But that’s kind of the point. You’re not a large hospital. You don’t have the responsibilities and huge costs a large hospital has. A hospital needs to be able to track, say, what its patients are allergic to, or they might die. They need to know which organ has the cancer, or they can’t operate (they’re not going to just open up and root around) and if they don’t know in time the operation is scrapped and the patient might die. They need to know which patient has insurance with which insurer, else they won’t get paid and the shareholders might die.
OK, so that last one is probably overly cynical (but still kinda correct, no?), but you get where I’m going with this. It’s all well and good to say “fuck you, go ahead, shoot the hostages! I ain’t negotiating with no terrist!” to the hostage taker out of “principle”. But that’s not exactly a clearly moral high ground, is it? Especially from the hostage’s POV. To them, you’re valuing your money over their life, and what kind of scumbag can you be to do that? What kind of principle is that?
It’s a perfectly valid suggestion. Yes, ideally, you should have some other way of dealing with it. But, the fact is, if you don’t have backups, and you need the data quickly, paying them off is sometimes the only strategy that works.
What you are doing is like telling people that they should never give criminals their wallets even if they have a gun to the back of their heads, as it would be helping them commit the crime. No, sometimes, the only viable solution is to aid the criminal.
The best solution is prevention. Run good ransomware detection software. Keep your other security up to date. Don’t allow running unauthorized programs on computers that have write access to particularly critical data. And keep offsite backups. It’s cheap: Backblaze will do $5 per month per computer (for personal users).
But, if you didn’t do all that, and you must have the data back, paying them off is a valid strategy. These places do in fact give you your code, as they need to for their business to work. Just like, if you give someone your wallet, they usually don’t shoot you.
I’m not sure what you are getting at here. The thing is, for most organizations who fall into this trap it’s a binary solution set. Either they pay or they don’t. If they pay, they MIGHT get their data back. If they don’t, they won’t. It’s as simple as that. If you have alternatives (offsite backup images that aren’t compromised) then you wouldn’t be entertaining even a discussion with the cyber criminals…you’d tell them to pound sand. If you don’t have those backup images, or if those are also encrypted, then you pay up if the data is important to you, or don’t if it’s not. There isn’t any ‘spend money to restore the data’ once it’s encrypted without the encryption key. If you don’t have that, you are fucked. End of story, unless the cyber criminals are using some easy to crack encryption system, which they generally aren’t.
It’s one of those things that you have to assess the cost to benefits in the real world. What’s the cost to your organization if you lose all that data? Is it feasible to rebuild the data from scratch? If the costs are high or it’s really not feasible to rebuild it from scratch then you look at what the extortionists are charging and weigh that against the fact you might get the key anyway. As most of these clowns are charging fairly modest amounts (especially compared to the millions, 10’s of millions or even 100’s of millions in potential loss if the data is not recoverable), most take the risk and pay the fairly modest amount. And most of these black hat types then send the code to unlock the data, since if they don’t then the next one to fall into their trap is unlikely to pay.
As to being a larger target in the future, presumably the folks running the organization aren’t complete idiots and will NOW take cyber security threats more seriously. You can mitigate this sort of thing from happening in the future. Hell, just phishing training for employees and, maybe an email filter system could mitigate a large percentage of hits. The more mitigation you want the more it will cost, but it’s kind of like fire insurance…you don’t need it until you need it, then you need it a lot.
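The prevention advice above (run ransomware detection, keep offsite backups) and the failure mode raised in the post just above it (backup images that turn out to be encrypted too) both come down to two checks a defender can automate: notice when files on a monitored share suddenly look like ciphertext, and verify a backup against a hash manifest taken at backup time so a silently damaged copy is caught before you need it. The script below is an added example written for this thread, not code from any poster, product or service mentioned here. The entropy threshold, the canary-file idea and the sample "patient record" text are all constructed assumptions; the simulated overwrite happens only inside a temporary directory created by the script itself.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Constructed sample content for the demo (placeholder text, not a real record).
SAMPLE_TEXT = b"Patient allergy list: penicillin, latex. Reviewed 2024-01-01.\n" * 64


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: about 8.0 for ciphertext or random data,
    roughly 4 to 5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data: bytes, threshold: float = 7.2) -> bool:
    """Heuristic: file-encrypting malware leaves near-uniform random bytes,
    plain documents do not. Compressed archives and media also score high,
    so a hit is an alert to triage, not proof (assumption: the monitored
    directories hold mostly plain documents)."""
    return shannon_entropy(data) >= threshold


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Hash every file at backup time; keep the manifest with the offsite copy,
    where the same malware cannot rewrite it."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root: Path, manifest: dict) -> list:
    """Return files that are missing or whose hash no longer matches the manifest.
    A backup that was encrypted along with the live data shows up here, which is
    exactly the case that leaves an organization with no restore option."""
    bad = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file() or sha256_file(p) != digest:
            bad.append(rel)
    return bad


def scan_for_encryption(root: Path) -> list:
    """Flag files whose content now looks like ciphertext. Pairing this with
    canary files (decoys no legitimate process should touch) keeps false
    positives low, since any change to a canary is suspicious by itself."""
    return [str(p.relative_to(root)) for p in sorted(root.rglob("*"))
            if p.is_file() and looks_encrypted(p.read_bytes())]


def demo() -> dict:
    """Take a manifest of a small 'live' directory, then simulate the damage
    ransomware does (overwrite each file with random bytes) inside a temp dir,
    and show that both checks catch it."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        live.mkdir()
        (live / "records.txt").write_bytes(SAMPLE_TEXT)
        (live / "canary.txt").write_bytes(b"DO NOT MODIFY - canary\n" * 32)
        manifest = build_manifest(live)
        before = scan_for_encryption(live)          # expected: nothing flagged
        # Constructed simulation of the attack's effect on files in the temp dir only.
        for p in live.iterdir():
            p.write_bytes(os.urandom(len(p.read_bytes())))
        after = scan_for_encryption(live)           # expected: both files flagged
        damaged = verify_backup(live, manifest)     # expected: both files fail
        return {"before": before, "after": after, "damaged": damaged}


if __name__ == "__main__":
    print(demo())
```

In practice the manifest check runs against the offsite or immutable copy on a schedule, so a backup that has quietly been overwritten is discovered weeks before anyone needs to restore from it; the entropy scan runs on the live file server and is most useful when it watches a handful of canary files that nothing legitimate ever writes to.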
IIRC, the CryptoLocker malware was created by and operated by professional members of the Russian Mafia. They were criminal scumbags but not idiots. They knew what they were doing and made sure their “customers” (victims) got what they paid for.
A copycat group came out after them and weren’t as professional or competent. They didn’t provide a valid recovery method after the ransom was paid because they didn’t care about long-term goals and I’m not sure they really knew what they were doing or could fix it afterward.
You don’t know who the person is who is extorting you. It’s a gamble. Like any business you need to evaluate the risk vs reward before making a decision.
Interesting recent book - https://www.amazon.com/Kidnap-Inside-Business-Anja-Shortland/dp/0198815476
It studies the hostage taking “business” in dangerous parts of the world and how the players have worked out the strategy and procedures to eliminate a lot of the risk to human life. You can even insure against ransom. It’s an example of a true free market working to solve a problem.
In many ways, the folks who hold your data for ransom are operating in the same sphere.
My recollection is that they actually had “customer service” hotlines you could call if you were having trouble restoring your files (after having paid up); technicians on the other end of the line would help you through the recovery process. They were in it for the money, and as you noted, they understood that they needed to maintain a solid public reputation of actually following through on their promise to make you whole again.
This. If someone is asking you for $1000 in return for restoring a lifetime of photos, emails, and other documents, well, you have a decision to make. And when it’s all over, make it a point to make more frequent backups of all of your files so you never have to make a decision like that again.
I think they should. If you give someone advice, you should give good advice, not the advice you would want them to follow even if it’s not in their best interest. If paying up is the best choice for them, they definitely should tell them to pay up.
“The survey, carried out by research and marketing firm CyberEdge Group…”
You’re going to trust a marketing firm called “CyberEdge Group?” Anyone who earnestly says “the Cyber” after the 1980s is clearly a stable genius.
Without question. Those that claim, ‘Crime doesn’t pay’ are either bad criminals or hopelessly stupid/optimistic.