Cybercriminals are fueling near-continuous news coverage of governments, universities, healthcare systems, and businesses brought to a screeching halt by ransomware. Caught unprepared, these organizations are then forced into an uncomfortable cost-benefit analysis: Cough up the ransom payment or endure the damaging impacts of downtime and data loss.
It’s not always an easy choice.
But it is an important conversation.
As painful as this is, engaging in this dialogue now can ensure you’re prepared to respond in the face of a ransomware infection or—better yet—avoid it altogether.
Because, if you ask us, no one should ever feel compelled to cave to a criminal’s demands. And, with a solid backup and recovery strategy in place, you don’t have to. (More on that later.)
Should you pay the ransom?
The FBI does not support paying ransoms: payments fund and embolden cybercriminals, encouraging further attacks, and paying carries no guarantee that you will get your data back.
However, for an organization caught flat-footed, the resulting data loss and downtime could threaten its survival. It could mean lost jobs, financial impacts for customers, and even endanger lives in the case of healthcare systems.
Even with a weak backup and recovery solution in place, some organizations conclude that paying is faster and cheaper than rebuilding, and the quickest route to restoring business operations.
With so much weighing in the balance, it’s important to consider the reasons you might pay, and how you can swiftly execute that payment.
That said, you should keep in mind that cybercriminals don’t exactly have a sterling customer service record. Whether the result of incompetence or malice, organizations have sometimes decrypted their files to find their data corrupted—or made the payment only to receive a second, higher ransom demand.
These ransomware payment statistics certainly don’t inspire confidence:
- A recent CyberEdge Group survey found that just a little over half of the organizations that paid ransoms actually recovered their data
- A SentinelOne report found that only 26% of organizations that paid up were able to unlock their files
- The same SentinelOne report also found that, of those organizations that executed ransomware payments, 73% were attacked again
How to pay a ransomware demand
If you’re caught without any viable options to recover your data, and you’re faced with frightful consequences, you might be inclined to pay—in spite of the risks.
If so, you’ll need to navigate your way through the process—a stressful situation to be sure.
Here’s how you go about it:
- Confirm the ransom demands: how much to pay, where to pay, and how much time you have. This information is usually shown on the ransom screen or in a decryption-instructions text file. Preserve copies of the note and a few encrypted files; the note identifies the ransomware family, and for some families a free decryptor exists, which is worth checking before you spend anything.
- Obtain bitcoin. Our Ransomware Watch consortium partner, KnowBe4, recommends Coinbase if you have four days to complete your transaction. If your payment window is tight, they recommend you use LocalBitcoins to find a broker instead.
- Install Tor Browser from the Tor Project. Once installed, you'll be able to reach the attacker's payment site (typically a .onion address) to complete the payment process.
- Transfer bitcoins to the attacker. Find the attacker's bitcoin address in the payment instructions, log in to your bitcoin account, and execute the transfer. Bitcoin transfers are irreversible, so confirm that the address you are sending to is exactly the one in the note before you submit.
- Confirm the bitcoin transfer. In some instances, though not all, you'll need to enter the transaction ID (the transaction hash) into a field on the attacker's website.
- Decrypt your files. After a waiting period, sometimes several hours, you may receive a decryption key or tool. Try it on copies of a few files first, and only run it across everything once you have confirmed that the decrypted output is intact.
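Because a bitcoin transfer cannot be reversed, a practitioner would want to sanity-check the address copied from the ransom note before sending. The following is an added example, not code from the original post or from KnowBe4: it decodes a legacy (Base58Check) Bitcoin address and verifies its checksum, which catches a mistyped or clipboard-mangled address but says nothing about who controls it. The sample inputs are the well-known genesis-block address and a deliberately corrupted copy of it; bech32 (bc1...) addresses are reported as unchecked rather than validated.

```python
import hashlib

# Bitcoin's Base58 alphabet (no 0, O, I or l, to avoid look-alike errors).
_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed samples: the genesis-block address, and a copy with one wrong character.
GENESIS_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
MISTYPED_ADDR = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNb"


def base58check_decode(addr: str) -> bytes:
    """Decode a Base58Check string; return the payload without its 4-byte checksum.

    Raises ValueError on an invalid character or a checksum mismatch.
    """
    n = 0
    for ch in addr:
        idx = _B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid Base58 character {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    # Each leading '1' stands for one leading zero byte that the integer form lost.
    leading_zeros = len(addr) - len(addr.lstrip("1"))
    raw = b"\x00" * leading_zeros + body
    if len(raw) < 5:
        raise ValueError("decoded data too short")
    payload, checksum = raw[:-4], raw[-4:]
    expected = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    if checksum != expected:
        raise ValueError("checksum mismatch: address is mistyped or corrupted")
    return payload


def verify_payment_address(addr: str) -> dict:
    """Classify a mainnet address copied from a ransom note.

    Returns {"valid": True/False/None, "type": ..., "reason": ...}. None means
    the format (bech32) is outside what this example checks.
    """
    addr = addr.strip()
    if addr.lower().startswith("bc1"):
        return {"valid": None, "type": "bech32",
                "reason": "bech32 address not checked here; verify it in your wallet software"}
    try:
        payload = base58check_decode(addr)
    except ValueError as exc:
        return {"valid": False, "type": None, "reason": str(exc)}
    if len(payload) != 21:
        return {"valid": False, "type": None,
                "reason": f"unexpected payload length {len(payload)}"}
    kinds = {0x00: "P2PKH", 0x05: "P2SH"}   # mainnet version bytes
    if payload[0] not in kinds:
        return {"valid": False, "type": None,
                "reason": f"version byte 0x{payload[0]:02x} is not a mainnet address"}
    return {"valid": True, "type": kinds[payload[0]], "reason": "checksum OK"}


if __name__ == "__main__":
    for a in (GENESIS_ADDR, MISTYPED_ADDR, "bc1qexampleonly"):
        print(a, "->", verify_payment_address(a))
```

A passing checksum only proves the string was transcribed without error; compare it character by character against the note as well, since clipboard-hijacking malware swaps in a syntactically valid address of its own.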
To be clear: This is a painful post for us to write.
That’s why we want to shout this from the rooftops:
How to thumb your nose at ransomware payment demands
With proper disaster recovery planning and testing, you can restore your servers, applications, and data without paying out a single bitcoin.
What’s more, if we as a global community are more diligent about backing up our data and testing our recovery, ransomware will cease to be profitable—stripping extortionists of their motivation.
So, how do you get there?
We recommend the following:
- Thoroughly map your servers, applications, and data, and set a recovery point objective (RPO) and recovery time objective (RTO) for each
- Based on that inventory, establish a backup strategy that cost-effectively meets your SLAs
- Build redundancy into the strategy, ideally with regularly updated copies onsite, offsite, and offline; the offline copy is the one ransomware cannot reach
- Don't keep backups on network shares that production machines can write to; ransomware encrypts every mapped or writable share it finds
- Protect backup servers with anti-malware/anti-virus, and back up your backup
- Segment your network to limit the damage if your environment is infected
- Don't expose Remote Desktop Protocol (RDP) to the internet
- Require a VPN before you log into remote machines
- Limit backup server access to the IT personnel who need it
- Don't browse the web from your backup server except to fetch updates and patches
- Perform regular disaster recovery testing: actually restore from backup onto a scratch system and verify the data, so you know it will be there when you need it
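The following is an added example, not part of the original post, of the restore test the last item asks for. It builds a small constructed data set in a temporary directory, backs it up to two locations with a SHA-256 manifest, simulates a ransomware run that scrambles the live data and the onsite copy, and then restores from the first copy whose manifest verifies within the RPO. The location names (`onsite`, `offsite`), the sample files, and the `.locked` rename are assumptions made for the illustration.

```python
import hashlib
import json
import os
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def take_backup(src: Path, dest_dirs, name="backup"):
    """Archive src into every destination and write a manifest of per-file
    SHA-256 hashes next to each archive. Returns the archive paths."""
    files = {str(p.relative_to(src)): sha256_file(p)
             for p in sorted(src.rglob("*")) if p.is_file()}
    archives = []
    for d in dest_dirs:
        d.mkdir(parents=True, exist_ok=True)
        archive = d / f"{name}.tar"
        with tarfile.open(archive, "w") as tar:
            tar.add(src, arcname=".")
        (d / f"{name}.manifest.json").write_text(
            json.dumps({"created": time.time(), "files": files}))
        archives.append(archive)
    return archives


def verify_backup(archive: Path, scratch: Path) -> dict:
    """Restore the archive into scratch and check every file against its manifest.
    ok is True only if the archive is readable and nothing is missing or altered."""
    result = {"ok": False, "age_seconds": None, "mismatches": []}
    try:
        manifest = json.loads(
            archive.with_name(archive.stem + ".manifest.json").read_text())
        scratch.mkdir(parents=True, exist_ok=True)
        with tarfile.open(archive) as tar:
            if hasattr(tarfile, "data_filter"):   # safe extraction on newer Pythons
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
    except (OSError, ValueError, tarfile.TarError) as exc:
        result["mismatches"].append(f"cannot read backup: {exc}")
        return result
    result["age_seconds"] = time.time() - manifest["created"]
    for rel, digest in manifest["files"].items():
        restored = scratch / rel
        if not restored.is_file():
            result["mismatches"].append(f"missing: {rel}")
        elif sha256_file(restored) != digest:
            result["mismatches"].append(f"hash mismatch: {rel}")
    result["ok"] = not result["mismatches"]
    return result


def simulate_ransomware(paths):
    """Constructed stand-in for the attacker: overwrite each file with random
    bytes and rename it, as an encrypting ransomware would. Temp files only."""
    for p in paths:
        p.write_bytes(os.urandom(len(p.read_bytes()) or 16))
        p.rename(p.with_name(p.name + ".locked"))


def run_restore_drill(rpo_seconds: float = 3600.0) -> dict:
    """End-to-end drill: back up, get hit, restore from the first good copy."""
    root = Path(tempfile.mkdtemp(prefix="dr-drill-"))
    try:
        live = root / "live"                       # constructed production data
        (live / "docs").mkdir(parents=True)
        (live / "db.sql").write_bytes(b"INSERT INTO orders VALUES (1, 'widget');\n" * 50)
        (live / "docs" / "plan.txt").write_text("recovery plan v1\n")

        onsite, offsite = root / "onsite", root / "offsite"   # assumed locations
        archives = take_backup(live, [onsite, offsite])

        # Live data and the onsite copy (reachable from the infected network) are
        # hit; the offsite/offline copy is not.
        simulate_ransomware([p for p in live.rglob("*") if p.is_file()])
        simulate_ransomware(list(onsite.iterdir()))

        copies, restored_from = {}, None
        for label, archive in zip(("onsite", "offsite"), archives):
            r = verify_backup(archive, root / f"restore-{label}")
            r["within_rpo"] = r["age_seconds"] is not None and r["age_seconds"] <= rpo_seconds
            copies[label] = r
            if restored_from is None and r["ok"] and r["within_rpo"]:
                restored_from = label
        live_intact = any(not p.name.endswith(".locked")
                          for p in live.rglob("*") if p.is_file())
        return {"copies": copies, "restored_from": restored_from, "live_intact": live_intact}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_restore_drill(), indent=2))
```

The point of the drill is that a backup counts only once it has been restored somewhere and checked file by file; a copy that sits on a share the infected hosts can write to fails exactly the way the onsite copy does here, and the manifest age is what tells you whether the surviving copy actually meets your RPO.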
With a robust, redundant backup and recovery solution in place and strict adherence to these best practices, you’ll put yourself in the driver’s seat—and render ransomware nothing more than a speedbump.