Hindsight is 20-20. The lessons covered in the previous blog posts related to the May WannaCrypt attack, The Lessons to Take From WannaCrypt and Other Ransonware Attacks, would have been nice. But now it’s too late and you’re dealing with the aftermath of a ransomware attack. Critical data is encrypted and despite all the best intentions and attempts, the backup, or lack thereof, isn’t going to help. Now what?
Do you pay?
Well, the answer becomes a simple business decision at that point. How much is the data worth to you? Frankly, even if backups exist would the cost of the time to recover exceed the ransom by an unreasonable order of magnitude?
While every security expert is quick to point out that there is no guarantee that the attacker will give your data back, let’s be honest – if word gets out that they don’t, then nobody is going to pay. And well, that’s just not good for the ransomware industry. Ransomware is big business. According to a report by Herjavec Group and Cybersecurity Ventures, Hackerpocalypse: A Cybercrime Revelation, the Ransomware business eclipsed a $1B industry in 2016. So, for the most part, in all the cases I’ve been involved in or heard about, the attackers will provide decryption keys once paid.
Remember: You don’t have to pay the posted price.
Like any other business transaction, there is an asking price, a selling price and a floor price. Remember any number greater than ZERO is a pay day for the attacker. They often will take less than the asking price, but they aren’t going to devalue their industry too far, either.
It’s also worth noting that, when negotiating, try your best not to tell them how big an organization you are, or how important your data is to you. Telling the attacker, “We’re a hospital and patients could die if we don’t get these systems up,” probably isn’t going to get you a discount. Saying that only offers more intelligence to the attacker about how critical the data is and, therefore, how valuable it is to you. However, stating, “This got a few of my pictures from my last vacation and some stuff I’d like but don’t really need,” is likely to move the price down.
You’re going to feel dirty negotiating with a criminal, but sometimes getting your data back quickly is worth it, especially when your customer service and security are on the line. If you do pay the hacker and recover data, the next step would be to immediately take a step back and evaluate the best way to begin running a best practices environment to avoid ransomware in the future.