'Paying the ransom isn't going to make a difference'
One of those experts was Adam Kujawa, director of MalwareBytes Labs. Kujawa explained that, while refusing to be held hostage by ransomware was good advice in the early days, it doesn't hold up so well in the modern landscape: if you're infected, the damage is done, and the crooks will move on and attack another victim regardless.
"If you go back in time five to seven years, we would tell people never ever pay the ransom because it is going to encourage this behavior to become more popular and it will just keep coming back," he said.
"At this point I don't think paying the ransom is going to make a difference, the point has already been made."
The key thing, whether you pay off a ransomware mastermind or not, is to find out exactly how the software nasty got onto your network, and ensure it doesn't happen again.
Opening the door to payments does not mean companies should immediately cave to every ransom demand, Zelonis notes. Rather, he is advising organizations to bring in consultants or security vendors who are familiar with both the malware infections themselves and the people who operate them.
Those advisers, in turn, could help executives decide whether agreeing to pay a ransom would be a viable alternative to a full-scale wipe-and-replace operation. Ideally, this would be done while the company's IT staff works to isolate and, where possible, recover data from the infection.
"In parallel you are working with a ransomware expert that is going to have familiarity with the ransomware group, the particular strings, and how to go about discussions," he explained. "The only thing I am trying to accomplish is to show people how to go about the process."
Kujawa's advice is for companies to prioritize what data they most need to back up, and how often it needs to be updated.
For example, would a database need to be stored in a secure cloud every day, or can the business survive with only updating every week or so? This can help companies decide how and what they need to recover, and what, if anything, they may want to try to get back from the ransomware.
There is also the possibility of compromise, Kujawa notes. Companies may not have to cave in to all demands, and recovery doesn't necessarily need to be an all or nothing proposition.
"These guys behind the ransomware are not robots, they are human beings, at the end of the day a criminal is more likely to want to get something than nothing at all," he said.
"If you can't back up the data that is operationally important, negotiate with the cybercriminal."
In the end, it comes down to one simple realization: ransomware is no longer an IT problem, it is a business security consideration, and must be weighed as such. It is business expense versus business expense.
To that end, ego and optics have to take a back seat to keeping the entire operation afloat, and that may mean, when caught with your pants down and recovery unfeasible, making the tough call to swallow pride and cut a deal. ®