This past week we saw an intensive ransomware attack on a global scale. Assume your organization was a victim of such an attack. Would you pay the ransom? Why or why not?
Ransomware has become more popular in recent years. The reason for this is the Dark-Net. Hacking as a service is now offered, and people can go on the Dark-Net and purchase malicious code and attack whoever they please without being sophisticated hackers. In this instance, it appeared that whoever was running the ransomware attacks targeted hospitals who did not keep their Windows machines up to date. Windows was aware of a vulnerability back in February, and released a patch for this vulnerability. Patching is the easiest way to prevent these kinds of attacks, and a WSUS server would allow for managed global system updating throughout an organization.
The data that was encrypted, its classification, and whether or not we have a back-up of the data would determine whether or not I would pay the ransom. If the data that was encrypted was irrelevant, I would remove all infected machines from the network to stop the ransomware from spreading, and re-image the machines. Also, if there was a back-up of the data available, I would follow the same procedure. If the data was not backed up and included confidential or classified data, I would recommend paying the ransom, and having every machine checked for updates, and applying all updates. I have seen similar instances in the past where California hospitals were hit with ransomware attacks multiple times a week. A better employee security awareness policy needs to be put in place, explaining that employees should not open e-mails from anyone they do not know or whose subject they do not recognize, etc.
A strange hack was the Google Docs hack from last week. You received what looked to be a legitimate e-mail from one of your contacts, stating that they had shared a doc with you. This was definitely a phishing e-mail that was easier to fall for.
Hello Shain, I would agree that patching is one of the critical preventative measures to take for this and other types of malware. Backups would also be critical to have in order to restore data that might be encrypted by ransomware. I would also add that offsite replicas of on-premises backups are important to have as part of a backup strategy, in order to recover from a complete disaster in case ransomware encrypts all “live” data as well as backup data within an organization.
Also, regarding paying the ransom, I believe there is a huge risk in doing so, as it is never guaranteed that the decryption key would be provided. Actually, it might be worse if, after paying the first ransom, there were another demand to pay more in order to fully decrypt all files versus partially.
I think that in the modern threat landscape, companies and even home users should always stay proactive in terms of protecting valuable assets. Backups (onsite/offsite), anti-malware software and OS/hardware firmware patching are minimum controls. More advanced controls would include access controls, logical network segregation using VLANs, firewalls, and network/host-based IDS/IPS systems.
High-end advanced threat detection and mitigation client-server endpoint software such as Carbon Black would also be very beneficial to have, in order to react to ANY abnormality, even zero-day attacks, and prevent any execution unless whitelisted by the server and/or approved by an administrator.
I agree with you and Ruslan that up-to-date patching is the easiest way to protect organizations. But there are many steps that should be performed regularly to prevent ransomware. For example, regularly update anti-virus and anti-malware systems, mitigate risk exposure with data backup systems, confirm critical systems are not unnecessarily connected to or accessible from the internet, etc.
I agree with you all that patching is one of the most critical steps in protecting against ransomware and other threats, so why don’t all businesses do it automatically?
Good point! All organizations should encourage automatic patching for every computer. Also, using anti-virus software that is updated automatically is critical as well. That should be a good start to protecting computer information. But for cell phones, should they all install security applications? The hard part is to control personal devices used in the workplace. So I think training employees to improve security awareness of personal devices is important, and if the company has enough budget, they should purchase security applications that can be used on phones by employees too.
I have similar automated patch update functions incorporated in an anti-virus software, “360 Anquanweishi” (i.e. safeguard), but I am not quite sure why companies do not use automated patch management to keep their operating systems updated. One reason I can think of is that they do not find the incentive to do that, or give way to more value-added tasks in security domains.
One solution to enforce patch management, with or without an automated tool, is to add the responsibility of reporting the status of patch management periodically to security employees, with review by security management. Periodic reports (at least weekly) of current patch installation versus standardized or industry baselines must be sent at a specified time and will not be signed off until all patches are installed!
It is difficult for many organizations to manage every computer on their network now because of BYOD. BYOD is a trend that is growing in the tech field, and when employees use their own personal device as their work device, it makes it harder for organizations to manage.
I believe many organizations do have policies that require or encourage their employees to automatically update their systems, but many employees turn off the automatic updates and/or refuse to install updates when they pop up due to many reasons, such as too much down time, or slowdown of computers’ processing speed. This is probably because organizations do not enforce their policy. Therefore, I think employee security education is very important for policy enforcement. Employees should be aware of the consequences of their behaviors and what they should or should not do to protect their data. Another possible solution is to set up a group policy to turn on the automatic updates for all computers on the organization’s network through a hypervisor.
I myself usually close the pop-up windows of update alerts, even if it is for my own computer. That said, it sounds understandable why patch engagement eventually fails in the organization. Maybe mandatory procedures applicable to all end-point devices should be initiated by the console center,
Step one is awareness of the importance of regular patching. Even assuming an organization is aware of the importance and has a policy in place to mandate it, there are other reasons why it might not happen in a timely manner.
In my experience, IT organizations are sometimes reluctant (or simply slow) to patch mission critical systems. They want to make sure the patches will not impact their daily operations. For example, a new version of a widely used software library could introduce a bug that breaks the code that sends credit card transactions to a payment processor. Literally overnight, the business can no longer accept credit cards. This in turn may make the business stakeholders averse to future patching.
One solution is to have a clearly defined process for vetting patches on staging systems, prior to their installation in your production environment. What this process looks like will vary, depending on the application.
Since last Friday, the “WannaCry” ransomware attack has infected over two hundred thousand computers and ten thousand organizations across 150 countries in only four days by now. Most of the affected targets were computers with out-of-date software or systems on the networks of large organizations or institutions. Personal computers on home networks were less affected. The cybercriminals demanded the equivalent of around $300 in bitcoin to release the encrypted data, and only about $50,000 has been paid so far.
For either organizations or individuals, I recommend not paying the ransom, because there is no guarantee that the cybercriminals will release the encrypted data and that access to your files can be restored. Cybercriminals are not trustworthy people; never trust them. They usually just leave you there after they get the ransom. Paying the ransom will only encourage them to raise the ransom or conduct new attacks.
For the affected computers, there is still no effective solution. Data recovery software may be used to recover some data, but it’s not certain how much can be restored. Affected organizations should isolate affected computers as soon as possible to prevent further spread of the ransomware over their network. For those computers not affected yet, there are still things to do to defend them. Microsoft has issued a patch to fix the vulnerability that allowed the ransomware to spread on the network. Organizations should do the following things as soon as possible: pull the plug on all unaffected computers; isolate all affected computers; install the patch and update their systems and software; close ports 135/137/138/139/445 for all unaffected computers; and back up important data and files to a secure place, such as hard disks, the cloud, or a backup data center. WannaCry is not over yet and we don’t know when it will be over. This attack was an alert to everyone, and organizations should have learnt lessons from it. Organizations should have an information security architecture, a disaster recovery plan (DRP), and a business continuity plan.
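The containment steps in the post above (block the listed ports on unaffected Windows hosts, then confirm the patch is installed), as an added PowerShell example that is not part of the original discussion; the rule names and the KB placeholder are assumptions, since the post does not name the update.

```powershell
# Added example, not from the original discussion: apply the containment steps from the
# post above on an unaffected Windows host, then verify them. Assumes an elevated PowerShell
# session on Windows 8.1/Server 2012 R2 or later (NetSecurity module available).

# Ports named in the post: 135/139/445 are TCP (RPC endpoint mapper, NetBIOS session, SMB),
# 137/138 are UDP (NetBIOS name and datagram services).
$blockList = @(
    @{ Protocol = 'TCP'; Ports = @(135, 139, 445) },
    @{ Protocol = 'UDP'; Ports = @(137, 138) }
)

foreach ($entry in $blockList) {
    # Rule name is an assumption; any unique name works.
    $name = "Ransomware containment - block inbound $($entry.Protocol) $($entry.Ports -join '/')"
    # Idempotent: do not create a second copy of the rule on repeated runs.
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Action Block `
            -Protocol $entry.Protocol -LocalPort $entry.Ports -Profile Any -Enabled True | Out-Null
    }
}

# Verification: show every containment rule with the ports it actually covers.
Get-NetFirewallRule -DisplayName 'Ransomware containment - *' | ForEach-Object {
    $filter = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Protocol = $filter.Protocol
        Ports    = ($filter.LocalPort -join ',')
        Enabled  = $_.Enabled
        Action   = $_.Action
    }
} | Format-Table -AutoSize

# Patch check: the post does not name the Microsoft update, so the KB number below is a
# placeholder to be replaced with the one from Microsoft's advisory for your Windows version.
$requiredKb = 'KB-PLACEHOLDER'
if (Get-HotFix -Id $requiredKb -ErrorAction SilentlyContinue) {
    Write-Output "$requiredKb is installed."
} else {
    Write-Output "$requiredKb is NOT installed; patch before reconnecting this host to the network."
}
```

Blocking inbound 445 also stops legitimate file and printer sharing to the host, so this is a containment measure for the incident window rather than a permanent server configuration.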
Hi Mengqi, it would really be interesting to know when the “WannaCry” ransomware is going to stop spreading. At least, it has been slowed down by one security researcher named Marcus Hutchins, who analyzed the ransomware code and revealed an encoded reference to a domain name that was used for tracking the spread of WannaCry. Once the domain name was registered, the spread slowed down due to redirecting the spread to other domain servers that actually stop the spread. However, in this case, it has not been fully stopped, but just slowed down, because this ransomware will keep trying to check its own hardcoded domain.
So, at this point, perhaps the real solution is to patch systems as soon as possible to prevent this attack.
Ruslan, you are right. The spread of WannaCry was indeed slowed down through activating the “kill switch” in the malware by accident, but this is not over. The attackers will soon realize what happened and change the code to resume the attack. This malware was originally designed as a cyber weapon by the National Security Agency (NSA), but it was stolen and published online by a group called the Shadow Brokers. Therefore, I don’t think it’s easy to figure out a remediation plan for the malware. Encrypted data probably never comes back. The only thing we can and should do for uninfected computers is to patch, update, and back up important data asap.
As you all might have heard, the recent ransomware attack known as “WannaCry” that triggered on Friday was spreading at a global scale, affecting thousands of computers around the world and negatively impacting public services such as healthcare, transportation and others.
This type of ransomware is a new variant which exploited a Windows vulnerability, prompting users that their important files had been encrypted, followed by a demand to pay a ransom in order to decrypt the files. Most importantly, the payment would have to be made using Bitcoin so that payments are not tracked down to a receiver.
Luckily, our organization was not a victim of this attack; however, our security team has taken immediate action to patch all Windows systems. Keeping Windows Updates up to date is critical to avoid these types of attacks. Had our organization been infected with “WannaCry”, we would not have paid a penny! First of all, never pay ransom to criminals! Second, if a ransom was paid, there would have been a demand for more! Moreover, since a ransom in this case would need to be paid via Bitcoin, the payment destination would not be traceable. So, never pay ransom!
There is no doubt that one should not fall prey to paying a ransom. There have been a lot of cases reported in the past where the data was not recovered even after payment. Thus a ransom doesn’t ensure 100% that data will be received back. A lot of earlier studies do reveal that less than 4% of people usually land up paying the ransom in such cases, but over the last few years this number has risen to up to 50%.
So organizations which do not have a backup of critical data, and run the risk of losing data if they try different decryption techniques, now usually risk paying up the ransom amount. https://www.gizmodo.com.au/2017/05/hackers-behind-massive-ransomware-attack-have-made-an-embarrassingly-small-amount-of-money/
I am also interested in whether victims do get their data back after paying the ransom. Here is what I found; I cite situation 1, which applies to most cases:
“You don’t get your data despite paying the ransom
Several victims have claimed that they have been unable to access their files despite paying the full amount. Europol, White House, police agencies and cybersecurity experts have all strongly recommended users to not pay the ransom amount.
Tom Bossert, assistant to the US president for homeland security and counterterrorism, has said that less than $70,000 has been paid to the hackers, and that he was not aware of any payments that led to data recovery. Security researchers, however, have said there have been some recoveries.
In case you have paid the ransom and still do not have access to your files, it is highly advisable that you do not make a second attempt to pay the ransom. It is possible that the hackers may release the data after some days of the payment, but no such indication has come forward so far.”
In short, always keep your OS updated to stay safe from the attacks.
Hi Ruslan,
I agree that never paying the ransom is generally the best option, but in a small organization without a large IT budget, how critical the data is and whether or not they have a backup of the data could factor into whether or not they pay. I was reading an article that almost 80% of small businesses fail after suffering a data breach or ransomware attack. Going with what Vaibhav stated, I have also read in the past that even after a ransom payment was made, they were still unable to recover their data. Also, keeping Windows systems’ patching up to date is critical. Windows generally finds these vulnerabilities before a hacker can exploit them and releases updates to prevent future attacks.
Ransomware is a sophisticated type of malware that locks or encrypts computer files, making them inaccessible to users. Cyber criminals then demand users pay a ransom to regain access to the data. The identity of the hackers remains anonymous, as the money demanded to return the data is in the form of bitcoins. Because ransomware does not require administrative credentials to run, it is more difficult to control than other types of malware.
WannaCry is also a type of ransomware computer worm targeting the Microsoft Windows operating system; it recently affected more than 150 countries in a large-scale attack on 12th May 2017.
I think the type of data could be important in judging whether to pay or not pay the ransom. The money demanded as ransom should not exceed the costs associated with data loss. Before paying the ransom, the organization should try the best available decrypter tools in the market to get back the data. Paying the ransom should be the last step in the process of getting back the data.
I do agree that payment should be the last resort, but even with that, there is no guarantee that the attacker would give the company the decryption key. I liked how you used cost of ransom vs. value of data to help make the determination of whether the ransom should be paid, but once again companies are at the will of the attacker. I don’t think there is a good answer when dealing with data that is infected by ransomware. The best thing that a company could do is to ensure they have preventative controls in place: remote backups, IDS/IPS, system logs, training, etc.
I agree that organizations who are victims of ransomware should not pay for it, because they are not sure if they can get the full data back even if they pay. If the security department has done its job, but it still happens, it can still lower the damage to the organization. The best way to counter ransomware is to protect yourself before it happens. Once it happens, unless your security expert can decrypt the data, the organization is very passive. But paying the criminals should be the last step they take.
In the event the company I was working for was affected by ransomware and I was in the position to decide whether or not to pay to get the data back, my decision would depend on the nature of business we perform as a company and our security strategy. I would first work with our Security Operations/IT teams to determine how long systems had been infected. If the systems had been infected for longer than we had been capturing backups of the environment, the decision to pay the attackers the ransom would lean towards “yes”. If we had full backups that we determined to be clean, the decision would lean towards “no”. Again, this all hinges on what type of business we are conducting. Say, for example, we were a healthcare organization like one of the institutions affected last week; I would seriously consider paying the ransom to get patient healthcare records back. If we were a digital marketing company, I would likely not pay the ransom. Ultimately, however, no matter the type of business or data, there is no guarantee the attackers will release your data, nor is there a guarantee they did not leave a back door open to get back in. With this in mind, I would rather take the loss than take the loss plus the cost of attempting to get my data back.
Ryan,
You made some great points here. Organizations really need to think whether or not they’ll be able to recover the data that is encrypted. It also depends on the organization. If a hospital is infected with ransomware, and a patient’s life is on the line because they need a medical record of what medicine a patient can and cannot have, an organization may be more tempted to pay. Also, I agree that there is no guarantee that your data will be released if you pay the ransom.
Great analysis, Ryan. I agree that whether to pay the ransom depends on what kind of affected organization you were in and what kind of data was encrypted. In this case, patients’ personal information in healthcare organizations should be regarded as extremely important data that should be recovered as soon as possible. This was not all about data; this was more about people’s lives. Patients cannot get treatment as long as those healthcare organizations don’t get their healthcare records back. However, I also agree that organizations should understand that there was no guarantee that the cybercriminals would decrypt the data even if they got the ransom. Never trust criminals, especially in such a large-scale attack. Paying a ransom was like gambling, with the control in the cybercriminals’ hands. For me, I would prefer to put the money on recovering systems and data with the help of external IT experts.
Ransomware first started 27 years ago. In 1989, the first ransomware virus was used by a Harvard Ph.D. biologist named Joseph L. Popp. He sent about 20,000 disks to health researchers around the world under the pretext of a survey about the risk of contracting AIDS. The disks contained a virus that locked the computer after several reboots, and users got a printout telling them to pay $189 to a P.O. box in Panama in exchange for a decryption key.
The FBI was able to track Popp, who lived in Ohio with his parents, and it turned out that he was an eccentric, mentally unfit for trial. His motive was not money but some anger towards WHO, the World Health Organization, which is based in Geneva, Switzerland.
The virus was ineffective and free decryption software was shortly made available for the victims.
Today ransomware is nearly a billion-dollar-a-year business. IBM said 40% of victims are willing to pay more than $100 to get data back.
Joseph,
That is a very interesting article you posted. That is interesting that ransomware can be traced back to 1989. If my personal computer were to be infected with ransomware, I don’t think I’d be willing to pay any amount of money to get the data back. I would just format the hard drive and start out with a fresh operating system. I generally keep backups of my most important files, either through e-mail or on USB. 40% willing to pay more than $100 is higher than I expected. This goes to show how many people only have their critical files in one location without backups.
I think the question of whether to pay or not to pay ransomware is interesting. I think there are two attitudes toward paying ransomware. The first one is never to pay it, because they won’t give you the full decryption; organizations will need to pay several times to fully get data back. The second attitude depends on what the data is, whether organizations have backup data, etc.
There are some interesting statistics related to the question. According to CNN, $209 million was paid to ransomware criminals in Q1 2016. The average ransom demand is now $679. The news didn’t mention how much the attackers were demanding, but since many hospitals experienced disruption and ambulances were diverted, I believe the amount of the ransom will be high. Prior to an attack, 4 out of 5 organizations are confident backup can provide them with complete recovery. However, less than half of ransomware victims fully recover their data, even with backup. Only 5 percent ever consider paying the ransom an option, which means 95% of people or organizations don’t consider paying at all. The reason is that paying does not always result in getting their data back; criminals don’t always follow through with their promises to decrypt the data. Therefore, the answer to the question is not to pay the ransom unless you must.
Ransomware is growing rapidly: 600% growth in new ransomware families since December 2015. The good news is we can take actions to protect organizations from ransomware. Although there is no one method or tool that will completely protect you or your organization from a ransomware attack, contingency and remediation planning is crucial to business recovery and continuity, and these plans should be tested regularly.
As many have already mentioned, ransomware is pervasive and can lock users out of critical data unless a payment is made to the attacker in exchange for a decryption key, usually in the form of bitcoins. Bitcoin is an electronic currency that makes it impossible to track the source and destination of payments. Any organization infected by ransomware is faced with the decision of whether they should pay to decrypt their data.
If my organization was infected by ransomware, I think the determination would be made based on what was affected, whether there is an uninfected back-up, whether eradication is possible, and how long it would take to recover. The prudent thing to do would be to pay and hope that the criminal keeps his word in providing the decryption. Another problem will still exist if the malware is persistent and continues to encrypt files after the ransom is paid. Lastly, the organization must identify how the malware got into the network in the first place, which requires system and network logs. If you can’t identify how it happened, then you are at risk of being exposed to ransomware again.
Loi, good points. Especially where you mentioned how it’s tough, if not impossible, to trust the criminal who infected your systems to decrypt after payment is received. If an organization is in fact putting that trust in the attacker, they should definitely reconsider. The only way this should be considered is if the organization determines that they do not have an uncompromised backup of the data, that there is no way to remediate, and that the data itself is mission-critical and cannot be lost.
I do not support paying a ransom, for the following reasons:
Firstly, paying a ransom does not guarantee an organization that it will get its data back. There are many cases where organizations never got a decryption key after having paid the ransom.
Secondly, paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.
Finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.
If my organization fell victim to a ransomware attack, whether or not I would pay the ransom would be determined by a couple of different factors. First and foremost, it would be important to assess how much value the compromised data has to the organization. If it’s mission critical, I need to take that into consideration. If it’s of no or little value, we can start moving forward with remediation and learning how our systems were compromised. Second, whether the data is of value or not, do we have an uncompromised backup of the data? Having an uncompromised backup would be the best-case scenario. If this is in fact the case, resources can then be focused on analyzing how the systems were breached.
As people have already mentioned, I think there are a lot of factors that would have to be considered before I’m in a position to say if I would pay the ransom or not. I would start with how critical the data is to the organization. If it is something that is widely available or can be recreated without impacting the business, I would be less likely to pay the ransom (there have also been groups that are dedicated to getting these encryption algorithms posted online to help victim organizations). However, there are always going to be worst-case scenarios where there is data that ultimately has to be recovered or it can jeopardize the business going forward. I think in this case you have to look at the possibility of paying the ransom. The best-case scenario is that the cost is lower compared to the alternative cost of losing that data. Even after paying the ransom, I would be concerned with additional things, such as: are they really going to release the data or ask for more money? Are they going to continue to target the organization due to the fact that they did pay? No matter how you look at it, this is a difficult decision with several high-stakes decisions to make rather quickly.
Under most circumstances, I would recommend against paying the ransom. It will only encourage other attackers to come after your organization with ransomware. Furthermore, there’s no guarantee that the attacker will actually decrypt your data after receiving the ransom.
The only circumstances in which I would consider paying would be if an uncompromised copy of the data could not be recovered from a backup and/or if so much data was compromised that it would take an unacceptable amount of time to restore normal operations. Even then, depending on the importance of the data, it may still be a better option to accept its loss.
Very good point that paying a ransom will instigate other attackers to come after your company. Yet the data, and how sensitive it is, may entice a company to pay the ransom. Hence, even if the data was backed up, the data is of a confidential nature. But I do agree with your point about the time it may take to restore data.
There are very few scenarios where I would pay a ransom. In most cases, the data that is inaccessible as a result of the attack should be backed up. If this is the case, then there’s no need to pay the ransom because the company can restore a new copy of the data from a backup. However, if the data was stored and contaminated in a short time frame and no backup was made, then I might be willing to pay the ransom. In this scenario, I would have to consider the business value of the data, the dollar amount of the demanded ransom, and the potential repercussions of paying the ransom (hackers would be less likely to target a company with ransomware if that company had a reputation of not paying the ransoms, and vice versa). If the value of the data exceeds the associated costs, then I would pay the ransom.
Paying a ransom is all about how you value the information stolen. Also, how sensitive is the data? The data may be backed up, yet the data stolen may be so sensitive that no one outside the company should know what is on it. That is a decision management needs to make, and whether the business can swallow the costs of paying a high ransom request.
Regardless of the ransom, the company needs to focus on how their network/systems were breached. If the data was backed up, it may take time to restore, but that is time. Time is now compared against the value of the data taken, since the time to recover the data may halt business operations. Either way, the company needs to move forward with patching, backups, and regular updates and scans.
Shain R. Amzovski says
Ransomware has become more popular in recent years. The reason for this is because of the Dark-Net. Hacking as a service is now offered and people can go on the Dark-net and purchase malicious code and attack whoever they please without being a sophisticated hacker. In this instance, it appeared whoever was running the ransomware attacks targeted hospitals who did not keep their Windows machines up to date. Windows was aware of a vulnerability back in February, and released a patch for this vulnerability. Patching is the easiest way to prevent these kind of attacks, and a WSUS server would allow for managed global system updating throughout an organization.
Depending on the data that was encrypted, and depending of the classification, and whether or not we have a back-up of the data would determine whether or not I would pay the ransom. If the data that was encrypted was irrelevant, I would remove all infected machines from the network to stop the ransomware from spreading, and re-image the machines. Also, if there was a back-up of the data available, I would follow the same procedure. If the data was not backed up and included confidential, or classified data, I would recommend paying the ransom, and have every machine checked for updates, and apply all updates. I have seen similar instances in the past where California hospitals were hit with ransomware attacks multiple times a week. A better employee security awareness policy needs to be put in place, explaining that employees should not open e-mails from anyone they do not know, or recognize the subject, etc.
A strange hack was the Google Docs hack from last week. You received what looked to be a legitmate e-mail from one of your contacts, stating that they shared a doc with you. This was definitely a phishing e-mail that was easier to fall for.
Ruslan Yakush says
Hello Shain, I would agree that patching is one of the critical preventative measures to take for this and other types of malware. Backups would also be critical to have in order to restore data that might be encrypted by ransomware. I would also add that an offsite replica of on-premise backups is important to have as part of a backup strategy in order to recover from a complete disaster in case ransomware encrypts all “live” data as well as backup data within an organization.
Also, regarding paying the ransom, I believe there is a huge risk in doing so, as there is never a guarantee that the decryption key will be provided. Actually, it might be worse: after paying the first ransom, there could be another demand to pay more in order to fully decrypt all files rather than only some of them.
I think that in the modern threat landscape, companies and even home users should always stay proactive in protecting valuable assets. Backups (onsite/offsite), anti-malware software, and OS/hardware firmware patching are minimum controls. More advanced controls would include access controls, logical network segregation using VLANs, firewalls, and network/host-based IDS/IPS systems.
Another high-end advanced threat detection and mitigation client-server endpoint product such as CarbonBlack would be very beneficial in order to react to ANY abnormality, even zero-day attacks, and prevent any execution unless whitelisted by the server and/or approved by an administrator.
Mengxue Ni says
Shain, great post!
I agree with you and Ruslan that keeping patches up to date is the easiest way to protect organizations. But there are many steps that should be performed regularly to prevent ransomware. For example, regularly update anti-virus and anti-malware systems, mitigate risk exposure with data backup systems, confirm critical systems are not unnecessarily connected to or accessible from the internet, etc.
Deval Shah says
I agree with you all that patching is one of the most critical steps in protecting against ransomware and other threats, so why don’t all businesses do it automatically?
Mengxue Ni says
Good point! All organizations should encourage automatic patching for every computer. Also, using anti-virus software that updates automatically is critical as well. That should be a good start to protecting computer information. But for cell phones, should they all have security applications installed? The hard part is controlling personal devices used in the workplace. So I think training employees to improve security awareness for personal devices is important; if a company has enough budget, it should purchase security applications for employees’ phones too.
Zhengshu Wu says
I have similar automated patch update functions incorporated in an anti-virus software, “360 Anquanweishi” (i.e., safeguard), but I am not quite sure why companies do not use automated patch management to keep their operating systems updated. One reason I can think of is that they do not find the incentive to do so, or give way to more value-added tasks in security domains.
One solution to enforce patch management, with or without an automated tool, is to add the responsibility of reporting the status of patch management periodically to security employees, with review by security management. Periodic reports (at least weekly) of current patch installation versus standardized or industry baselines must be sent at specified times and will not be signed off until all patches are installed!
Shain R. Amzovski says
It is difficult for many organizations to manage every computer on their network now because of BYOD. BYOD is a growing trend in the tech field, and when employees use their own personal devices as their work devices, it makes it harder for organizations to manage them.
Mengqi He says
I believe many organizations do have policies that require or encourage their employees to automatically update their systems, but many employees turn off automatic updates or refuse to install updates when they pop up, for many reasons, such as too much downtime or a slowdown of the computer’s processing speed. This is probably because organizations do not enforce their policy. Therefore, I think employee security education is very important for policy enforcement. Employees should be aware of the consequences of their behavior and what they should or should not do to protect their data. Another possible solution is to set up a group policy to turn on automatic updates for all computers on the organization’s network through a hypervisor.
Zhengshu Wu says
Mengqi,
I myself usually close the pop-up windows of update alerts, even for my own computer. That said, it sounds understandable why patch engagement eventually fails in an organization. Maybe mandatory procedures applicable to all endpoint devices should be initiated by the console center.
Josh Zenker says
Step one is awareness of the importance of regular patching. Even assuming an organization is aware of the importance and has a policy in place to mandate it, there are other reasons why it might not happen in a timely manner.
In my experience, IT organizations are sometimes reluctant (or simply slow) to patch mission critical systems. They want to make sure the patches will not impact their daily operations. For example, a new version of a widely used software library could introduce a bug that breaks the code that sends credit card transactions to a payment processor. Literally overnight, the business can no longer accept credit cards. This in turn may make the business stakeholders averse to future patching.
One solution is to have a clearly defined process for vetting patches on staging systems, prior to their installation in your production environment. What this process looks like will vary, depending on the application.
Mengqi He says
Since last Friday, the “WannaCry” ransomware attack has infected over two hundred thousand computers and ten thousand organizations across 150 countries in only four days by now. Most affected targets are computers with out-of-date software or systems on the networks of large organizations or institutions. Personal computers on home networks were less affected. The cybercriminals demanded the equivalent of around $300 in bitcoin to release the encrypted data, and only about $50,000 has been paid so far.
For either organizations or individuals, I recommend not paying the ransom because there is no guarantee that the cybercriminals will release the encrypted data and that access to your files can be restored. Cybercriminals are not trustworthy people; never trust them. They usually just leave you there after they get the ransom. Paying the ransom will only encourage them to raise the ransom or conduct new attacks.
For affected computers, there is still no effective solution. Data recovery software may be used to recover some data, but it’s not certain how much can be restored. Affected organizations should isolate affected computers as soon as possible to prevent further spread of the ransomware over their network. For computers not affected yet, there is still something to do to defend them. Microsoft has issued a patch to fix the vulnerability that allowed the ransomware to spread on the network. Organizations should do the following things as soon as possible: pull the plug on all unaffected computers; isolate all affected computers; install the patch and update their systems and software; close ports 135/137/138/139/445 for all unaffected computers; and back up important data and files to a secure place, such as hard disks, the cloud, or a backup data center. WannaCry is not over yet, and we don’t know when it will be over. This attack was an alert to everyone, and organizations should have learned lessons from it. Organizations should have an information security architecture, a disaster recovery plan (DRP), and a business continuity plan.
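The "close ports 135/137/138/139/445 on unaffected computers" step from the post above, as an added example that is not part of this thread: a PowerShell script that creates Windows Firewall block rules for those inbound ports, verifies the rules cover every port, and reports whether the Windows patch is installed. It assumes an elevated session on Windows 8 / Server 2012 or later (where the NetSecurity cmdlets exist); the KB identifier is a placeholder to be replaced with the organization's own patch reference.

```powershell
# Added example, not from the thread. Interim containment for an UNAFFECTED host:
# block the SMB/NetBIOS ports named in the post at the Windows Firewall, then
# check whether the vendor patch is present. This complements patching; it does
# not replace it. Note: blocking 445 inbound stops this host from serving file
# shares, so apply it to workstations, not to file servers that must stay reachable.
$Ports    = 135, 137, 138, 139, 445          # ports listed in the post above
$BaseName = "Containment-Block-Inbound-SMB-NetBIOS"
$PatchKB  = "KB-PLACEHOLDER"                 # placeholder: replace with the real KB id

function Set-ContainmentRules {
    # One rule per transport: NetBIOS name/datagram services (137/138) use UDP,
    # the remaining ports use TCP. Blocking all listed ports for both transports
    # keeps the rule set small and easy to remove once the host is patched.
    foreach ($proto in "TCP", "UDP") {
        $name = "$BaseName-$proto"
        if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol $proto `
                -LocalPort $Ports -Action Block -Profile Any -Enabled True | Out-Null
            Write-Host "Created firewall rule: $name"
        } else {
            Write-Host "Firewall rule already present: $name"
        }
    }
}

function Test-ContainmentRules {
    # Verify each rule exists, is enabled, blocks, and covers every listed port.
    $ok = $true
    foreach ($proto in "TCP", "UDP") {
        $rule = Get-NetFirewallRule -DisplayName "$BaseName-$proto" -ErrorAction SilentlyContinue
        if (-not $rule -or $rule.Enabled -ne "True" -or $rule.Action -ne "Block") {
            Write-Warning "Rule $BaseName-$proto is missing, disabled, or not a block rule"
            $ok = $false
            continue
        }
        $covered = ($rule | Get-NetFirewallPortFilter).LocalPort   # strings, e.g. "445"
        $missing = $Ports | Where-Object { "$_" -notin $covered }
        if ($missing) {
            Write-Warning "Rule $BaseName-$proto does not cover ports: $($missing -join ', ')"
            $ok = $false
        }
    }
    return $ok
}

function Test-PatchInstalled {
    # Get-HotFix enumerates installed updates; no match means the host still needs patching.
    $hotfix = Get-HotFix -Id $PatchKB -ErrorAction SilentlyContinue
    return [bool]$hotfix
}

Set-ContainmentRules
[PSCustomObject]@{
    Host           = $env:COMPUTERNAME
    BlockRulesOk   = Test-ContainmentRules
    PatchInstalled = Test-PatchInstalled
    Checked        = (Get-Date).ToString("s")
}
```

Once the patch shows as installed, the two rules can be removed with Remove-NetFirewallRule by their display names so that normal file sharing resumes.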
Ruslan Yakush says
Hi Mengqi, it would really be interesting to know when the ransomware “WannaCry” is going to stop spreading. At least, it has been slowed down by one security researcher named Marcus Hutchins, who analyzed the ransomware code and revealed an encoded reference to a domain name that was used for tracking the spread of WannaCry. Once the domain name was registered, the spread slowed down due to redirecting the spread to other domain servers that actually stop the spread. However, in this case, it has not been fully stopped, but just slowed down, because this ransomware will keep trying to check its own hardcoded domain.
So, at this point, perhaps the real solution is to patch systems as soon as possible to prevent this attack.
Mengqi He says
Ruslan, you are right. The spread of WannaCry was indeed slowed down by activating the “kill switch” in the malware by accident, but this is not over. The attackers will soon realize what happened and change the code to resume the attack. This malware was originally designed as a cyber weapon by the National Security Agency (NSA), but it was stolen and published online by a group called the Shadow Brokers. Therefore, I don’t think it’s easy to figure out a remediation plan for the malware. Encrypted data probably never comes back. The only thing we can and should do for uninfected computers is to patch, update, and back up important data ASAP.
Ruslan Yakush says
As you all might have heard, the recent ransomware attack known as “WannaCry” that was triggered on Friday was spreading on a global scale, affecting thousands of computers around the world and negatively impacting public services such as healthcare, transportation and others.
This type of ransomware is a new variant which exploited a Windows vulnerability, prompting users that their important files had been encrypted, followed by a demand to pay a ransom in order to decrypt the files. Most importantly, the payment would have to be made using Bitcoins so that payments are not tracked down to a receiver.
Luckily, our organization was not a victim of this attack; however, our security team has taken immediate action to patch all Windows systems. Keeping Windows updates up to date is critical to avoid these types of attacks. Had our organization been infected with “WannaCry”, we would not have paid a penny! First of all, never pay ransom to criminals! Second, if a ransom was paid, there would have been a demand for more! Moreover, since a ransom in this case would need to be paid via Bitcoins, the payment destination would not be traceable. So, never pay ransom!
Vaibhav Shukla says
There is no doubt that one should not fall prey to paying the ransom. There have been a lot of cases reported in the past where the data was not recovered even after payment. Thus the ransom doesn’t ensure 100% that data will be received back. A lot of earlier studies reveal that less than 4% of people usually end up paying the ransom in such cases, but in the last few years this number has risen to up to 50%.
So organizations which do not have a backup of critical data, and which risk losing data if they try different decryption techniques, now usually risk paying the ransom amount.
https://www.gizmodo.com.au/2017/05/hackers-behind-massive-ransomware-attack-have-made-an-embarrassingly-small-amount-of-money/
Zhengshu Wu says
Ruslan, I agree with you on never paying.
I am also interested in whether victims do get their data back after paying the ransom. Here is what I found; I cite situation 1, which applies to most cases:
“You don’t get your data despite paying the ransom
Several victims have claimed that they have been unable to access their files despite paying the full amount. Europol, White House, police agencies and cybersecurity experts have all strongly recommended users to not pay the ransom amount.
Tom Bossert, assistant to the US president for homeland security and counterterrorism, has said that less than $70,000 has been paid to the hackers, and that he was not aware of any payments that led to data recovery. Security researchers, however, have said there have been some recoveries.
In case you have paid the ransom and still do not have access to your files, it is highly advisable that you do not make a second attempt to pay the ransom. It is possible that the hackers may release the data after some days of the payment, but no such indication has come forward so far.”
In short, always keep your OS updated to stay safe from attacks.
Sources: http://www.ibtimes.co.uk/wannacry-what-happens-when-you-pay-ransom-1621757
Shain R. Amzovski says
Hi Ruslan,
I agree that never paying the ransom is generally the best option, but in a small organization without a large IT budget, how critical the data is and whether or not they have a backup of the data could factor into whether or not they pay. I was reading an article that said almost 80% of small businesses fail after suffering a data breach or ransomware attack. Going with what Vaibhav stated, I have also read in the past that even after a ransom payment was made, victims were still unable to recover their data. Also, keeping Windows systems’ patching up to date is critical. Windows generally finds these vulnerabilities before a hacker can exploit them and releases updates to prevent future attacks.
Vaibhav Shukla says
Ransomware is a sophisticated type of malware that locks or encrypts computer files, making them inaccessible to users. Cyber criminals then demand that users pay a ransom to regain access to the data. The identity of the hackers remains anonymous, as the money demanded to return the data is in the form of bitcoins. Because ransomware does not require administrative credentials to run, it is more difficult to control than other types of malware.
WannaCry is also a type of ransomware computer worm targeting the Microsoft Windows operating system, and it affected more than 150 countries recently in a large-scale attack on 12 May 2017.
I think the type of data could be important in judging whether to pay or not pay the ransom. The money demanded as ransom should not exceed the costs associated with data loss. Before paying the ransom, the organization should try the best available decrypter tools in the market to get back the data. Paying the ransom should be the last step in the process of getting back the data.
Loi Van Tran says
Vaibhav,
I do agree that payment should be the last resort, but even with that, there is no guarantee that the attacker would give the company the decryption key. I liked how you used the cost of the ransom vs. the value of the data to help make the determination of whether the ransom should be paid, but once again companies are at the will of the attacker. I don’t think there is a good answer when dealing with data that is infected by ransomware. The best thing that a company can do is to ensure they have preventative controls in place: remote backups, IDS/IPS, system logs, training, etc.
Mengxue Ni says
I agree that organizations who are victims of ransomware should not pay for it, because they are not sure if they can get the full data back even if they pay. If the security department has done its job but it still happens, it can still lower the damage to the organization. The best way to fight ransomware is to protect yourself before it happens. Once it happens, unless your security experts can decrypt the data, the organization is very passive. But paying the criminals should be the last step they take.
Ryan P Boyce says
In the event the company I was working for was affected by ransomware and I was in the position to decide whether or not to pay to get the data back, my decision would depend on the nature of the business we perform as a company and our security strategy. I would first work with our Security Operations/IT teams to determine how long systems had been infected. If the systems had been infected for longer than we had been capturing backups of the environment, the decision to pay the attackers the ransom would lean towards “yes”. If we had full backups that we determined to be clean, the decision would lean towards “no”. Again, this all hinges on what type of business we are conducting. Say, for example, we were a healthcare organization like one of the institutions affected last week; I would have seriously considered paying the ransom to get patient healthcare records back. If we were a digital marketing company, I would likely not pay the ransom. Ultimately, however, no matter the type of business or data, there is no guarantee the attackers will release your data, nor is there a guarantee they did not leave a back door open to get back in. With this in mind, I would rather take the loss than take the loss plus the cost of attempting to get my data back.
Shain R. Amzovski says
Ryan,
You made some great points here. Organizations really need to think whether or not they’ll be able to recover the data that is encrypted. It also depends on the organization. If a hospital is infected with ransomware, and a patient’s life is on the line because they need a medical record of what medicine a patient can and cannot have, an organization may be more tempted to pay. Also, I agree that there is no guarantee that your data will be released if you pay the ransom.
Mengqi He says
Great analysis, Ryan. I agree that whether to pay the ransom depends on what kind of organization was affected and what kind of data was encrypted. In this case, patients’ personal information in healthcare organizations should be regarded as extremely important data that should be recovered as soon as possible. This was not all about data; this was more about people’s lives. Patients cannot get treatment as long as those healthcare organizations don’t get their healthcare records back. However, I also agree that organizations should understand that there was no guarantee that the cybercriminals would decrypt the data even if they got the ransom. Never trust criminals, especially in such a large-scale attack. Paying the ransom was like gambling where control is in the cybercriminals’ hands. For me, I would prefer to put the money towards recovering systems and data with the help of external IT experts.
Joseph Nguyen says
Ransomware first started 27 years ago. In 1989, the first ransomware virus was used by a Harvard biologist Ph.D. named Joseph L. Popp. He sent about 20,000 disks to health researchers around the world under the pretext of a survey about the risk of contracting AIDS. The disks contained a virus that locked the computer after several reboots, and users got a printout from the printer telling them to pay $189 to a P.O. box in Panama in exchange for a decryption key.
The FBI was able to track Popp, who lived in Ohio with his parents, and it turned out that he was an eccentric who was mentally unfit for trial. His motive was not money but some anger towards the WHO, the World Health Organization, which is based in Geneva, Switzerland.
The virus was ineffective and free decryption software was shortly made available for the victims.
Today ransomware is nearly a billion-dollar-a-year business. IBM said 40% of victims are willing to pay more than $100 to get data back.
https://en.wikipedia.org/wiki/AIDS_(Trojan_horse)
http://www.cnbc.com/2016/12/13/ransomware-spiked-6000-in-2016-and-most-victims-paid-the-hackers-ibm-finds.html
Shain R. Amzovski says
Joseph,
That is a very interesting article you posted. It is interesting that ransomware can be traced back to 1989. If my personal computer were to be infected with ransomware, I don’t think I’d be willing to pay any amount of money to get the data back. I would just format the hard drive and start out with a fresh operating system. I generally keep backups of my most important files, either through e-mail or on USB. 40% willing to pay more than $100 is higher than I expected. This goes to show how many people only have their critical files in one location without backups.
Mengxue Ni says
I think the question of whether to pay or not to pay the ransom is interesting. I think there are two attitudes toward paying the ransom. The first one is to never pay it, because they won’t give you the full decryption and organizations will need to pay several times to fully get their data back. The second attitude depends on what the data is, whether organizations have backup data, etc.
There are some interesting statistics related to the question. According to CNN, $209 million was paid to ransomware criminals in Q1 2016. The average ransom demand is now $679. The news didn’t mention how much the attackers were demanding, but since many hospitals experienced disruption and ambulances were diverted, I believe the amount of the ransom will be high. Prior to an attack, 4 out of 5 organizations are confident backup can provide them with complete recovery. However, less than half of ransomware victims fully recover their data, even with backup. Only 5 percent ever consider paying the ransom an option, which means 95% of people or organizations don’t consider paying at all. The reason is that paying does not always result in getting their data back; criminals don’t always follow through with their promises to decrypt the data. Therefore, the answer to the question is not to pay the ransom unless you must.
Ransomware is growing rapidly, with 600% growth in new ransomware families since December 2015. The good news is that we can take actions to protect organizations from ransomware, although there is no one method or tool that will completely protect you or your organization from a ransomware attack. Contingency and remediation planning is crucial to business recovery and continuity, and these plans should be tested regularly.
Helpful link:
https://advisory.ey.com/cybersecurity/should-you-pay-the-ransom
https://blog.barkly.com/ransomware-statistics-2016
https://www.barkly.com/ransomware-protection-and-prevention#section-three
Loi Van Tran says
As many have already mentioned, ransomware is pervasive and can lock users out of critical data unless a payment is made to the attacker in exchange for a decryption key, usually in the form of bitcoins. Bitcoins are an electronic currency that makes it impossible to track the source and destination of payments. Any organization infected by ransomware is faced with the decision of whether they should pay to decrypt their data.
If my organization was infected by ransomware, I think the determination would be made based on what was affected, whether there is an uninfected backup, whether eradication is possible, and how long it would take to recover. The prudent thing to do would be to pay and hope that the criminal keeps his word in providing the decryption. Another problem will still exist if the malware is persistent and continues to encrypt files after the ransom was paid. Lastly, the organization must identify how the malware got into the network in the first place, which requires system and network logs. If you can’t identify how it happened, then you are at risk of being exposed to ransomware again.
Julien Rossow-Greenberg says
Loi, good points. Especially where you mentioned how it’s tough, if not impossible, to trust the criminal who infected your systems to decrypt after payment is received. If an organization is in fact putting that trust in the attacker, they should definitely reconsider. The only way this should be considered is if the organization determines that they do not have an uncompromised backup of the data, that there is no way to remediate, and that the data itself is mission-critical and cannot be lost.
Zhengshu Wu says
I do not support paying ransom, for the following reasons:
“Firstly, paying a ransom does not guarantee an organization that it will get its data back. There are many cases where organizations never got a decryption key after having paid the ransom.
Secondly, paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity.
Finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
Sources: https://www.welivesecurity.com/2016/05/09/fbi-ransomware-extortionists/
Julien Rossow-Greenberg says
If my organization fell victim to a ransomware attack, whether or not I would pay the ransom would be determined by a couple of different factors. First and foremost, it would be important to assess how much value the compromised data has to the organization. If it’s mission critical, I need to take that into consideration. If it’s of no or little value, we can start moving forward with remediation and learning how our systems were compromised. Second, whether the data is of value or not, do we have an uncompromised backup of the data? Having an uncompromised backup would be the best-case scenario. If this is in fact the case, resources can then be focused on analyzing how the systems were breached.
Marcus A. Wilson says
As people have already mentioned, I think there are a lot of factors that would have to be considered before I’m in a position to say if I would pay the ransom or not. I would start with how critical the data is to the organization. If it is something that is widely available or can be recreated without impacting the business, I would be less likely to pay the ransom (there have also been groups that are dedicated to getting these encryption algorithms posted online to help victim organizations). However, there are always going to be worst-case scenarios where there is data that ultimately has to be recovered or it can jeopardize the business going forward. I think in this case you have to look at the possibility of paying the ransom. The best-case scenario is that the cost is lower compared to the alternative cost of losing that data. Even after paying the ransom I would be concerned with additional things, such as: are they really going to release the data, or ask for more money? Are they going to continue to target the organization due to the fact that they did pay? No matter how you look at it, this is a difficult decision with several high-stakes decisions to make rather quickly.
Josh Zenker says
Under most circumstances, I would recommend against paying the ransom. It will only encourage other attackers to come after your organization with ransomware. Furthermore, there’s no guarantee that the attacker will actually decrypt your data after receiving the ransom.
The only circumstances in which I would consider paying would be if an uncompromised copy of the data could not be recovered from a backup and/or if so much data was compromised that it would take an unacceptable amount of time to restore normal operations. Even then, depending on the importance of the data, it may still be a better option to accept its loss.
Sachin Shah says
Very good point about how paying a ransom will instigate other attackers to come after your company. Yet the data and how sensitive it is may entice a company to pay the ransom. Hence, even if the data was backed up, the data is of a confidential nature. But I do agree with your point about the time it may take to restore data.
Anthony Clayton Fecondo says
There are very few scenarios where I would pay a ransom. In most cases, the data that is inaccessible as a result of the attack should be backed up. If this is the case, then there’s no need to pay the ransom because the company can restore a new copy of the data from a backup. However, if the data was stored and contaminated in a short time frame and no backup was made, then I might be willing to pay the ransom. In this scenario, I would have to consider the business value of the data, the dollar amount of the demanded ransom, and the potential repercussions of paying the ransom (hackers would be less likely to target a company with ransomware if that company had a reputation of not paying the ransoms, and vice versa). If the value of the data exceeds the associated costs, then I would pay the ransom.
Sachin Shah says
Paying a ransom is all about how you value the information stolen. Also, how sensitive is the data? The data may be backed up, yet the data stolen may be so sensitive that no one outside the company should know what is on it. That is a decision management needs to make, along with whether the business can swallow the costs of paying a high ransom request.
Regardless of the ransom, the company needs to focus on how their network/systems were breached. If the data was backed up, it may take time to restore, but that is time. Time is now compared against the value of the data taken, since the time to recover the data may halt business operations. Either way, the company needs to move forward with patching, backups, and regular updates and scans.