By Ryan Francis
Jan. 3, 2017
In what should be a last resort: pay the ransom. If the culprit actually provides the decryption key, then paying the ransom may alleviate the immediate pressure on the organization. Some attackers do release the system after receiving payment, because doing otherwise would reduce the likelihood that other victims will pay. If paying the ransom is seriously being debated, perform a quick Internet search on the type of ransomware holding your system; whether the criminals behind that ransomware are known to release data after receiving payment is likely to be reported online.
Security experts caution against this approach, though, as there is no guarantee that the perpetrator will release the data once the money is paid. Another worry is that once you pay the ransom, the cybercriminal could come back and do the same thing at a later date.
Some attackers recognize this trust problem. They recognize that if files are never unlocked, no victim will ever pay a ransom. As a result, variants such as CTBLocker (Trojan.Cryptolocker.G) have an option to decrypt a few random files as a gesture of good faith.
Another tack: if the ransom is low, say $300 for a multimillion-dollar organization, then it might make sense to adopt a hybrid approach. This could include simultaneous efforts to pay the ransom, to triage the system, and to attempt to restore from a backup server.
Organizations must weigh whether system downtime is more damaging than the consequences of paying the ransom. A hybrid approach ensures that the system will be operational within some amount of time, no matter what. To minimize the expended resources and the impact to the organization, hybrid solutions should only be attempted by a trained and prepared information security team.
The number of ransomware attack variations is limited only by the imagination and motivation of the attackers. A vigilant, cybersecurity-centric corporate culture that cultivates an environment of awareness is the most effective means to minimize the impact of an attack. If you do have an infosec team, its remit should cover: an immediate companywide vulnerability analysis, a crisis management strategy that takes into consideration all known threats, continuous device and application patching, auditing of third-party vendors and agreements, organizational penetration testing, and security-centric technological upgrades.