The recent global ransomware attack affected thousands of organisations of varying sizes, including the NHS, Nissan, FedEx and many small businesses. This has highlighted the growing threat and massive effects ransomware can have, whilst emphasising the importance of employing good cyber security practice in order to reduce the risk of attack and the impact of successful attacks.
Recently, I was asked for advice by someone I know who runs a small business. Her company provides HR and payroll services and has 4 employees.
One of her employees downloaded what he thought was a ‘new starter’ form from an email. The email appeared to be from one of the company’s clients and didn’t look overly suspicious or out of the ordinary. Unfortunately, the file contained malicious software, which was not stopped by the, now out-of-date antivirus software that had been nagging to be renewed for the last 6 months.
The desktop background of the computer was changed to a red background with white writing, informing the user that their files had been encrypted and that they must pay a ransom to get their files back. The files on the infected computer were indeed, encrypted, and so were all the files on a shared drive which the team use to store crucial data.
The business did not have back-ups of most of the files and it would really hit them hard were they to be without them for any period of time. Critical business functions would not have been possible and recreating the data would have cost a lot of time and money and possibly lost the company some of their clients.
The business owner was cornered. Her business, which she had poured years of her life into, countless hours of hard work, risk and most of her savings into could not afford to lose clients or be unable to operate. Her livelihood as well as that of her staff was at stake.
The ransom demand was 0.2 Bitcoin. Bitcoin is a digital currency which is decentralised and due to lack of regulation, is favoured by cyber criminals. At the time of the incident, 0.2 bitcoin was around £160.
Given the situation, after consulting with her IT supplier and asking my advice about recovering or decrypting the files, she decided that the cost of a technical solution was likely to be prohibitive and was unlikely to work.
This left her with a moral and ethical dilemma. Does she pay the ransom of £160 and hope to get her files back, or take the hit, grovel to her clients and hope she still has a business at the other side?
Paying the Ransom
There are definitely moral and logistical questions here. Paying the ransom is funding organised crime and encouraging cyber criminals. They only do this because they can make a profit from it, so by paying it, she’s contributing to that.
Also, how do you know they’ll keep their word and decrypt your files. In fact, how do you even know they can decrypt them? Well, in this case, as a ‘proof’ or show of ‘good faith’, they offered to decrypt 10 files for free, to prove they could and would. In many reported cases of ransomware where people pay the ransom, the files are decrypted as promised.
As strange as it sounds, the criminals have a reputation to protect. If word got out that they didn’t keep their word and didn’t decrypt the files, then it’s likely people would rarely pay. A report recently found that around 65% of businesses do pay the ransom when hit by ransomware.
This particular ‘brand’ of ransomware has a lot of reports of being decrypted as promised, with, amazingly, some great reviews for the cyber criminals customer service support desk, which raved about how clear and helpful they were.
It’s also likely that in this case, the company was not specifically targeted, but was part of a large, ‘scatter-gun’ approach using hacked contact lists. This might be reassuring that perhaps they won’t be specifically targeted a second time, however there are many ‘sucker lists’ or ‘pwned lists’ on the dark web, sharing which companies paid the ransom. This actually helps cyber criminals make business decisions about sectors and profiles to specifically target for future ‘campaigns’.
Not Paying the Ransom
Most people would agree that this option is the moral and ethical winner. We will not be beaten, will not back down and will not give in to criminal demands.
What’s key to remember here though, is that a real person’s business is at stake. This small business owner is so financially and emotionally invested that she will fight tooth and nail to save it. Is she willing to risk so much out of not wanting to support criminal activity?
Is her moral objection to extortion of such strong resolve that she is willing to gamble her livelihood and that of her loyal employees to sustain it? Is it not worth her venturing £160 and hoping it works out?
Most will agree that this is a tough situation. The business owner wants to do the right thing, but also look after her business, her family and her employees.
In this case, she decided, reluctantly, to pay the ransom. Almost immediately, she was sent an activation code, which, when put into the user interface, began decrypting files immediately.
All traces of the malware have now been removed and there are now measures in place to prevent it from happening again. There’s likely to be wide and strong differences of opinion on whether or not it was right to pay the ransom and there are arguments for both sides.
What is clear, is that in hindsight, she would have preferred to have had measures in place to prevent this incident from happening in the first place, and have had reliable backups of crucial data so she wasn’t left in a situation where she felt she had no other choice.
Unfortunately, this is growing problem and plenty of business owners find themselves in a similar situation.
How to protect your business
There are a few relatively simple things you can do which will mitigate the majority of ransomware attacks:
- Update your devices – Make sure auto updates are enabled on your PCs, laptops and mobile devices. Many people consider the update process an inconvenience, but the updates contain critical security fixes which help protect your systems and data.
- Backup critical data – Make sure any critical data that you need to do business is backed up. This means you can restore data without having to pay a ransom. It’s also key to make sure that wherever it is backed up to cannot be affected by ransomware at the same time as your PCs. Often, a simple file server or shared folder is also open to a ransomware attack. An offline backup is the safest option as this cannot be penetrated by ransomware.
- Use an antivirus program – Run an antivirus program on all of your devices and make sure it is updated regularly. It should provide ‘real-time’ protection, which means it constantly monitors for malicious software and scans files when you access them.
- Be careful opening attachments and clicking links in emails – A huge amount of attacks use email as part of the way to infect computers. Ensure you and your staff are vigilant.