This was one of the topics tackled by a recent workshop organized by the United States’ Federal Trade Commission. The Ransomware workshop included several panel discussions focusing on particular aspects of ransomware, including one panel attended by F-Secure’s own Päivi Tynninen discussing whether ransomware victims should pay their extortionists?
So what did the experts say about dealing with a ransomware infection? The choice ultimately comes down to whether businesses should pay or not, and that’s something businesses need to decide for themselves. But here’s a few things the panelists discussed that you can keep in mind when trying to deal with ransomware infections and the online extortionists behind these attacks.
Try and collect some threat intelligence on the infection
Not all ransomware infections are the same. Different families and variants can work differently from one another, and it makes sense to inform yourself before rushing into any decisions. For example, police-themed ransomware, which uses lockscreens to prevent people from using their devices (as opposed to crypto-ransomware, which encrypts data), is notorious for not removing the malware after people pay. Many of these families can also be removed manually by users (or automatically by some security products), making paying an especially bad option in these cases.
So it’s worth trying to learn about what you’re infected with before you try and deal with the infection.
Protect yourself when dealing with extortionists
We recently highlighted how ransoms can often be negotiated. Deadlines can be moved, and ransoms can be lowered if you negotiate correctly.
But keep in mind that if someone infects your device(s) and demands money to remove the problem, they’re extorting you. And in most places, this is illegal. Which means if you need to contact whoever infected you, you’ll be dealing with criminals, and you should protect yourself accordingly.
One way to do this is by controlling information. Don’t disclose anything about yourself that might encourage extortionists to ask for more money (for example, if you’re wealthy or particularly desperate to get your files back). Use anonymous accounts or an intermediary (such as a cyber security company offering incident response services) so they can’t research who you are on their own. And don’t assume that links or information they send you are completely harmless. Cyber criminals won’t necessarily stop at online extortion, and may try to trick you into downloading additional malware or expose yourself to other schemes.
Decide whether or not the data is worth it
Obviously, no company likes paying ransoms. So why do it all? Because data is valuable. It’s intellectual property, information about customers, brand assets, financial records, etc. Many businesses can’t function properly without these resources. And extortionists know this. They know that seizing control of data lets them assert control over businesses. And then they make you pay to get that control back. It’s proven itself to be a successful business model for cyber criminals.
Having good backups is key to making extortion via ransomware ineffective. If you have reliable backups that can be easily restored without losing critical data, paying becomes less important.
However, this is easier said than done. Sometimes companies won’t backup their files often enough. Or lose the backups. And when faced with losing valuable data or paying a ransom, it becomes easy to see why victims choose to pay. In many cases it’s the only way to avoid losing the affected data.
Contacting the authorities can pay off
F-Secure Security Advisor Sean Sullivan says that businesses need to keep in mind they’re victims. And while it’s understandable that businesses want to minimize publicity surrounding these incidents, law enforcement officials are usually focused on simply catching the bad guys, and have ways for information to be submitted inconspicuously or anonymously.
“It’s worth sharing what information you have about these crimes with law enforcement, organizations like CERT, or cyber security companies. That way, any information you have can be put to good use,” says Sean. “And if the extortionists are caught, the information you provide can help with prosecutions, which is indirectly good for everyone’s security.”