As ransomware infections continue, conventional wisdom on how to respond to threats is going out the window.
The idea of agreeing to an extortionist's demand, and paying a ransom to restore your company's scrambled data, long considered a non-starter, is something businesses should mull over as a viable option, according to analyst house Forrester Research.
Josh Zelonis, a senior analyst specializing in security and risk for Forrester, argued this month that while organizations shouldn't just cave in immediately to every demand made, they should at least look into whether agreeing to a criminal's terms may be a better option than a costly wipe and recovery process.
The analyst is not alone, either. Other security professionals agree that, in certain cases, it may be better to negotiate than hold out and face a catastrophic outage and recovery. It may be wise to factor in paying up as a final recovery option, after other mainstream defenses – regular offline backups and security patching, intrusion prevention, and so on – fail.
It shouldn't be the first option to reach for, and you should focus on prevention rather than reactive cleanup, yet the option shouldn't be entirely discarded, especially as you prepare to sign off on spending seven figures or more on restoring operations.
The case against bankrolling criminals
When it comes to malware, the advice handed down by government agencies and information security firms alike has been to never pay ransom demands. The FBI's ransomware guidance (PDF) encourages anyone hit with ransomware to contact law enforcement, and tells both home PC owners and enterprises alike not to pay any extortion demands.
Rather, companies are advised to build and maintain regular backups of their data, stored offline separate from networks, and be prepared to wipe and restore any systems that get hit with the file-encrypting extortionware.
The reasoning is not hard to understand. Paying off a ransom only encourages criminals to continue their actions. When a hacker hits pay dirt from a successful ransomware infection, they are almost certain to try the same tactic again, possibly on the same target. By caving in to a ransomware demand, you only strengthen the criminals and put others at risk.
There is another basic truth at work: criminals are not trustworthy people. When you pay a ransomware demand, there is no guarantee the crooks will actually give you a valid unlock code (and in some cases the malware operators don't even know how to decrypt the files their code scrambles, or care at all whether it works).
Steve Piper, CEO with CyberEdge Group, told The Register that his outfit's most recent threat report found only about 60 per cent of companies that pay ransomware demands actually get their data back in the end.
"Even if you pay the ransom there is a two in five chance you are not getting the data back anyway," he explained.
When it comes down to it, the best defense against ransomware is to not get infected in the first place. Barring that, companies should have strong backup and recovery plans. It seems simple enough.
It's not always so simple, however
While the statistics and tough talk about not negotiating with crooks are all well and good, things are a bit different when it's your organization's data that is on the line after you've been solidly defeated. Large companies such as shipping titan Maersk and the US city of Baltimore have incurred massive multi-million-dollar cleanup bills after they resolved not to agree to any ransom demands, and repaired their installations virtually from scratch.
Even if a company is meticulous about backing up its data, the actual recovery process is far easier said than done, particularly when you have to do it for hundreds or thousands of PCs and terminals, and dozens of servers or cabinets of servers.
"A majority of organizations, even those that have backups, don't test their ability to recover," Forrester's Zelonis told El Reg, "and those that do don't test their ability to recover at scale."
This is where Zelonis wants companies to have the tough conversation: should pride and ego take precedence over the financial health of the organization and its ability to function? Baltimore, for example, has seen vital services such as the police force affected by its ransomware infection, and Maersk's operations hit the rocks hard.
When it comes down to it, the analyst argues, organizations should consider the option that is best for their business. In some cases, that might be to agree to some or all of the ransom demands.
"The decision to pay or not pay a ransom is in fact a business decision, and anyone telling you differently is not serving your interests," Zelonis told El Reg.
"At what point do we make a decision that our ego is second to how do we continue to provide the necessary services?"
Zelonis is not alone in this sentiment. Multiple infosec professionals who spoke with The Register supported the idea that companies should consider at least opening a dialogue with ransomware operators about a possible deal if recovery is non-trivial.