With two US organisations paying over $1m to cyber extortionists in a week, maybe ransomware has finally found its feet in the cyber-crime directory of how to make lots of easy money.
When WannaCry hit the world in a blind attack that crippled corporates across the globe, it should have been a time to look at the likely logical extensions and permutations of that attack.
What WannaCry (and others) showed was that there were still many organisations worldwide, who did not apply basic security controls properly across their estate.
“Go back to your latest backups” is easy to say and actually very difficult to do.
What has gone unmentioned as part of these attacks is “How long would it take a large organisation, with good security hygiene, to recover from a targeted ransomware attack?”.
Time and effort
The time and effort required to go back through the backup cycle and recover >1,000 assets is significant. And this is just the beginning of the problem for an organisation that has been specifically targeted.
If you have different frequencies for your backups, just recovering your latest backup on every device will give you data integrity issues. Data recovered on one system may be a 2hrs old, and another devices’ backup data may be a day old. The two may not synchronise.
Can a human effectively figure out this jigsaw?
Backups are asset recovery systems. They assume that a single asset has expires in some way and requires recovery to whatever the latest state available. The data integrity issue is minimal because we know which assets have precedence. The ones that were not broken. The broken asset has ready-made references for data integrity from its neighbours. If something is not the same, we know where the error is.
Backup and recovery solutions do not assume that you will lose all of your data simultaneously across all of your assets. Even if you recover all of your assets, how can you check you still have data integrity?
Under such circumstances, you can see why it is tempting to pay the ransom. Even with fully tested backups, you still have the potential for data integrity issues as part of the recovery process.
It will never happen to us
There are many organisations who have felt safe behind their corporate firewall, knowing that they have outsourced any Internet related activity to some secure third party. They don’t need to worry about payment card transactions, or website vulnerabilities exposing customer data. They have hired help on that cyber front-line.
But this corporate still communicates with the outside world and is therefore vulnerable to anyone with the skill and patience to expose any cracks in the corporate network armour.
Historically, this corporate thought they had nothing of value to a cyber-criminal. No credit card data to steal means no-one would be interested in targeting them. Well that’s true to an extent. The problem is the cyber extortionists know that the data is worth a whole lot to that corporate. It is highly likely that they cannot function as a corporate without it. And that is all the cyber extortionists need to know when asking for the money.
A new wave of cyber threat
Remember all that risk assessment methodology stuff that says you need to identify your critical assets and protect them. Well, part of your critical assets are the processes you use to operate. These are all usually left in the un-sexy security pile of stuff that we will get around to eventually. Given the budget and the headcount.
A $500K ransom in bitcoin pays for some significant patience. It looks likely that these two events are connected in the US. But that does not mean that other vultures will not be drawn to the prey on offer. Once it can be shown that this is a lucrative business, many copycats will emerge with better tools, more skill and more patience.
Adding ransom payment options to your cyber incident plan
Adding ransomware payment options as part of your cyber incident plan makes a lot of sense. Paying a ransom or holding out is not purely a financial decision. It will always be cheaper to pay the ransom, because that is how ransoms work. They charge you less than the amount they think the data is worth to you. There are many other aspects that need to be considered.
What would it do to your brand and reputation if the ransom payment was made public?
It makes sense to prepare for the scenario, even if it doesn’t feel morally right. Being prepared doesn’t mean you have to take the action. Being prepared means that the board will have as much information as possible before they make a decision.
UPDATED: 7th July 2019: And maybe there are other considerations you need to make as a Director of IT before you make a decision to pay a ransom.