Ransomware: Should you pay?
Ransomware is quickly becoming one of the largest threats to organisations of all shapes and sizes, and the stuff of nightmares for both IT professionals and business owners.
McAfee reports that ransomware attacks doubled in 2019, and the reality is that it’s a threat you’ve likely already experienced, or will experience in the future in some form or another. If you’ve experienced ransomware before, the first thoughts are often denial, shock and helplessness, followed by anger. By the time you find out your network is infected by ransomware, it’s probably too late to stop it and you’ve been presented with a “pay up, or lose it” screen.
Before continuing, if you’re experiencing an active ransomware attack, make sure you have completed the following steps:
- Isolate the network to stop the attack spreading. Shut down network switches, routers and modems.
- Call your IT provider and executive manager; you may need to start your disaster recovery plans.
- Check your backups are intact. If they are, secure the servers and start copying the backups onto an offline storage device (e.g. a USB hard disk).
- Start anti-virus scans and a file search to identify how far the infection has spread.
- Identify ‘patient zero’ (the source of the infection) and how it entered the system, e.g. a click on an infected email attachment.
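As an added example (not code from the original post), the ‘file search’ step above can be scripted: walk the file shares, count encrypted files and their size per directory, record where ransom notes were dropped, and take the earliest and latest modification time of the encrypted files as bounds on when the encryption ran, which narrows the hunt for patient zero. The appended extension and the note file name are hypothetical; in practice you take them from the ransom note and the identification tools mentioned later in the post.

```python
import os
import tempfile
from collections import defaultdict
from pathlib import Path

# Hypothetical indicators for the constructed sample below: the extension the sample
# ransomware appends and the note file it drops. Real values come from the ransom note.
SUSPECT_EXTENSIONS = {".locked"}
NOTE_NAMES = {"README_TO_DECRYPT.txt"}


def scope_infection(root):
    """Per-directory count/size of encrypted files, ransom note locations, and the
    earliest/latest encrypted-file mtime (bounds on when the encryption ran)."""
    root = Path(root)
    per_dir = defaultdict(lambda: {"files": 0, "bytes": 0})
    notes, first, last = [], None, None
    for dirpath, _, files in os.walk(root):
        rel = Path(dirpath).relative_to(root).as_posix()
        for name in files:
            p = Path(dirpath) / name
            if name in NOTE_NAMES:
                notes.append(f"{rel}/{name}")
            elif p.suffix.lower() in SUSPECT_EXTENSIONS:
                st = p.stat()
                per_dir[rel]["files"] += 1
                per_dir[rel]["bytes"] += st.st_size
                first = st.st_mtime if first is None else min(first, st.st_mtime)
                last = st.st_mtime if last is None else max(last, st.st_mtime)
    return {"encrypted": dict(per_dir), "notes": sorted(notes),
            "first_mtime": first, "last_mtime": last}


def build_sample(root):
    """Constructed sample file share: 'finance' was hit, 'hr' was not."""
    layout = {  # relative path -> (content, mtime)
        "finance/budget.xlsx.locked": (b"\x00" * 1024, 1_700_000_100),
        "finance/archive/2018.pdf.locked": (b"\x00" * 2048, 1_700_000_050),
        "finance/README_TO_DECRYPT.txt": (b"pay up", 1_700_000_120),
        "hr/policy.docx": (b"clean", 1_699_000_000),
    }
    for rel, (content, mtime) in layout.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
        os.utime(p, (mtime, mtime))


def demo():
    """Build the sample tree in a temp dir and scope it; returns the report."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        return scope_infection(tmp)
```

Point `scope_infection` at a read-only mount of the affected share; the per-directory sizes also feed the later step of costing what was lost.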
If you caught the infection in time, cleaned it up with your anti-virus and restored lost files from backups, well done.
If you’re not so lucky, you’re in for a rough ride.
One of the first objectives of ransomware when targeting your network is destroying your backups and restore points, both those saved on the local computer and those saved on network shares and devices.
If you’ve signed on and found everything gone, I’ll save you the ‘pep talk’ and leave it at this: you’re not the first and you certainly won’t be the last.
Moving forward with no backups, you have only 3 options:
- Kiss your data goodbye and start wiping disks
- Attempt to decrypt your data
- Pay the ransom
The official rule is “never pay a ransom”: the funds will most likely be used to fund crime or terrorism, and you have no guarantee the data will actually be decrypted. This is all high and mighty, but not when it’s your irreplaceable data!
How to proceed (this is general advice):
- Identify the type of ransomware that has infected your network.
You might be able to restore the files for free.
Some variants have weaknesses that can be used to unlock the files, and there may be notes from other unlucky individuals who have been successful or unsuccessful at recovering their files by paying the ransom.
Online Ransomware Detection Tools:
- Determine what files are missing and calculate the value/disruption of business for each file in dollars.
If the files are only low-value reference material that can be recreated or re-downloaded, you might be able to write them off. On the other hand, if the data is irreplaceable or costly to reproduce, you might want to consider paying the ransom.
- Call a local ‘Ransomware Recovery specialist’. Once you know the type of ransomware and the extent of the damage, and have determined you need recovery, you are best off contacting a specialist for assistance. They may be able to recover lost files without resorting to paying the ransom, or assist you through the recovery process.
- Consult with business owners, your legal team and insurers on the legalities of paying the ransom. This is a very high-risk transaction and may be against company policy or local laws to complete. Your insurer may refuse to reimburse you, or might be able to provide additional resources.
- Try to establish a dialogue with the attacker. Many attackers will decrypt a file as proof that they have the decryption key.
If possible, try to get a single file decrypted for a smaller amount before paying the full amount.
Paying an attacker does not guarantee the files will be decrypted; you are gambling, and the odds are quite literally 50/50.
- Calculate and obtain the required bitcoin. Take note of the currency they expect it in, e.g. $5000 USD worth of bitcoin.
When transferring the money, take extreme care that the transaction address is 100% correct; it’s impossible to reverse an incorrect transaction.
- Wait. Automated schemes may send you the decryption tool instantly; others take days, weeks or months, or never send it at all.
Don’t trust the attacker not to re-infect your network. Apply the lessons learned from the attack immediately to secure your network, e.g. implementing mail scanning, reducing access permissions, re-evaluating your AV vendor and improving your backups.
Do you need help securing your network or recovering from a malware event?
Give us a call on 1300 733 240 or by sending us a message.