experts from academia, law enforcement and industry that formed to help organizations respond to and mitigate ransomware attacks. The alliance’s website hosts one of the best collections of decryption tools available and should be used as a resource in any forensic response.

Beyond backups and forensics, companies can simply accept the data loss and work to implement preventive measures to significantly reduce the probability of a successful attack. Organizations will need a strong mix of awareness training, patching and defense-in-depth to keep extortionists at bay.

Chris Moyer is chief technology officer for Security at DXC Technology. He has spent more than 25 years building business and technology solutions for clients in several industries across multiple geographies. In previous roles, he has led solutioning, transformation projects and delivery assurance. He is also a member of the Institute of Electrical and Electronics Engineers. Connect with him on Twitter and LinkedIn.


Meet ransomware’s equally shady cousin

Lessons learned from the WannaCry ransomware attacks

Cloud-based security services set to soar

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: