
Ransomware – to pay or not to pay


Ransomware – a type of malware which threatens to publish the victim’s data online or prevents the user from accessing their files unless a ransom is paid. It most commonly relies on file encryption to achieve its goals.

Ransomware – a threat to companies

Ransomware is a lucrative business. Once the malware is written, a single piece of software can roam around the Internet and generate a surprising amount of revenue. If it behaves like a virus – that is, it spreads automatically – it’s comparable to winning a jackpot almost every day, albeit of varying size. Sometimes it’s $100. Other times it can be hundreds of thousands.

In the meantime, all the authors have to do is check their BitCoin wallets for the newest deposits of the virtual currency and hold up their end of the deal, which is sending the victim the key (password) to decrypt the data. As long as the hackers scrupulously do their job, the business continues: all transactions are made in virtual currency and communication with the victim can be routed through BitTorrent, providing a great deal of anonymity. It’s almost bulletproof, and makers of ransomware rarely get caught.

Given this modus operandi, it’s no wonder that the amount of ransomware on the Internet grows year after year. Moreover, the number of companies which paid the ransom is also on the rise. According to the CyberEdge 2020 Cyberthreat Defense Report, in 2019, 62% of the companies studied experienced a ransomware-related problem. This number is up from 2018, when it was 56%, and from 2017, when it was 55%. Similarly, more companies are paying up: in 2017, only 39% paid the ransom, in 2018 – 45% and in 2019 – 58%. In other words, the ransomware business is growing.

The inner workings

In order to answer the main question of this article – whether it’s worth paying the ransom – it’s important to first examine how ransomware spreads and works.

Most often, ransomware enters the business environment as a result of human error. In a typical situation, a user receives an e-mail or visits a website which prompts them to save or open a file. This file is commonly disguised as a PDF, Microsoft Office or any other type of document which may appear legitimate at first sight.

Once the user opens the file, the ransomware begins to work in the background, without any visible feedback to the user. The goal of the program is to work silently, spread across the network and encrypt as much data as possible before anyone finds out.

Wreaking havoc

Encrypting large files or entire disks can be a resource-intensive task. This is why ransomware oftentimes cuts corners on encryption by encrypting only a portion of a file and moving on to the next one (from a technical point of view, even a file that is only 10% encrypted is no longer usable).

Once the malware has reached its data-destroying goal, it moves on to the next step – extortion. Just like in Hollywood movies, a window pops up informing the user that their computer has been seized and there’s nothing that can be done other than paying the ransom. In order to “motivate” the user to comply, ransomware authors oftentimes employ various psychological tricks, such as displaying a count-down timer. This timer warns the user that with every hour the ransom amount increases, or threatens to delete the key – which is the only way to recover the data – if the user does not pay up in time.

The amount of the ransom, as well as the BitCoin address to which the virtual currency is to be deposited, will be clearly displayed. However, the amounts are not always the same and can vary drastically from computer to computer.

Ransomware evaluates the environment in which it got installed and picks a sum it deems appropriate for the data. For example, if the ransomware finds out that it has infected a Windows Server machine, prices are bound to go up. After all, it’s safe to assume that this is most likely a business machine. On the other hand, if it recognizes Windows 10 Home or a virtual environment, chances are that the ransom amount will be lower, as this may be a personal computer or a testing VM without any significant data.

Three options

Let’s assume the worst-case scenario: ransomware got installed and it encrypted the hard drive. In essence, there are three choices:

1. Pay the ransom and get the key

Can anyone trust the hackers who just destroyed their computer? Surprisingly, the answer can be “yes”. The whole point of creating ransomware is revenue generation. Just like any other business, hackers cannot afford bad PR, as it would destroy their business. This is precisely why they tend to be diligent in sending out keys and making sure that those who pay get their data back. In certain publicity stunts, hackers have even organized “amnesty days”, when those who did not pay the ransom because of financial difficulties received their keys for free.

Moreover, paying the ransom can sometimes be the cheapest option. The city of Baltimore provides a good example of underestimating the consequences of a ransomware attack: in 2019 it refused to pay $76,000 in exchange for its data. What ensued was total chaos in IT operations: financial transactions could not be processed, entire departments stopped and, for a brief time, the city had to revert to paper for its day-to-day business. In the end, estimated costs reached more than $18 million.

2. Decrypt the data on your own

Since most ransomware works exactly like a virus – that is, it spreads around the Internet trying to infect every computer it can – chances are that someone else has experienced the same type of ransomware as well. These companies, when faced with exorbitant fees to get their data back, may have invested in reverse-engineering a solution of their own.

As such, the Internet is littered with software which attempts to decrypt the data. Some of these solutions are published for free out of spite, others are paid products from reputable companies. However, if one wishes to try this option, there are several things to keep in mind.

First and most importantly, time. Ransomware will do anything it can to make the victim pay, and that includes dissuading the user from decrypting the data on their own. The ransom amount oftentimes rises as time goes by. Moreover, ransomware may delete the key (the lifeline) if payment is not received on time.

Secondly, before attempting to do anything with the data, it’s important to cut the computer off from any means of communication with the rest of the network. Even with the data decrypted, the malware may lie dormant inside the computer and look for an opportunity to strike again.

Last but not least, this is a trial-and-error method. With ransomware production on the rise, one can count oneself lucky if an online solution works out of the box. Chances are that several pieces of software will have to be evaluated before anything gets successfully decrypted, if at all. In the meantime, the passage of time does not work in the victim’s favor.

3. Do not pay the ransom

…and forget about the data. 

Although this may at first seem like the worst option, it’s not as bad as one would expect. If proper backup solutions are employed, data is stored in a cloud environment or snapshots are used, ransomware is not much more than an annoyance that causes a delay.

For example, a snapshot recovery to a previous working state of a server can take from minutes to a few hours. If data is stored on cloud services (SaaS), it’s most likely unaffected. If cloud storage is used, a deep scan of the files might take some time, but it should not exceed a few hours. A good backup solution, if previously tested, can have the business up and running again within a day or two. Of course, this can mean a temporary loss of productivity or a data setback; however, if backups are done on a daily basis, at most a day’s work of the company would be lost.
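The partial-encryption trick described under “Wreaking havoc” and the file scan mentioned above both come down to one question: does a file’s header still look like the format its name claims? The following added example (not from the original article) is a small defender-side checker for that, assuming a constructed magic-number table and an entropy threshold of 7.5 bits per byte; the `demo()` samples are constructed as well.

```python
import math
import os

# Added example, not from the article: flag files whose first bytes look
# encrypted, the way a defender might check a share or a restored backup.
# The magic-number table and thresholds are constructed assumptions.
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",
    ".png": b"\x89PNG\r\n\x1a\n",
}
HEADER_BYTES = 4096       # a pass that stops at 10% of the file still hits the header
ENTROPY_THRESHOLD = 7.5   # bits per byte; text and CSV sit far below this


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify_header(name: str, head: bytes) -> dict:
    """Judge a file by its leading bytes, the part a partial encryption pass hits.
    Formats with a known magic are judged by the magic alone: .docx and .png are
    compressed, so their entropy is legitimately high. Others use the entropy test."""
    magic = MAGIC.get(os.path.splitext(name)[1].lower())
    entropy = shannon_entropy(head[:HEADER_BYTES])
    if magic is not None:
        suspicious = not head.startswith(magic)
    else:
        suspicious = entropy > ENTROPY_THRESHOLD
    return {"name": name, "entropy": round(entropy, 2), "suspicious": suspicious}


def demo() -> dict:
    """Constructed samples: an intact PDF, a PDF and a CSV whose headers were
    overwritten with uniform (ciphertext-like) bytes, and an intact CSV."""
    intact_pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >>\nendobj\n" * 40
    ciphertext = bytes(range(256)) * 16      # uniform bytes, entropy exactly 8.0
    csv_text = b"date,amount,account\n2020-08-19,100.00,ops\n" * 80
    return {
        "intact.pdf": classify_header("intact.pdf", intact_pdf)["suspicious"],
        "hit.pdf": classify_header("hit.pdf", ciphertext)["suspicious"],
        "ledger.csv": classify_header("ledger.csv", csv_text)["suspicious"],
        "hit.csv": classify_header("hit.csv", ciphertext)["suspicious"],
    }
```

Run `classify_header(path, open(path, "rb").read(HEADER_BYTES))` over a restored backup tree before declaring it clean; a flagged file with an intact magic but an unknown extension still deserves a manual look.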

Takeaway

The prevalence of ransomware underlines the need for C-level executives to take cybersecurity matters into their own hands, rather than outsource the job to the IT department. 

Ransomware enters business environments not due to the failure of defensive measures, but rather as a result of human error. Many employees are not aware of good data security practices and receive little to no cybersecurity training. In the meantime, all it takes is one employee to infect an entire company.

Ransomware also wreaks the most havoc in environments where IT departments are either underfunded or understaffed. In these situations, CTOs and CIOs tend to focus on keeping current operations up and running rather than preparing for a variety of security-related scenarios. In a bid to save time and money, backup processes are automated but rarely checked or verified.

Given the fact that ransomware production is a lucrative business, it’s expected that the number of ransomware attacks will continue to increase in the future. However, there is hope. Similarly to social engineering attacks, ransomware works through the element of surprise, and there is no reason to be unprepared. A properly managed IT department, regular audits and a company-wide culture of personal responsibility for data security are the best line of defense.



19.08.2020