Ransomware: to pay or not to pay
-
One of our threat researchers wrote a blog about the FBI's recent recommendation to pay the ransom:
http://www.webroot.com/blog/2015/10/28/fbi-says-just-pay-ransom/Your thoughts? How much money would they have to charge for you to not pay them if you didn't have a backup?
-
That's a pretty simple answer.
As much as it takes to get back to a running state. You're basically asking us "Do you pay the ransom or go out of business?"
-
Can't you just get a fresh copy of your data from the NSA?
-
I'd kind of correlate this to this family guy joke.
-
Does not compute - have backups of all my garbage.
-
Paying is terrible advice in nearly every case. I spoke with the local Spice Corps leader last month about this very topic... his stance was that in 3 different cases where a company had paid the ransom, the number of highly targeted spearphishing attacks went through the roof because that company is now marked with a big, red bullseye that says "WE ARE SUCKERS< WE CLICK EVERYTHING AND WE PAY THE RANSOM!"
Paying the ransom makes you a repeat target.... lists of companies that pay are probably easy to find on the dark webz...
Not to mention the fact that paying helps the proliferation of cryptoware.
-
@RojoLoco the point is that if you do not have a backup paying is the most cost effective means of recovering your business.
Paying will have other consequences as you have pointed out. But that does not detract form the fact that paying could very much be a more cost effective way of recovering.
Assuming that someone paid, and changed nothing in their process to then prevent a recurrence, I would not feel sorry for that business if they fall victim to some other phishing attempts.
-
@JaredBusch said:
@RojoLoco the point is that if you do not have a backup paying is the most cost effective means of recovering your business.
I'm sorely tempted to say something about "survival of the fittest" - let them go away. A very poor business IT intelligence / fitness test? It seems so cruel but this is pretty basic stuff.
Grandma's computer? Different story.
-
@RojoLoco said:
Paying is terrible advice in nearly every case. I spoke with the local Spice Corps leader last month about this very topic... his stance was that in 3 different cases where a company had paid the ransom, the number of highly targeted spearphishing attacks went through the roof because that company is now marked with a big, red bullseye that says "WE ARE SUCKERS< WE CLICK EVERYTHING AND WE PAY THE RANSOM!"
Paying the ransom makes you a repeat target.... lists of companies that pay are probably easy to find on the dark webz...
Not to mention the fact that paying helps the proliferation of cryptoware.
That is a good point and not one I've seen brought up a lot. If you don't take steps to stop it happening again then you're just going to get bled dry.
-
@DustinB3403 said:
That's a pretty simple answer.
As much as it takes to get back to a running state. You're basically asking us "Do you pay the ransom or go out of business?"
Yes but how much would you pay versus going out of business? 50% of your net profit? 99% of it?
-
As much as it takes.
Going out of business isn't an option for a business, since businesses do what they must to make money.
That could easily be 10 Million.
-
@JaredBusch said:
@RojoLoco the point is that if you do not have a backup paying is the most cost effective means of recovering your business.
Paying will have other consequences as you have pointed out. But that does not detract form the fact that paying could very much be a more cost effective way of recovering.
Maybe, maybe not. We have discussed it internally, and even if we lost everything (data) we would never pay because management and the dev team would just redo all that proprietary code, and we would be back online in a few weeks, morals and principles intact. We have backups, maybe not the best and most current of everything, but the most important parts exist in triplicate in various offsite locations. I have no sympathy for a company with no backups... they likely laid off their IT person or staff, then outsourced it (at a minimal level), or just said "we don't need no stinking backups!".
-
@DustinB3403 said:
That's a pretty simple answer.
As much as it takes to get back to a running state. You're basically asking us "Do you pay the ransom or go out of business?"
Not really. 1) It doesn't necessarily mean going out of business and 2) it might be cheaper to go out of business than to pay.
-
@RojoLoco said:
Paying is terrible advice in nearly every case. I spoke with the local Spice Corps leader last month about this very topic... his stance was that in 3 different cases where a company had paid the ransom, the number of highly targeted spearphishing attacks went through the roof because that company is now marked with a big, red bullseye that says "WE ARE SUCKERS< WE CLICK EVERYTHING AND WE PAY THE RANSOM!"
Paying the ransom makes you a repeat target.... lists of companies that pay are probably easy to find on the dark webz...
Not to mention the fact that paying helps the proliferation of cryptoware.
Being hit and not having backups makes you a target too, I'm sure.
-
@DustinB3403 said:
Going out of business isn't an option for a business, since businesses do what they must to make money.
Going out of business is always an option. A very, very real one.
-
@scottalanmiller that's the point though.
Paying the ransom is definitely going to hurt, but not paying could put you out of business which would hurt more.
You'd literally lose your form of income.
Depending on the business size you could say "10M is the cost of business because our pencil-heads figured it's cheaper to risk it"
-
@DustinB3403 said:
@scottalanmiller that's the point though.
Paying the ransom is definitely going to hurt, but not paying could put you out of business which would hurt more.
Nope, the idea that going out of business would always hurt more is what is wrong. In many cases, going out of business is the far less painful options.
Many businesses just close all the time voluntarily. If going out of business was never an option, that would never happen.
-
@DustinB3403 said:
You'd literally lose your form of income.
That's less painful than going into more debt than your income could cover!
This "business at any cost" mentality is the same one that causes people to go to college against all logic. "College at any cost", even more than the value of the degree is what is going on today in America. In both cases, there is a number value to put on college or the ransom, you just have to determine what it is.
-
@scottalanmiller a profitable business never "wants" to go out of business.
That's like saying you want to cut off your left arm because you're tired of the occasional itch that it has.
-
@DustinB3403 said:
Depending on the business size you could say "10M is the cost of business because our pencil-heads figured it's cheaper to risk it"
Don't trivialize the people who understand the value of the business. Acting emotionally is what ransomware makers count on. Use math, not emotions, to determine the value of your business.
