You don’t negotiate with terrorists, and you don’t pay ransom unless you have no other choice. Even then, you should try every available avenue before you decide to pay money to the company holding your data for ransom. It’s just a bad idea. Last week there was a news story of a company that paid several BitCoin (each of which was worth roughly $15K) to get their data back. (I am not putting the exact amount or link to the story for reasons I will explain later.)
This kind of thing has become all too common, but this time things were a little bit different. The company disclosed that they had backups of the data that they could have used to restore their environment without paying the ransom. They chose to pay the ransom because they felt that it would restore their data quicker then their backup system would be able to do. I have two observations here: that was a really bad idea, and they should have had a better backup system.
You don’t pay ransom or blackmail!
The biggest reason you do not pay ransom or blackmail is that it says you’re open to paying ransom or blackmail. There is absolutely nothing stopping the entity who attacked you from doing it again in a few days or weeks.
Just ask Alexander Hamilton. Yes, that Alexander Hamilton. He had an affair with a married woman and was subsequently blackmailed by her husband. Mr. Reynolds started out asking for small figures, amounting to a few hundred dollars in today’s money. But by paying a few hundred dollars, Hamilton showed that he was open to paying ransom. If he was open to paying a few hundred, he would pay a few hundred more. Reynolds came back for money several times. By the time the event came to a conclusion, Hamilton had paid Reynolds roughly $18,000 in today’s money. (And the affair eventually came out anyway.)
By paying the BitCoins to the black hat, this company has shown that they will pay the ransom if they are attacked. What makes matters even worse is that the event was published in the news. Now everyone knows that this company will pay a ransom if they are attacked. they might as well have put a giant “HACK US!” sign on their website. (The first version of this story included the name of the hospital and a link to the story. I took it out so as not to add insult to injury.)
They didn’t just paint a target on their back; they painted a target on every companies back. The more companies that pay the ransom, the more black hats will attack other companies. If we all collectively refuse to pay the ransom – after ensuring that we can recover from a ransomware attack without paying the ransom – these black hats will find some other way to make money.
Another reason that you do not pay ransomware companies any money is that you are dealing with unscrupulous characters, and there is no assurance that you will get your data back. I am personally aware of multiple companies who paid the ransom and got nothing.
They need a better backup system
The backup system must not have been designed with the business needs of the company, or it would have been able to help them recover from this attack without paying the ransom. According to the story, the company felt that restoring from a backup would take too long, and paying the ransom would be quicker. What this tells me is that the recovery expectation was nowhere near the recovery reality.
This company must have done a cost-benefit analysis on the cost of a few days of downtime, and decided that the amount of lost revenue was much greater than the cost of paying the ransom. Let’s say, for example, they calculated that everyday of downtime would lose them one million dollars. If they used their backup system to restore their data center, they would lose more than three million dollars, since they said it would take 2-3 days. $55,000 is peanuts when compared to three million, so they paid the ransom. I do not agree with this logic, as I discussed previously in this article. But this is the logic they apparently used.
If they knew that their company would lose a million dollars a day, then they should have designed their backup or disaster recovery system to be able to recover in less than a day. Technology certainly exists that is capable of doing that, and it usually costs far less than the amount of money that would be lost in an outage.
Even if the system cost similar to the amount of money that would be lost in an outage, it still might make sense to buy such a system. The reason for this is the impacts to the business go beyond a straight loss of revenue due to downtime. If your business suffers a sustained outage, you may lose more business than just the business you lost while you were down. You might lose some customers for good, and the lost revenue from that would be difficult to calculate.
Being ready for a disaster
If minimizing downtime is the key, the only way to truly be ready for a disaster is to be able to boot instantly after an outage. There are a variety of products that advertise such functionality today, but very few of them would be able to recover an entire datacenter instantly. I will discuss the various instant recovery options in my next blog post.
For now, I just want to remind you of two things: be ready for ransomware, and never pay the ransom. Make sure you are able to recover all of your critical data in a time frame that your business would find acceptable, so that you can tell any ransomware black hats to go pound sand if they come knocking on your door.
----- Signature and Disclaimer -----
Written by W. Curtis Preston (@wcpreston). For those of you unfamiliar with my work, I've specialized in backup & recovery since 1993. I've written the O'Reilly books on backup and have worked with a number of native and commercial tools. I am now Chief Technologist at Druva, the leading provider of cloud-based data protection and data management tools for endpoints, infrastructure, and cloud applications. These posts reflect my own opinion and are not necessarily the opinion of my employer.