Ransomware is nothing new, although it remains a popular cyber attack that continues to deliver devastating results, according to cybersecurity experts who spoke at SecTor 2019 this week in Toronto.
Most commonly delivered through phishing email scams, ransomware is a type of malware that encrypts a victim’s files. Upon encryption, the victim is presented with a set of instructions to transfer monetary funds to the hacker so that they can recover their files via a decryption key.
According to Wilfred Farias, a cyber-risk manager with Deloitte, the average ransom payment is CAD$50,000, which 40 per cent of Canadian companies have opted to pay.
Even that pales in comparison to what it could cost you to get back to where you were before the attack. Adding up all the behind-the-scenes costs, such as legal help, public relations, cybersecurity improvements and loss of data, the true cost comes to about $713,000, said Farias. Even when ransoms are paid, he said, only about 80 per cent of data is recovered.
But financial damage is just one of the consequences.
According to Farias, the average downtime for an organization following a ransomware attack is 10 days.
Farias spoke at SecTor 2019 in Toronto this week about ransomware. His tips to protect the business and its data from ransomware boiled down to three key strategies: preparation, being open to asking for help, and being ready to pay up.
Practise fundamentals in preparation
As with much of business – and much of life in general – success often boils down to preparation. And dealing with a ransomware attack is no different.
While Benjamin Franklin died long before the threat of ransomware was even conceived of, his words still ring true: “By failing to prepare, you prepare to fail.”
Or as Farias put it, “it is not just the reactive stuff, it is also the proactive work” that can be the difference between total disaster and saving the day.
That proactive work mostly requires a few basic steps, such as ensuring the latest patches and software updates are installed.
“What we’re referring to is essentially having security hygiene. It’s been said in this conference and many white papers out there… you have to protect yourself,” said Farias. “Just make sure you have a plan… that actually allows you to not expose yourself.”
But while there is plenty that can be done to prepare, like ensuring proper backups exist and that someone is keeping an eye out for malicious activity, at a certain point no more can be done. Once you are the target of a ransomware attack, you really only have two options: pay up or prepare for war.
Get outside help
While many companies employ their own internal IT teams, the chances that their team has enough manpower or the needed skills to properly handle a ransomware attack are low.
Farias referenced one situation involving a major transportation company that he was brought in to help with. It required 50 full-time workers around the clock to bring the situation to a positive ending.
And how many companies have that sort of IT manpower at their disposal? Not many.
Even if you have taken all the right steps to prepare for a ransomware attack, and have all your ducks in a row to start tackling the problem, outside help is likely still a necessity.
“When this hits, unless you have a security team or a dedicated Incident Response Team in-house, you’re going to need help,” said Farias. “Very often your IT folks will never have dealt with ransomware. They don’t really know where they’re going.”
Let’s say you simply do not have the wiggle room to have your company without its data for an extended period of time. You cannot even afford to lose the time it would take a dedicated disaster recovery team to do their thing. What do you do?
Let’s say you did not take proper preparation steps like updating software, patching your system, and maintaining proper backups. What do you do?
Although this may sound a little crazy and counterproductive – as it is exactly what the attacker wants – Farias does actually recommend paying the ransom in these types of scenarios.
“A lot of the time we’re seeing that organizations just want to restore as soon as possible, as quick as possible,” said Farias. “If you’re not prepared, if you’re not actively trying to detect malicious activity within your environment, it looks like you may have to end up paying.”