CBS News recently did an interesting piece on ransomware, and the various reasons that businesses may choose to pay the ransom.
These ransom payments can range from a few thousands – Lees, Alabama negotiated their attacker down from $50,000 to $8,000 – to half a million dollars or more.
On the flip side of the coin, Atlanta, GA decided not to pay a ransom demand of approximately $50,000 – instead spending upwards of $17 million to recover from the attack.
Insurance as impetus for ransomeware payment?
ProPublica recently published a missive on the Extortion Economy – detailing how insurance companies could be seen as viewing ransom payments as more fiscally responsible than recovering from an attack in a more organic fashion. Lake City, FL is one of the affected entities that is discussed in the piece. One quote from the article that caught my eye:
“Our insurance company made [the decision] for us,” city spokesman Michael Lee, a sergeant in the Lake City Police Department, said. “At the end of the day, it really boils down to a business decision on the insurance side of things: them looking at how much is it going to cost to fix it ourselves and how much is it going to cost to pay the ransom.”
Enhancing the profitability of cybercrime?
In Lake City’s case, payment of the $460k ransom was well below their $1 million cyber insurance limit – whereas a manual recovery could greatly exceed that limit. Lees, AL negotiated the ransom downward, as we mentioned above. Are municipalities – and their insurers – creating an impetus for attackers to keep their ransom affordable? Several small payouts from smaller entities could equal one large payout in a short period of time.
As I researched this issue, and the how’s and why’s…one thing became clear – there is a strong sense of competing priorities. The insurance company’s impetus is to get the business up and running as quickly as possible – and minimize their financial outlay. Their view on the situation involves the short term only. This can, many times, make ransom payment a valid business decision.
The business also wants to get up and running as quickly as possible, prevent impact to the clients, people, or companies that they service, and prevent a repeat occurrence. If security is at the forefront, remediation and prevention will be the priorities…which is a longer term view. In a case like Atlanta’s, the long view towards recovery can have a significant financial impact.
Avoid creating a cyber economy of ransom payments?
So, how do we prevent this? At the end of the day, prevention will have a financial and operational cost. However, both of those costs are likely to be lower than the cost of recovery – whether the ransom is paid or not.
What does prevention look like?
- Guard your assets. Know what the key data, process, or driving force for your business is, then focus your resources on protecting that first.
- Segment, segment, segment. Do not leave your network so flat that ANY point of entry will give an attacker carte blanche to continue anywhere they would like to go. (Consider MachineTruthtm as a way to devise your segmentation scheme.)
- Perform regular backups. TEST those backups regularly – delete and restore control data. Make sure you can recover data in a timely fashion – don’t wait to test until you’re recovering from an attack!
- Protect your backups. We’ve seen many companies who do backups – and store them on a flat network, where they also fall prey to the ransomware attack. Backups that are encrypted by an attacker have no value at all.
- Perform regular phishing tests against your users. There’s a great deal of benefit to leaning more towards carrot than stick here – reward those who report, rather than punishing those who fail. Consider these as opportunities for improvement.