Earlier this year, Colonial Pipeline paid hackers USD4.4 million in ransom for a decryption tool that restored oil operations, despite FBI and Department of Homeland Security recommendations that companies avoid paying ransoms. The CEO later testified before the U.S. Congress that the debilitating impact on the country’s fuel supply drove the decision, but it remains a controversial solution.
It begs the question: What would your organization do if it was hit by a ransomware attack? Would — and should — you pay to get back data or restore systems?
Deciding whether to pay the ransom is a difficult decision and one that must be made carefully at the board level, not by security and risk leaders. Understanding what happens if you pay is key to making that decision.
What happens if you pay?
Theoretically, if organizations pay the ransom, the attackers will provide a decryption tool and withdraw the threat to publish stolen data. However, payment doesn’t guarantee all data will be restored. Executives need to carefully consider the realities of ransomware, including:
The realities of ransomware
Ransomware is a sustainable and lucrative business model for cybercriminals, and it puts every organization that uses technology at risk. In many cases, it is easier and cheaper to pay the ransom than to recover from backup. But supporting the attackers’ business model will only lead to more ransomware.
Law enforcement agencies recommend not paying, because doing so encourages continued criminal activity. In some cases, paying the ransom could even be illegal, because it provides funding for criminal activity.
We recommend engaging with a professional incident response team, law enforcement, and regulatory bodies before negotiating with attackers.
Organizations cannot 100% prevent ransomware attacks. The best thing you can do is assume you will be hit, and have plans in place that enable a quick response.
This includes running through exercises about what happens when an attack occurs. Doing so may reveal unexpected problem areas. For example, one organization found that it took much longer than anticipated to write a press release about an attack, highlighting the need for a pre-written statement.
It’s also important to strengthen backups and test restores on all critical business systems. Assuming the backups work, the cost of recovery will always be less than paying the ransom for an uncertain outcome.
Unfortunately, the first time most organizations test restore is after they’ve been hit by ransomware.
Furthermore, make sure executives are fully briefed on the topic and involved in decisions. The more they understand the risks, the better prepared they will be to make a decision and justify it in the face of scrutiny.
Treat ransomware as a business decision. If the problem is visible across the organization, there will be fewer surprises if you do get hit. This will smooth all actions in the response, including deciding whether or not you should pay.
The original article by Mark Harris, senior director analyst at Gartner, is here.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.