When it comes to ransomware infection, doing the right thing is not always possible.
Everybody knows that if you are infected with ransomware, you should not pay, as it only encourages crooks to keep on with their “business” and attack more users. You also know that paying guarantees you nothing and that you are relying solely on the hackers' word. However, at the RSA Conference this year, the facts presented showed the reality. Despite being strongly advised not to pay the ransom demanded, it turns out that many businesses and individuals do it anyway. In fact, according to a survey conducted by IBM at the end of 2016, approximately 70% of companies infected with ransomware decided to pay up in order to get their lost data back. The payments, in total, reached $1 million that year.
The question is: Why do businesses pay despite being advised to do the exact opposite? And the answer is: Because sometimes it is cheaper to simply pay than it is to hold out against the crooks.
“You may say ‘look, we have a business principle here, we’re not going to pay the bad guys’. But if you’re confronted with the business reality of paying the bad guys a few Bitcoins versus being offline or losing millions of dollars worth of data, your business principle might give way to the business reality of having to pay the ransom.” – said the instructor at the SANS Institute, Ed Skoudis, during the Seven Most Dangerous New Attack Techniques panel.
The CEO of Malwarebytes, Marcin Kleczynski, gave an example of a DDoS-based ransom attack instead of cryptoransomware. This kind of attack takes businesses offline until they pay the ransom. Kleczynski said to IT Pro: “Imagine a botnet being pointed at an airline’s ticketing website, which produces tens-of-millions of dollars in revenue per hour. I [as the botnet controller] say ‘this will continue unless you pay me $1 million now.’ $1 million is much less than the $10 million it makes per hour, so why not extort that kind of money?”
Furthermore, the fact that a company has backups of its data as well as a good recovery plan doesn’t guarantee that it won't pay. In theory this sounds like enough, but the reality is different.
“What we find in [our] research, of those who pay the ransom around 50% actually have backups. So the backups aren’t a panacea. What happens is, say you have the backups but the bad guys have encrypted 1,000 of your machines. IT says ‘yeah, we’ll recover, no problem – in a week’.” – said Jeremiah Grossman, chief of security strategy at SentinelOne, speaking to IT Pro. Grossman also added that if the ransom is “only $50,000”, they simply “write a cheque” because it is more expedient and, possibly, less expensive.
However, businesses attacked by ransomware may at least find some consolation in cyber insurance. After all, in the US alone, the industry is currently raking in an estimated $3 billion, and it can afford the best backup, recovery and antimalware tools. For individual victims, things are much bleaker.
“[They’re] going to get left out for a while.” – said Grossman – “There’s nothing out there for the consumer yet. It’s going to be unfortunate – while the enterprise can leverage cyber insurance, crisis management teams to negotiate, high-end, really next-gen antivirus, there’s no equivalent for the home user. They’re really going to be on their own and that’s really going to be pretty nasty.”
Aside from being nasty, being attacked with ransomware could also be very pricey for consumers. Now, with IoT attacks drastically increasing, people have much more to worry about than just their computers and phones. What is even worse is that they may have no option but to comply with the hackers' blackmail demands.
“If ransomware were to reconfigure or encrypt the control architecture of Internet of Things devices, we have a big problem.” – said Skoudis – “What would you pay to turn your lights back on? What would you pay to turn your heat back on? Or your car – you want to drive your car to work today? You’re going to have to pay ransomware for that.”