Worried ransomware will screw your network? You could consider swallowing your pride, opening your wallet

We know it's controversial – but don't rule out paying the ransom to unscramble your biz files, experts suggest

As ransomware infections continue, conventional wisdom on how to respond to threats is going out the window.

The idea of agreeing to an extortionist's demand, and paying a ransom to restore your company's scrambled data, long considered a non-starter, is something businesses should mull over as a viable option, according to analyst house Forrester Research.

Josh Zelonis, a senior analyst specializing in security and risk for Forrester, argued this month that while organizations shouldn't just cave in immediately to every demand made, they should at least look into whether agreeing to a criminal's terms may be a better option than a costly wipe and recovery process.

The analyst is not alone, either. Other security professionals agree that, in certain cases, it may be better to negotiate than hold out and face a catastrophic outage and recovery. It may be wise to factor in paying up as a final recovery option, after other mainstream defenses – regular offline backups and security patching, intrusion prevention, and so on – fail.

It shouldn't be the first option to reach for, and the focus should stay on prevention rather than reactive cleanup. Even so, the option shouldn't be discarded out of hand, especially as you prepare to sign off on spending seven figures or more to restore operations.

The case against bankrolling criminals

When it comes to malware, the advice handed down by government agencies and information security firms alike has been to never pay ransom demands. The FBI's ransomware guidance (PDF) encourages anyone hit with ransomware to contact law enforcement, and tells both home PC owners and enterprises alike not to pay any extortion demands.

Rather, companies are advised to build and maintain regular backups of their data, stored offline separate from networks, and be prepared to wipe and restore any systems that get hit with the file-encrypting extortionware.

The reasoning is not hard to understand. Paying off a ransom only encourages criminals to continue their actions. When a hacker hits pay dirt from a successful ransomware infection, they are almost certain to try the same tactic again, possibly on the same target. By caving in to a ransomware demand, you only strengthen the criminals and put others at risk.

There is another basic truth at work: criminals are not trustworthy people. When you pay a ransomware demand, there is no guarantee the crooks will actually hand over a working decryption key (and in some cases the malware operators have no working way to decrypt the files their code scrambles, or don't care whether it works).

Steve Piper, CEO with CyberEdge Group, told The Register that his outfit's most recent threat report found only about 60 per cent of companies that pay ransomware demands actually get their data back in the end.

"Even if you pay the ransom there is a two in five chance you are not getting the data back anyway," he explained.

When it comes down to it, the best defense against ransomware is to not get infected in the first place. Barring that, companies should have strong backup and recovery plans. It seems simple enough.

It's not always so simple, however

While the statistics and tough talk about not negotiating with crooks are all well and good, things look rather different when it is your organization's data on the line after you've been soundly beaten. Large organizations such as shipping titan Maersk and the US city of Baltimore have incurred multi-million-dollar cleanup bills after resolving not to agree to any ransom demands and rebuilding their installations virtually from scratch.

Even if a company is meticulous about backing up their data, the actual recovery process is far easier said than done, particularly when you have to do it with hundreds or thousands of PCs and terminals, and dozens of servers or cabinets of servers.
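A small restore drill of the kind that exposes this gap before an incident, written here as an added example for this piece rather than anything from Forrester or the organizations named above. The directory layout, the file contents and the damage simulated on the "restored" copy are all constructed inside the script:

```python
"""
Offline-backup restore drill.  At backup time, record a manifest of SHA-256
hashes for every file; after a test restore, compare the restored tree against
that manifest so that missing, altered and stray files show up before anyone
has to bet the business on the backups.  Added example: the directory names,
file contents and simulated damage below are constructed for the demonstration.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup sets do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256.

    Store the result alongside the offline backup, on the same write-once or
    disconnected medium: a manifest that sits on the network is just one more
    file for the ransomware to scramble.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(restored: Path, manifest: dict[str, str]) -> dict:
    """Compare a restored tree against the manifest taken at backup time.

    missing  - in the manifest but absent from the restore (partial restore)
    corrupt  - present but with different contents (wrong restore point, or
               files that were already encrypted when the backup ran)
    extra    - present but not in the manifest (the target was not wiped
               cleanly; ransom notes and .locked files often surface here)
    """
    present = build_manifest(restored)
    missing = sorted(set(manifest) - set(present))
    extra = sorted(set(present) - set(manifest))
    corrupt = sorted(
        rel for rel, digest in manifest.items()
        if rel in present and present[rel] != digest
    )
    return {
        "missing": missing,
        "corrupt": corrupt,
        "extra": extra,
        "ok": not (missing or corrupt or extra),
    }


def run_drill(tamper: bool) -> dict:
    """Constructed scenario: three files are backed up, then restored.

    With tamper=True the 'restored' copy loses one file, has another
    overwritten and carries a leftover ransom note, which is roughly what an
    untested recovery tends to look like.
    """
    sample_files = {
        "finance/ledger.csv": b"acct,amount\n1001,250.00\n",
        "hr/roster.txt": b"alice\nbob\ncarol\n",
        "ops/runbook.md": b"# Restore runbook\n1. Pull tapes from the safe.\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp) / "fileserver"
        restored = Path(tmp) / "restored"
        for rel, data in sample_files.items():
            target = source / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)

        manifest = build_manifest(source)   # taken when the backup was made

        shutil.copytree(source, restored)   # the restore job
        if tamper:
            (restored / "hr/roster.txt").unlink()                          # never came back
            (restored / "finance/ledger.csv").write_bytes(b"\x9c\x02\xd1junk")  # scrambled
            (restored / "ops/README_TO_DECRYPT.txt").write_bytes(b"pay us")  # leftover note
        return verify_restore(restored, manifest)


if __name__ == "__main__":
    print("clean restore:", run_drill(tamper=False))
    print("bad restore:  ", run_drill(tamper=True))
```

The drill is only worth anything if it is run against a real restore onto scratch hardware, at something close to production volume, and if the manifest lives with the offline copy rather than on a share the attacker could reach. A clean report from this check is what lets a board weigh "rebuild" against "pay" with actual numbers rather than hope.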

"A majority of organizations, even those that have backups, don't test their ability to recover," Forrester's Zelonis told El Reg, "and those that do don't test their ability to recover at scale."

This is where Zelonis wants companies to have the tough conversation: should pride and ego take precedence over the financial health of the organization and its ability to function? Baltimore, for example, saw vital services, including the police force, affected by its ransomware infection, and Maersk's operations hit the rocks hard.

When it comes down to it, the analyst argues, organizations should consider the option that is best for their business. In some cases, that might be to agree to some or all of the ransom demands.

"The decision to pay or not pay a ransom is in fact a business decision, and anyone telling you differently is not serving your interests," Zelonis told El Reg.

"At what point do we make a decision that our ego is second to how do we continue to provide the necessary services?"

Zelonis is not alone in this sentiment. Multiple infosec professionals who spoke with The Register supported the idea that companies should consider at least opening a dialogue with ransomware operators about a possible deal if recovery is non-trivial.

Biting the hand that feeds IT © 1998–2022