Ransomware corrupts data, so backups can be faster and cheaper than paying up
Smash and grab raids don’t leave time for careful encryption
Ransomware actors aim to spend the shortest amount of time possible inside your systems, and that means the encryption they employ is shoddy and often corrupts your data. That in turn means restoration after paying a ransom is often a more expensive chore than deciding not to pay and working from your own backups.
That's the opinion of Richard Addiscott, a senior director analyst at Gartner.
"They encrypt at excessive speed," he told the firm's IT Infrastructure, Operations & Cloud Strategies Conference 2023 in Sydney on Monday. "They encrypt faster than you can run a directory listing."
Ransomware operators therefore encrypt badly and lose some of the data they then try to sell you back.
Restoring from corrupt data dumps delivered by crooks is not easy, Addiscott advised – and that's if ransomware operators deliver all the data they promise. Plenty don't – instead they use a ransom payment to open a new round of negotiations about the price of further releases.
That sort of wretched villainy means just four percent of ransomware victims recover all their data, he said. Only 61 percent recover data at all. And victims typically experience 25 days of disruption to their businesses.
Addiscott suggested that period can be reduced if organizations create ransomware recovery playbooks and practice their use.
"Do you have scripts ready for a cloud rebuild?" he asked. "Don’t build the plane while you are trying to fly it."
To pay or not to pay?
A blanket policy to pay, or not pay, ransoms is not helpful, Addiscott opined. Instead it should be treated as a business decision that takes into account risks, including that payments to offshore players could violate international sanctions and lead to fines.
Paying ransoms is also no guarantee data will be restored, he added.
Ransomware gangs also tend to re-attack those who pay once, making payments a tactic of last resort in Gartner's opinion.
In any case, the decision might not be yours: cyber-risk insurers may decide a ransom is cheaper than funding a restore, and require payment. Addiscott said he's even aware of one ransomware operator that sent a victim the relevant section of their insurance policy to point out any payments would be covered.
Securing the funds to prepare for a rapid post-ransomware recovery means couching the risk in the language of the business, not IT.
Revenue protection, risk minimization, and cost control are the topics likely to loosen the purse strings, according to Addiscott. He also shook his head as he recalled moments in which business leaders authorized large and rapid ransom payments that dwarfed the denied investments that could have made them unnecessary.
He counselled proper preparation, because ransomware scum have figured out one way to accelerate stalled negotiations over a payment: whacking their victims with a DDoS attack so they're fighting two fires at once, and are therefore willing to pay to make at least one problem go away.
Ransomware operators also like to double-dip by seeking payment from organizations whose data they stole, then mining it to find other targets. Addiscott mentioned an attack on a healthcare provider whose customers were hit with a demand for payments or else their medical records would be released.
Customers named in a stolen data heist may also be targeted with a suggestion they let suppliers know they want payments made – to lessen the risk of their data being exposed.
Addiscott suggested immutable backups, and an isolated recovery environment, are an excellent combination of defences.
But he also pointed out that the folks behind ransomware are smart, ruthless, creative, and persistent, so will find new and even nastier ways to attack.
The analyst did have one good piece of news: a 21 percent drop in ransomware incidents in 2022 compared to 2021. He theorized that drop was caused by sanctions making it harder for ransomware gangs based in Russia to go about their business.