Paying ransom is not an option. So what should agencies do instead?
- By Ilia Sotnikov
- Mar 24, 2020
Thirty percent of federal agencies have experienced a ransomware attack within the last three years, according to the 2019 study, “Ransomware Threats: Is your Agency Ready?” In one of the most disastrous attacks, a variant called RobinHood hit Baltimore in May 2019. Obeying the instructions of the FBI and law enforcement, the city refused to pay the ransom of $76,000 and ended up spending $10 million on data recovery and losing $8 million because services like bill payments and real estate transactions were shut down for two weeks.
What should agencies do? Pay up and hope for the best, or refuse and risk prolonged downtime and an expensive recovery? Fortunately, there’s a better option: Agencies can take action now that will help them avoid ever having to make this unpleasant choice.
Why not just pay the ransom?
The FBI offers three compelling reasons to never pay ransom. First, there is no guarantee the victim will actually get the decryption key once the money has been handed over. In fact, the FBI report cites multiples cases of organizations that paid the ransom but never received the promised decryption key.
Second, if agencies pay, there’s nothing to prevent hackers from attacking again and forcing them pay repeatedly, with each ransom demand being higher than the last. How much higher? Research from Coveware found that the average ransom payment increased more than 12-fold in 2019, from $12,762 in Q1 to $84,116 in Q4.
Third, by paying a ransom, agencies encourage the ransomware business model and put other governments at increased risk.
How can agencies avoid ransomware attacks?
There are two key ways agencies can minimize the chances they’ll have to consider paying a ransom: Reduce their vulnerabilities to avoid being infected in the first place and ensure they can recover quickly (without an encryption key) to minimize the damage.
The most important strategy for avoiding ransomware is to invest in education. Happily, the Netwrix 2020 IT Trends report reveals that the majority (59%) of government organizations see cybersecurity awareness among employees as their top priority for 2020. The government of Lake City, Fla., for example, plans to invest in training sessions to teach employees how to identify signs of ransomware and how to they should respond.
Of course, even the best training cannot guarantee that everyone will always follow security best practices, and even a single thoughtless click on a link in a phishing email can unleash ransomware across an agency’s environment. Moreover, some ransomware variants don’t rely on human action at all, so training is useless against them; for example, the Sodinokibi ransomware that hit 23 cities in Texas in 2019 exploited a critical flaw in Oracle WebLogic.
Therefore, every agency should assume it will suffer a ransomware infection at some point and develop and test a plan to respond swiftly to limit the damage. An effective plan requires fast detection, response and data recovery. Here are the four key steps:
- Inventory data and who has access to it. To minimize the risk of losing access to sensitive data, such as the personally identifiable information of citizens and employees, agencies must know exactly what types of data they store and secure it according to its value. Automated data classification will help deliver better awareness into what data exists, who has access to it and how sensitive it is so agencies can choose appropriate measures to protect their critical assets. In particular, since ransomware often relies on the access rights of the user account it has compromised, rigorously enforcing least-privilege principles will minimize the amount of data that can be encrypted in an attack.
- Improve anomaly detection and alerting. Agencies should monitor user behavior across all critical systems and data, both on premises and in the cloud, actively looking for abnormal activity that might indicate an attack in progress, such as any change to the list of restricted file extensions or a high number of file modifications. Even better, security teams can get alerts on suspicious activity, so they can respond to an attack before a substantial amount of data is compromised.
- Optimize data recovery. With detailed information on which files were modified or deleted during a ransomware attack, the IT team can restore that data promptly to minimize service disruptions. Agencies should also classify their data to support regular backups of sensitive and critical data and store those backups where ransomware cannot reach them.
- Develop and regularly test an incident response plan. Finally, agencies should document the steps for responding to signs of a ransomware attack, including who is responsible for what. Since the staff, the IT environment and the threat landscape are all constantly changing, they must test the plan regularly and update it as needed.
No organization wants to choose between paying a ransom or suffering serious damage from refusing to pay. Agencies instead can prevent as many ransomware infections as possible through user education and preparing for the ones that might get through. Confident in their ability to restore access to systems and data, agencies won’t ever need to consider paying a ransom.
Ilia Sotnikov is vice president of product management for Netwrix.