As ransomware attacks continue to cripple networks, most recently forcing medical centres to shut down their systems and turn away patients, the FBI has issued some unambiguous advice for organisations on how they should handle ransom demands:
The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.
In other words, the FBI says that paying up is no guarantee that hackers will unlock the encrypted data on your computer.
And that’s true. There is no guarantee. And you would have to be in a pretty desperate position to place your trust in anonymous cybercriminals who have already proven themselves to have no qualms about breaking the law and exploiting a situation for their financial advantage.
But then, companies and organisations who find themselves in the middle of a hard-hitting ransomware infection are often desperate. This can especially be true if firms did not have a secure backup system in place from which they can restore their precious data or if they determine that recovering from a backup might take a lot longer (and cost them more money) than paying their extortionist.
However, as the FBI points out, there are other major reasons why they advise against paying ransomware demands: you are encouraging criminals to launch more attacks.
Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals.
If no-one ever paid the ransom, there wouldn’t be any more ransomware attacks. Criminals would look for other ways to make their fortunes, and hacking gangs would dismiss ransomware as a venture worth pursuing.
This feels to me like the best reason of all not to give in to those who have hit your company with ransomware. We all want the internet to be a safer place, and making cybercrime more profitable only encourages more crime to take place.
Of course, we have to be realistic. There’s no sign that ransomware attacks are going to stop anytime soon, and there are some organisations who will feel that they have no choice but to make the painful decision to pay their attacker.
The FBI says that it understands this, and “that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
Whether companies have paid the ransom demand or not, the FBI urges organisations hit by ransomware to report the attack to law enforcement. Options include contacting your local FBI field office and reporting the incident to the FBI’s Internet Crime Complaint Center (IC3).
Cybercrime-fighting agencies are hungry for information about ransomware attacks, as it can help them track those responsible and–hopefully–bring those responsible to justice.
Of course, your organisation should take steps now to reduce the chances that it will find itself having to make the tricky decision of whether a ransomware extortionist should be paid or not. Invest in a layered defence to protect your computer systems, educate staff about how ransomware attacks can enter an organisation, ensure that you have a secure and reliable system for backing up critical data and test that you are able to recover quickly before a ransomware attack occurs.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.