Ransomware is not the newest form of cyberattack, although its popularity remains relatively high and the results remain quite devastating, according to cybersecurity experts who spoke at SecTor 2019 this week in Toronto.
So, by now, you likely know what ransomware is all about. But just to be sure, let’s run over a quick explanation.
Ransomware is a type of malware whose purpose is to encrypt the victim’s files. Upon encryption, the victim is presented with a set of instructions to transfer monetary funds to the hacker so that they can recover their files via a decryption key. These types of attacks are most commonly administered via phishing email scams.
And just how devastating can these types of attacks be? Extremely. In terms of money, time, and even, reputation.
Let’s start with the money.
According to Wilfred Farias, a cyber-risk manager with Deloitte, the average ransom payment is $50,000 CAD, which 40 per cent of Canadian companies have opted to pay.
Even that pales in comparison to what it could cost you to get back to where you were before the attack. When adding up all the behind the scenes costs like legal help, public relations, cybersecurity improvements, and loss of data (as even when ransoms are paid, Farias said only about 80 per cent of data is recovered), the true cost adds up to about $713,000, said Farias.
So how about time lost?
According to Farias, the average downtime for an organization following the enactment of a ransomware attack is 10 days.
Now that we know what ransomware is and how dangerous it can be, what can you do to prepare yourself for a ransomware attack and what steps can you take once an attack is launched?
Farias spoke at SecTor 2019 in Toronto this week about this topic and his pointers boiled down to three key strategies: preparation, being open to asking for help, and being ready to pay up.
Practice fundamentals in preparation
As with much of business – and much of life in general – success often boils down to preparation. And dealing with a ransomware attack is no different.
While Benjamin Franklin died long before the threat of ransomware was even conceived of, his words still ring true: “By failing to prepare, you prepare to fail.”
Or as Farias put it, “it is not just the reactive stuff, it is also the proactive work” that can be the difference between total disaster and saving the day.
And much of what that involves when it comes to cybersecurity is just practicing the basics, such as simple talks like ensuring you are keeping up to date on patches and software updates, said Farias.
“What we’re referring to is essentially having security hygiene. It’s been said in this conference and many white papers out there… you have to protect yourself,” said Farias. “Just make sure you have a plan… that actually allows you to not expose yourself.”
But while there is plenty that can be done to prepare, like ensuring proper backups exist and that someone is keeping an eye out for malicious activity, at a certain point no more can be done. But once you are the target of a ransomware attack, you really only have two options: pay up or prepare for war.
Get Outside Help
While many companies employ their own internal IT teams, the chances that their team has enough manpower or the needed skills to properly handle a ransomware attack is likely low.
Farias referenced one situation involving a major transportation company that he was brought in to help with. It required 50 full-time workers around the clock to bring the situation to a positive ending.
And how many companies have that sort of IT manpower at their disposal? Not many.
Even if you have taken all the right steps to prepare for a ransomware attack, and have all your ducks in a row to start tackling the problem, outside help is likely still a necessity.
“When this hits, unless you have a security team or a dedicated Incident Response Team and house, you’re going to need help,” said Farias. “Very often your IT folks will never have dealt with ransomware. They don’t really know where they’re going.”
Let’s say you simply do not have the wiggle room to have your company without its data for an extended period of time. You cannot even afford to lose the time it would take a dedicated disaster recovery team to do their thing. What do you do?
Let’s say you did not take proper preparation steps like updating software, patching your system, and maintaining proper backups. What do you do?
Although this may sound a little crazy and counterproductive – as it is exactly what the attacker wants – Farias does actually recommend paying the ransom in these types of scenarios.
“A lot of the time we’re seeing that organizations just want to restore as soon as possible, as quick as possible,” said Farias. “If you’re not prepared, if you’re not actively trying to detect malicious activity within your environment, it looks like you may have to be end up paying.”