Before you shell out some virtual currency to unencrypt your data, consider the fact that there's no guarantee that ransomware attackers will proceed to unlock it.
“While some companies have created Bitcoin wallets in order to have ransom money on hand, it is important to note that the FBI strongly discourages extortion payments, and that recovery either may not be forthcoming or even possible,” says Kenneth Geers, senior research scientist at New Jersey-based Comodo and ambassador at the NATO Cyber Centre. “In short, once your network is compromised, nothing is guaranteed.”
Whether there's any other option than to pay depends on what backup and contingency plans are in place, experts say. A fully backed up system that takes hours or days to recreate may be intolerable if the time lag means the loss of business-critical applications or puts lives in danger. And a clean backup won't prevent attackers from using the data they've stolen for extortion.
“I believe medical information and other PIN data will be prime targets for [ransomware] attacks,” says Robert Liscouski, president of Implant Sciences Corp. and a former official at the Department of Homeland Security. “Small businesses and doctors can least afford a ransomware attack, but are likely the most vulnerable since they often don't invest the necessary resources to protect themselves,” he says.
Some of the most important preventative measures depend less on the amount of money spent than cybersecurity best practices. “If an attacker really wants to get to a target, and is willing to put whatever resources to persist through, it is almost impossible to defend against,” says Lillian Ablon, a data scientist at the Rand Corp. in Santa Monica, Calif. The goal, she adds, is “to become less of a juicy target that might make the attacker move on to someone more vulnerable-looking.”
Ablon's anti-ransomware to-do list includes multifactor authentication, encrypting data both in transit and at rest and “air-gapping” critical sections of the network. She also advocates conducting mock ransomware attacks as part of user awareness training and simulating the high-pressure tactics of extortionists rather than a simple data breach drill.
Those defensive measures should be supplemented with a hunt for ransomware before it latches on to your data, says Andrew Plato, CEO of Anitian, an Oregon-based cybersecurity consulting firm. “Ransomware does not just show up one day and immediately cause problems,” he says. That means you must spot the attack while it's in its infancy, while the malware is just taking hold in the environment. “You need more than just firewalls and anti-virus software. You must coordinate and unify those technologies into some form of security analytics platform.”
If that fails, Plato adds, you should be prepared to pull the plug on the infected systems and start anew. By moving data to the cloud, Plato says, organizations can create a disposable infrastructure with virtual machines that can be rebuilt on a daily or hourly basis.
“If you cannot affect change quickly,” he says, “when confronted with a potential threat, then you cannot stop the next attack.”