Ransomware: What’s Behind the Surge and What to Do About It

Pay up or lose it all. That’s the message from cybercriminals after a ransomware attack, a growing scourge that threatens the finances and reputations of companies everywhere.

Ransomware infects a company’s systems — both informational and operational — and encrypts all data. The attacker may even threaten to go public with private information, doubling the threat. By paying the ransom, companies theoretically receive a key to unlock their information.

Ransomware has been around for decades, but the rise of cryptocurrency and growing automation are making the scheme an increasingly viable way for cybercriminals to make a fortune. Afflicted companies face tough decisions in compressed timeframes.

“Not paying may mean the end of your business,” warns Michael Tanji, director of cybersecurity for MxD, the National Center for Cybersecurity in Manufacturing as designated by the Department of Defense. “Sometimes ransomware math is easier than you think, even if it’s distasteful.”

But of course, it’s better to prevent an attack than respond to one. Tanji offered insight into the current ransomware environment:

Q: Why is the risk growing?

MT: The more that companies become automated and digitized, the more targets there are to exploit. It’s natural for companies to look for functionality and efficiency, but security might be put on the back burner. The traditional approaches to combating ransomware — law enforcement and our tendency to bolt on security capabilities after technology is deployed — just cannot operate at the same speed and scale.

Q: Some believe it is simpler to pay if you get hit by a ransomware attack. True?

MT: That depends on who your attacker is. As odd as this sounds, there are “reputable” ransomware actors. They don’t just make it easy to pay, they help make sure you can recover your data. They do this because they’re playing a long game. Word will get out if you don’t give people what they pay for, and your career as a ransomware kingpin is over before it begins. Better to be an honest criminal because that’s where the money is.

Q: Can insurance offer protection?

MT: Insurance may cover the costs of responding to and recovering from a ransomware incident, but if you cannot decrypt your files and don’t have backups, you’re still missing data you need to run your company. You can attempt to recover encrypted data through technical means, but a well-implemented encryption scheme is essentially impossible to break in any meaningful timeframe (or within any company’s budget). Insurance providers are also going to require certain steps to qualify for coverage, like having security policies and defensive technologies in place. In that sense, insurance is leveling up your cybersecurity posture in general, but it’s not a specific defense against ransomware per se.

Tanji offers these tips to manufacturers looking to boost their cybersecurity:

Before an attack

  • Two-factor authentication: Ransomware attacks carried out through compromised user accounts can be stifled if two-factor authentication is implemented.
  • Regular backups: Daily backups should be the norm. Store copies of those backups off-line. Confirm that backups are working and that your recovery protocols are effective by restoring systems from backup.
  • Test incident response plans: Incident response plans should cover what to do in the event of a ransomware attack. The more you practice, the faster and easier (and less costly) your response will be when things go sideways.

After an attack

  • Do-it-yourself: There are resources available to help you decrypt data yourself if you have the technical acumen and the type of ransomware allows it. Resources like No More Ransom, a joint project of law enforcement and IT companies, offer some tools.
  • Negotiation: A professional ransomware negotiator may help reduce the ransom amount you have to pay if you decide that’s the course you want to pursue.

MxD has resources to help manufacturers stay vigilant. Recommendations for combating ransomware and other threats can be found at MxD’s Cyber Resource Hub.