by Mark Rasch
It’s everyone’s nightmare scenario – the enterprise is hit by a major ransomware attack, and major systems are shut down, and critical data is inaccessible. What do you do? In general, companies facing this scenario have had to choose between two bad alternatives – PTFM or rebuild. PTFM – Pay The [Expletive Deleted] Money or spend time, energy, money and resources in attempting to reconstruct corrupted or inaccessible data, rebuild and revalidate systems or networks, and then re-secure the data to ensure (well try to ensure) that the enterprise is less vulnerable (or at least more resilient) when (and it IS a question of when) they are attacked again.
But is there a better alternative? Maybe.
Of course, the first and best response to ransomware is to not have to respond to it at all – that is, to take precautions against phishing, malware, social engineering and similar attacks that are frequently the vector by which ransomware attacks are propagated. Good luck with that. The problem is that the defender has to be close to 100 percent effective, while the attacker (particularly the opportunistic attacker) only has to be successful once. Moreover, for entities which have time sensitive or time critical data (trading floors, hospitals, municipalities) there is an impact cost to rebuilding data sets which may be more than the cost of paying the ransom. That’s one reason attackers target these kinds of entities. So prevention is a goal, and the best defense, but is not always effective – or at least not as effective as you might want.
The second “response” is to be resilient. Have data backed up and capable of ready (if not easy) restoration. Have alternative hardware systems, software, etc. to “ride out” the attack, rebuild as necessary and survive. That’s great, but again, not always practical as having additional backup data sets and hardware can be expensive, pose logistical problems, and may even create its own security vulnerabilities.
Third, of course is to PTFM. This too has costs. Not just the cost of the ransom itself. But fiat currency has to be converted to cryptocurrency, a wallet established and validated. Crypto currency may need to be tumbled. An escrow agent may need to be used. Communications channels may have to be opened with the attacker. Negotiations may ensue. The key provided may or may not work – or may or may not continue to work. There are legal, regulatory, opportunity and insurance costs associated with paying the ransom. And finally, there is the belief (whether justified or not) that paying the ransom makes an enterprise a target for future attacks. Some entities and municipalities have a hard and fast rule NEVER to pay ransom – even if it is the difference between a $5,000 ransom “loss” and a $20 million recovery cost. So there’s that.
Lock and Key
Remember that the basis of CryptoLocker ransomware attacks is a “lock.” The attacker uses some methodology to access a device or a network, and encrypt access to or the contents of that device or network. But attackers are – or can be – lazy. They may use the same or similar locks on multiple attacks. One potential way to recover from an attack is to simply brute force the lock – try every known key that has worked (or which has been purchased) for that specific “lock” and see if any of them (or modifications thereof) unlock the CryptoLocker. For this, you need access to a repository of known keys, and there are several of them used by security professionals.
Even if the keymaster approach doesn’t work, it’s important to know that threat actors, in addition to being lazy and greedy, are mostly human. Which means that they tend to re-use and repurpose code that has worked for others. Just like everyone else. Which means that malware in general and CryptoLocker malware, like any software, has vulnerabilities in style and execution. Which means it can be broken. Maybe.
Now one proven way for ransomware consultants to crack the code is, well, to not crack the code. In a well-publicized event last year, a company promised customers that it could “crack” the samsam ransomware for a fee. Pretty freakin Bueno, as the attack was costing customers millions. The company’s secret to cracking the code? They were paying the ransom and getting the keys from the attacker! Clever, no?
But diligent, persistent, and incisive security researchers may be able to crack CryptoLocker codes – at least some of the time. It ‘aint perfect… but it’s one more tool in your arsenal, together with education, training, awareness, data backup and recovery, incident response, and a well-timed prayer. Gotta keep all bases covered.
The Last but Not Least Significant Bit
While paying the ransom is an option, it’s one that you should consider only after exhausting all others.
One thought on “Should I Pay or Should I No? How To Respond to Ransomware”
I insist that being resilient is not that hard. Even more, if you are not and ransomware is a real danger for you it means you are doing A LOT of things terribly wrong on the operational level and the ransomware threat is not your only problem.