SecureState Blog

With the rise of ransomware attacks, the panic level is high among executives and their security personnel. Given the lack of preparedness for this type of attack that we often see, that panic is justifiable. The question on many executives’ minds is, if they are infected by ransomware and their data is held hostage, should they pay?

Given the complexities around this issue, we asked SecureState CEO Ken Stasiak and Management Consultant Sr. Associate Matt Franko to discuss the pros and cons of paying the perpetrators of ransomware.

Ken Stasiak
Using the NIST Cybersecurity Framework, SecureState has performed a risk analysis for companies based on potential ransomware attacks and the impact. Focusing on the five areas, I recommend companies evaluate their ability to Identify, Prevent, Detect, Respond and Recover from ransomware. There are only a few ways ransomware is successful, and almost all are either driven by sophisticated phishing attacks or malicious links/attachments. End-users having local admin, along with poor preventive controls, is a recipe for ransomware. Once your files are encrypted with one of these attacks, you often don’t have a good option, and you have to consider…
Matt Franko
Don’t negotiate with terrorists!
Ken Stasiak
Really, Franko? That’s your opening argument? There is no negotiation. And they aren’t terrorists. They are hackers who found a more direct way to monetize their activities, by literally making these organizations pay for their lacking security measures.
Matt Franko
But the same principle holds. By meeting their demands, you are creating a market for ransomware. If no one paid, this wouldn’t be profitable, and this type of attack would go away. At the very least it would be used much less frequently. Today we’re hearing news of a ransomware attack at least weekly… and those are just the big attacks.
Ken Stasiak
Typically though, the ransom amount has been very low, relative to the value of the data involved. Are you telling me that if you could recover all your data, almost instantly, for a small fee, you wouldn’t at least strongly consider it? Rather than possibly lose weeks recovering or possibly lose millions in IP and records?
Matt Franko
But think about the greater good. This type of attack will continue to rise if folks are just paying a ransom… 
Ken Stasiak
It is easy to talk about the greater good or Utilitarianism (not sure if you know what that even means, Franko) when it isn’t your data. A hospital not having access to that data may put people’s lives at risk. Are you willing to take that risk? 
Matt Franko
You want to talk about risk? How about the risk that you pay the ransom and they still don’t decrypt your data. These people aren’t exactly members of Local Hacker’s Union that requires ethical business practices.
Ken Stasiak
Of course they will decrypt the data. Hackers have a business reason to decrypt the data… if they don’t do it one time, then people will rethink paying, thus eliminating their revenue stream or cannibalizing their own product offering.
Matt Franko
You know what would make the hackers rethink this? Sending in someone with a particular set of skills…
Ken Stasiak
This isn’t a movie, Franko. And the data is still there.
Matt Franko
The organization could just break the encryption…
Ken Stasiak
Then they really would need someone with a particular set of skills. But trying to break the encryption is usually one of the worst options.
Matt Franko
So you basically support organized crime? Just pay them off?
Ken Stasiak
The truth is, the answer has to be “It depends.” Executives have to do a cost/benefit analysis and determine what is best for them. And while a common sentiment is that the FBI tells everyone to Just Pay, their official position is far more nuanced, as you would expect. In fact, much of their advice is very similar to what SecureState recommends.
Matt Franko
Clients don’t want to hear “It depends.” They want actionable advice. And executives can’t do a cost/benefit analysis without knowing where their data is and understanding the value of that data.
Ken Stasiak
Right… Obviously if an organization is in this situation, and can’t answer those questions, they need to bring in outside experts to help them assess the situation and make the best possible decision for their organization.

Interested in bringing in a third party to assess your risk for ransomware?

  • SecureState is offering a complimentary 30-minute consultation either over the phone or in person to discuss your current security program.
  • During this consultation, we will use our quantifiably developed algorithm to rate your risk of falling victim to ransomware on a scale of 0 to 100%.
  • SecureState will provide a specific risk report tailored to ransomware that you can present to directors and officers.

Schedule Your 30-Minute Consultation Today