Ransomware has exploded over the past decade, extorting organizations into either paying up, or having their files locked up forever. So what should you do if you or your company fall victim to ransomware?
Unfortunately, the answer is complicated.
For those of you who aren't already aware, ransomware involves hackers gaining access to your files and then encrypting them without your permission. Once the hackers have done this, they will send you a threatening message along the lines of:
We have hacked into your system and locked up your files. If you ever want to access them again, send 5 bitcoins to 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. Once we have received the bitcoin, we will send you the encryption key so that you can unlock them. You have 24 hours to comply.
If you've been a good infosec practitioner, you should have backups of all your important files, so you can feel free to ignore the threat. Instead, you can spend your time kicking the hackers out of your systems, and then plugging up whatever security holes they used to make their way in.
But not everyone will be so fortunate. In some cases, the files may not have been backed up appropriately, or the hackers may have managed to encrypt the backups as well. If the hackers have locked up mission-critical files and you don't have any other options, should you pay them?
The answer is complicated for two main reasons. The first is that even if you do pay, the hackers may never send you the key. You could end up sending them a significant amount of money and still not have access to the files—not a fun situation to be in.
The second reason is that paying up only incentivizes the hackers further. The more people pay, the more lucrative ransomware attacks become, which means that hackers will be even further incentivized to launch these attacks.
If you do pay up, you are making the plague of ransomware even worse for all of us. If everyone suddenly stopped paying up, ransomware attacks would disappear and we could all live happily ever after.
So, what should you do?
If you're reading this before you fall victim, your first priority should be to make sure that you never get into this mess in the first place. Backup! Backup! Backup! Your exact strategy will depend on your business and the nature of your files, but you probably want at least two backups of all mission-critical files, in addition to the original copies. At least one of these should be offsite, and if possible, you should also regularly make offline backups to ensure that hackers can't get to them. With the right backup system, you should be resistant to ransomware attacks.
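A backup only helps if you know it is still intact before you need it, and the paragraph above notes that attackers sometimes encrypt the backups too. The following is an added example (not from the original post) of the kind of check a practitioner would run against an offline or offsite copy: a manifest of SHA-256 hashes is recorded when the backup is taken and kept apart from the data; later verification flags files that are missing, altered, or altered into near-random content consistent with encryption. All file names and contents are constructed sample data, and the 7.5 bits-per-byte entropy threshold is an assumed heuristic.

```python
import hashlib
import math
from collections import Counter

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plaintext documents sit well below 7.5, ciphertext near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(files: dict) -> dict:
    """Record a SHA-256 per file when the backup is taken; store this manifest offline."""
    return {name: sha256(content) for name, content in files.items()}

def verify_backup(manifest: dict, backup: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare a backup set against its manifest and classify each file."""
    report = {}
    for name, expected in manifest.items():
        if name not in backup:
            report[name] = "missing"
        elif sha256(backup[name]) == expected:
            report[name] = "ok"
        elif shannon_entropy(backup[name]) >= entropy_threshold:
            # Hash mismatch plus near-random content: consistent with encryption.
            # (Compressed archives are also high-entropy; the hash mismatch is the primary signal.)
            report[name] = "modified-high-entropy"
        else:
            report[name] = "modified"
    for name in backup.keys() - manifest.keys():
        report[name] = "unexpected"  # files the backup never contained
    return report

# Constructed sample data: the files as they were when the backup was taken ...
ORIGINAL = {
    "ledger.csv": b"date,amount\n2023-01-01,100\n" * 20,
    "notes.txt": b"Meeting notes: review backup rotation.\n" * 10,
    "config.ini": b"[storage]\noffsite=true\noffline=weekly\n",
}
# ... and the same set after a simulated attack on the backup share: ledger.csv
# overwritten with pseudo-random bytes, config.ini deleted, an unknown file added.
DAMAGED = {
    "ledger.csv": b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64)),
    "notes.txt": ORIGINAL["notes.txt"],
    "dropped_file.txt": b"unexpected content\n",
}

def demo_report() -> dict:
    return verify_backup(build_manifest(ORIGINAL), DAMAGED)
```

Run `demo_report()` to see each file classified; in practice the manifest would be generated at backup time and kept with the offline copy so an attacker who reaches the backup share cannot rewrite it.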
If you find yourself in a situation where all of your copies have been locked up, you may be tempted to give in to the hackers. If the files can't be easily replaced and they are mission critical, you may feel like you have no other option than to at least try paying and hope that they send you the key to the files. You never know, you may just get lucky.
There is quite a strong incentive for the hackers to unlock your files. If it became known that the hackers never unlock files even when paid, then no victim would ever pay the ransom. In a sense, there is a code within the ransomware community that the hackers must unlock the files if paid. If certain groups or individual hackers don't unlock the files, they can be ostracized from the ransomware community.
But remember, if you do pay, you will be reinforcing the incentives of the hackers and making the situation worse for everyone. It’s not a great situation to be in, but if paying up is your only option, it is understandable.