When ransomware strikes, should a company pay up?

That is the question organizations must quickly decide when they are hit with a ransomware attack, reports Doug Olenick.

The 2 a.m. phone call dreaded by every chief technology officer, school district IT manager or small government official:

“It seems our entire network is inaccessible and someone calling himself TheDarkOverlord is demanding 28 of something called Bitcoin in order to release our data.”

The issue then becomes: what is the next step? That is, after the victim does a quick Google search to figure out what exactly a Bitcoin is and how much one costs. Pay the ransom, hope the IT team can figure out a way around the problem, or implement the organization's well-thought-out contingency plan?

The Federal Bureau of Investigation (FBI), along with many others, recommends against paying the ransom, but the number of companies opting to pay the bad guys before they either make the stolen data public or delete it is growing.

The bottom line is that many times organizations are faced with only poor options from which to choose: don't pay and deal with the consequences; pay and discover the bad guys did not release the locked data; or pay and have the criminals then ask for even more money.

“Normally we recommend not paying when hit with a ransomware attack as this only feeds the flames for cyber criminals to continue the practice. Your payment becomes an incentive for them to continue working on more advanced attacks. Additionally, paying doesn't necessarily mean you're going to get your data back,” says Dave Packer, vice president of corporate and product marketing at Druva.

Types of digital currency

Currency code: BTC
Blockchain is a matter of public record, with transactions viewable on several websites.
Proof-of-work currency, based on the SHA-256 algorithm.

Currency code: ETH
Blockchain based on a decentralised virtual machine called ‘EVM’.
EVM is Turing Complete and can run scripts called ‘smart contracts’.
Currently a proof-of-work currency, but moving to proof-of-stake.

Currency code: XRP
A decentralised transaction network based around a fixed quantity of XRP that can be used with any currency or commodity to settle transactions.
Used by international banks as settlement infrastructure: more secure and less expensive than traditional systems.
Closed Source.
Proof-of-work based with no facility for mining.

Currency code: LTC
Technically nearly identical to Bitcoin.
Uses the memory-bound Scrypt algorithm for proof-of-work.

Currency code: XMR
Provides strong privacy, with only approximate transaction values publicly available and sender/recipient details remaining secret.
Adopted by major darknet markets including AlphaBay in 2016 due to the additional privacy offered over Bitcoin.
Uses the memory-bound CryptoNote algorithm for proof-of-work.

Currency code: DASH
Another privacy-focused cryptocurrency offering two novel services:
PrivateSend: Similar to Bitcoin laundering services, this obscures transactions by mixing coins from multiple sources into single transactions.
InstantSend: Provides the ability to conduct and confirm transactions near instantaneously.
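The sidebar describes several of these currencies as "proof-of-work" based on a hash algorithm such as SHA-256. The following is an added illustration, not part of the original article and not any currency's actual code, of what that means: a miner must find a nonce such that the hash of the block header falls below a difficulty target, and anyone can verify that claim with a single hash. The header bytes are constructed, and the double-SHA-256 and 4-byte nonce layout are simplifications assumed here rather than taken from the page.

```python
import hashlib
from typing import Optional


def pow_hash(header: bytes, nonce: int) -> bytes:
    """Hash a block header together with a candidate nonce.

    Bitcoin hashes its header twice with SHA-256; the 4-byte little-endian
    nonce appended here is a simplification (assumption, not the real layout).
    """
    data = header + nonce.to_bytes(4, "little")
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """True if the digest, read as a 256-bit big-endian integer, has at
    least `difficulty_bits` leading zero bits, i.e. is below the target."""
    target = 1 << (256 - difficulty_bits)
    return int.from_bytes(digest, "big") < target


def find_nonce(header: bytes, difficulty_bits: int,
               max_tries: int = 1 << 24) -> Optional[int]:
    """Brute-force search for a nonce that satisfies the target.

    This is the expensive half of proof-of-work: on average about
    2**difficulty_bits hashes are needed, and there is no shortcut.
    """
    for nonce in range(max_tries):
        if meets_target(pow_hash(header, nonce), difficulty_bits):
            return nonce
    return None


def verify(header: bytes, nonce: int, difficulty_bits: int) -> bool:
    """The cheap half: one hash is enough to check a claimed solution,
    which is why every node on the network can audit every block."""
    return meets_target(pow_hash(header, nonce), difficulty_bits)


if __name__ == "__main__":
    # Constructed sample header; a real header carries the previous block
    # hash, Merkle root, timestamp and difficulty field.
    header = b"constructed-block-header-example"
    bits = 16  # ~65,000 expected attempts; real networks use far more
    nonce = find_nonce(header, bits)
    print("nonce:", nonce)
    print("digest:", pow_hash(header, nonce).hex())
    print("verified:", verify(header, nonce, bits))
```

Raising `difficulty_bits` by one doubles the expected search time while leaving verification cost unchanged; that asymmetry is the whole point of the scheme, and it is also why a transaction that pays a ransom cannot be quietly reversed once it is buried under later blocks.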

However, Packer points out that a recent consumer survey found more than one in three ransomware victims ultimately pay up, despite the fact that nearly half of the victims don't get their files back anyway.

Israel Barak, Cybereason's CISO, says the delay in bringing a business's systems back online after a ransomware attack is one reason to take a chance and pay up; however, this should not be done unless all other avenues of correcting the problem have been explored.

“The key factor should be the alternative ways to restore business operations. If the direct or indirect costs of other alternative ways are significantly higher than paying the ransom, it probably makes more sense to pay the ransom and better prepare for the next attack. In the vast majority of the ransomware cases where data files were encrypted, paying the ransom resulted in restoration of the lost data,” he says.

If the final decision is made to give in to the criminals' demand, the victim still may have one more card to play. Perhaps Hollywood can supply an answer. In the old Clint Eastwood movie Kelly's Heroes, Eastwood, Telly Savalas and their group of wayward soldiers are attempting to remove Nazi gold from a bank, one that is guarded by a massive Tiger tank that they cannot destroy or move.

Savalas as Big Joe asks the wheeler and dealer character Crapgame, played by Don Rickles, what to do.

Crapgame: Try making a DEAL!

Big Joe: What kind of DEAL?

Crapgame: A DEAL, deal! Maybe he's a Republican. You know, "Business is business."

“These criminals are in business to make money, they would rather make something than nothing, so if you do decide you must pay you should not be afraid to negotiate,” says cyber industry veteran John Johnson, adding that there is no set answer and each business must make its own decision; setting a policy of “never paying” is easy to do before there is a problem, but

An example of this happened just last month, in mid-February, when the Bingham County (Idaho) government found itself on the receiving end of a major ransomware attack. The attacker managed to lock up all 28 of the county's servers and demanded 28 Bitcoin, or a $33,000 payment, for the keys to release the data.

Twenty-five of the county's servers were properly backed up and were quickly up and running after some hard work put in by Bingham's third-party IT provider, according to the Idaho Statesman. Of the remaining three, two had corrupted back-up drives and the county had simply decided not to back up the third, citing expense.

As a result, the county swung a deal and only had to pay three Bitcoins, or around $3,500, to restore that data.

Not having a plan in place or any clue that there is such a thing as ransomware is bad enough, as NASCAR race team Circle-Sport Leavine Family Racing discovered last year when it was forced to pay $500 to have its crew chief's laptop containing all the team's race data released. This placed them in the unenviable position of having no other choice.

“If your business is not already enforcing a regular backup procedure (which we highly recommend) and the data that's been compromised is critical to business operations or records of the business (e.g., financial, health data, personal identifiable) with no recourse, then paying the ransom might be the only option,” Packer says.

Making a payment may not be the end of the trouble. Johnson points out that by paying the ransom, a business or organization has now labeled itself not only as vulnerable to a cyberattack, but as willing to pay.

“Once you pay, unless you truly shore up your security, you become a target for future attacks because they know you have paid in the past,” he says.

The next possibility for a victim to ponder is that the data kidnapper may take the ransom payment and release the data, but – unknown to the victim – the content has already been downloaded by the thief, who is already busy selling it on the Dark Web.

And the bad news keeps on coming.