Ransomware attacks are on the rise, and in light of the recent attack on MGM International, it's clear that we’ll see even more devastating attacks despite advancements in cybersecurity. Today’s ransomware attackers are no longer just criminals sitting behind a screen: they are savvy businesspeople who have established multi-billion dollar organizations by stealing valuable data from large companies.
As cyberattacks continue to become more sophisticated, just about every organization is vulnerable. However, in the event of an attack, the question of how to respond to a ransomware demand can be complex and require careful consideration of an organization’s infrastructure and data recovery capabilities. Let’s unpack the critical decisions a security team needs to make in the wake of an attack:
The pros and cons of paying the ransom
Generally speaking, it only makes sense to pay the ransom under one circumstance: if the organization has no other means to recover its stolen data. In a perfect world, payment would mean that an organization’s data would be restored and their business operations would continue without any unforeseen challenges or disruptions.
However, that’s rarely the case as decryption tools provided by bad actors are often unreliable and not well-tested. As a result, these tools are often slow — taking extremely long periods of time to recover data — and there are no guarantees that the data will get restored completely. Additionally, an organization’s willingness to pay can also indicate vulnerabilities, which can encourage hackers to attack them again — as well as create legal issues such as compliance suits or other lawsuits which are both costly and time intensive. While these are all important considerations, the risk of not paying the ransom can also mean that the attacked organization may cease to exist. In that case, paying the ransom to attempt to salvage the data where possible may be the only option.
What happens if the company doesn’t pay?
An organization can move forward without paying as long as it has the necessary data recovery capabilities to restore its mission-critical applications and core infrastructure. Speed of recovery is critical post-attack, and in most cases, organizations are better off leveraging their own resources to kick-start their disaster recovery plans, as their technology is often more reliable than a bad actor’s decryption tool.
However, not paying the ransom may also come with its own set of risks. For example, bad actors may threaten to post sensitive data, and others may even try to inform the media of the breach if the company refuses to pay up. In addition, the initial attacker may sell additional indicators of compromise they planted in the environment to other attack groups on the dark web. There’s no perfect solution when it comes to responding to an attack, making it more important than ever to stay proactive when it comes to data protection and resilience, so the company can prevent attacks from escalating in the future.
Recovering from an attack
Whether an organization decides to pay the ransom or not, chances are it will still need to restore part or all of its data. Recovery will always create chaos immediately after an attack. Because recovery often requires a lot of moving pieces, it's critical to establish a tiered resiliency architecture, as it will accelerate the time it takes to recover critical data and applications. By letting organizations save their data across different tiers or levels, a tiered resiliency architecture offers a future-proof way to build speed and durability into the recovery strategy. This can benefit the company by allowing it to complete tasks simultaneously, such as investigating the source of the attack alongside the immediate recovery of the operational tier.
Additionally, companies need to develop a recovery plan that outlines a clear idea of the recovery path. Modern recovery must not depend solely on backups. Instead, organizations must have a layered approach, starting with snapshots for recovery and falling back to backups as a last line of recourse. Because restoring everything concurrently isn’t realistic, it's also important to prioritize specific actions. On that front, consider the most critical application that the company needs to restore first, keeping in mind that critical infrastructure like Active Directory must be prioritized above all else. Organizations must also decide how to acquire new hardware, since teams typically quarantine impacted infrastructure and treat it like a crime scene. It’s critical to do this quickly, or to have an offline kit ready for immediate recovery to get back up and running.
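The layered, prioritized recovery path described above can be turned into an explicit, testable restore order before an incident rather than improvised during one. The following is an added illustration written for this article, not code from the author or from Pure Storage: it models a small asset inventory (constructed sample data, with hypothetical asset names and tiers), prefers a snapshot over a backup when the snapshot is recent enough, orders restores so that dependencies such as Active Directory and DNS come back first, and flags any asset that has no usable recovery point at all, which is exactly the information a team needs when weighing the "no other means to recover" question.

```python
"""Dependency-aware restore planner for a tiered recovery plan (added example, not vendor tooling)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Asset:
    name: str
    tier: int                                   # 0 = core infrastructure, 1 = critical apps, 2 = everything else
    depends_on: List[str] = field(default_factory=list)
    snapshot_age_hours: Optional[float] = None  # None means no usable snapshot survived the attack
    backup_age_hours: Optional[float] = None    # None means no usable backup exists


def choose_source(asset: Asset, max_snapshot_age_hours: float) -> str:
    """Snapshot first (fast, recent), backup as the last line of recourse, otherwise flag the gap."""
    if asset.snapshot_age_hours is not None and asset.snapshot_age_hours <= max_snapshot_age_hours:
        return "snapshot"
    if asset.backup_age_hours is not None:
        return "backup"
    return "no-recovery-point"


def plan_restore(assets: List[Asset], max_snapshot_age_hours: float = 24.0) -> List[Tuple[str, str]]:
    """Return (asset, source) pairs in restore order.

    An asset is only scheduled once everything it depends on is already restored; among the
    assets that are ready, the lowest tier goes first (ties broken by name for determinism).
    Raises ValueError on an unknown dependency or a dependency cycle, so a broken plan fails
    during rehearsal instead of during an incident.
    """
    by_name = {a.name: a for a in assets}
    for a in assets:
        for dep in a.depends_on:
            if dep not in by_name:
                raise ValueError(f"{a.name} depends on unknown asset {dep}")

    remaining = set(by_name)
    restored = set()
    order: List[Tuple[str, str]] = []
    while remaining:
        ready = [by_name[n] for n in remaining if all(d in restored for d in by_name[n].depends_on)]
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        ready.sort(key=lambda a: (a.tier, a.name))
        nxt = ready[0]
        order.append((nxt.name, choose_source(nxt, max_snapshot_age_hours)))
        restored.add(nxt.name)
        remaining.remove(nxt.name)
    return order


def unrecoverable(plan: List[Tuple[str, str]]) -> List[str]:
    """Assets for which neither a snapshot nor a backup is available: the only case
    where a decryption tool from the attacker would be the sole remaining option."""
    return [name for name, source in plan if source == "no-recovery-point"]


# Constructed sample inventory; names, tiers and ages are hypothetical.
SAMPLE_INVENTORY = [
    Asset("active-directory", tier=0, snapshot_age_hours=2),
    Asset("dns", tier=0, depends_on=["active-directory"], snapshot_age_hours=2),
    Asset("erp-db", tier=1, depends_on=["active-directory", "dns"],
          snapshot_age_hours=40, backup_age_hours=12),   # snapshot too old, backup used instead
    Asset("erp-app", tier=1, depends_on=["erp-db"], snapshot_age_hours=3),
    Asset("wiki", tier=2, depends_on=["active-directory"], backup_age_hours=48),
    Asset("legacy-reporting", tier=2, depends_on=["erp-db"]),  # no recovery point at all
]


if __name__ == "__main__":
    plan = plan_restore(SAMPLE_INVENTORY)
    for step, (name, source) in enumerate(plan, 1):
        print(f"{step}. restore {name} from {source}")
    print("needs manual decision:", unrecoverable(plan))
```

Run it as a script to print the restore runbook for the sample inventory; in practice the inventory would be generated from a CMDB or backup catalog and the plan rehearsed periodically, since the planner will raise immediately if someone introduces a circular dependency or references an asset that no longer exists.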
Protecting an organization from the effects and costs of a ransomware attack requires productivity and preparedness. As the year comes to an end, this time offers a critical opportunity for organizations to evaluate their security strategy and response plans, so they can lay the foundation for strong data recovery and resiliency to meet the needs of the ever-changing threat landscape.
Andy Stone, chief technology officer, Americas, Pure Storage