We can say it until we are blue in the face, “Do not pay the ransom, ever. Period." Even when your small or medium-sized business (SMB) is the victim of a ransomware attack, do not pay the hackers.
Paying the ransom only leads to more problems for your organization in the long term. It is a short-sighted strategy that does not guarantee you will get your data back and encourages hackers to attack you again. Yet, despite these warnings, cyber insurance companies and others have encouraged companies to pay the ransom, as a quick means to restore operations. We need to cover the consequences again and help victims avoid paying a ransom twice.
Federal Bureau of Investigation (FBI) Ransomware Recommendation
"The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all their data even with a valid decryption key. Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals." – FBI, Internet Crime Compliance Center
Even if the bad guys were to give you a key that actually unlocks your systems (which is not guaranteed—criminals are not the most trustworthy people), you do not know what copies of the data exist or who might now have access to it. Your systems might still harbor latent malware or other infections that make you vulnerable to repeated attacks. Because the hackers know you will pay up, you are going to get hacked again. Like any business, ransomware hackers love repeat customers. Do not listen to insurance providers who think they can save money when you pay a ransom.
It helps to think of this as a kind of business model that hackers are using. They identify their best customers (i.e., people who pay them ransoms) and then work to garner a greater share of that customer’s wallet. When you pay up, you are going to get hacked again.
Already Paid A Ransom, What Should You Do Next?
Avoid paying ransoms again. Start by admitting you have an ongoing cybersecurity problem. The hackers are coming back. 95% of the time when you get robbed, you get hit again after you have replaced all your stuff. Ransomware is not like some one-and-done art theft. After you have paid a ransom, the hackers will be back for more money.
So, get ready for the bad guys’ return; find out how they got into your information technology (IT) network system. Do a root cause analysis, including:
- Is your business cybersecurity lax?
- Does the firewall have vulnerabilities?
- Did an employee fall victim to a phishing email?
Next, identify where the hackers originate by tracking the Internet Protocol (IP) address used to launch the attack. Close that loop by blocking said IP. As an added precaution, set your firewall to block IPs from any geographies where you are not doing business. Test these new defenses to make sure they work and will prevent the bad guys from coming back.
When it comes time to validate these steps work, you need to have business interruption (BI) / disaster recovery (DR) plans in place. BI/DR plans ensure business continuity and your ability to replace lost data from backups.
Prepare a well-defined incident response (IR) plan that enable you identify attacks, minimize the damage, and reduce the cost of a cyberattack. Train your people what to do and what not to do in the event of a cyberattack. Then, test them regularly (like in a fire drill). Think carefully about whether your organization can implement these steps. Are you sufficiently staffed to do this on your own? You probably need outside help to defend your business.
Check out our white paper, The Rise of Ransomware-as-a-Service for more information on steps to mitigate ransomware.
End Ransom Demands Now
Have you suffered ransomware infections in the past, or are you facing a ransom demand right now? Then call ActZero today at 1-855-917-4981. We offer incident response services to our small and medium-sized clients. In addition, our managed detection and response (MDR) service proactively protects against ransomware attacks. Stop suffering and call now!
For more information on the latest ransomware threats, check out our white paper.