Sometimes, the easy way out is the road to ruin.

After WeLiveSecurity published the article Ransomware: To pay or not to pay?, SC Computing's Bradley Barth picked up on a point I made there, where I said that we hear of instances where organizations pay ransomware even though they have backups because it’s cheaper.

No defence versus insufficient defence

Just to be clear, I didn’t say that they don’t implement defences at all. I can’t say that never happens, but it’s far more common for companies to implement inadequate defences because they aren’t security-savvy enough to plug all the holes, than it is for them to ignore security altogether.

No policy, no consistency

Bradley Barth was particularly interested in specific research, examples, data, or anecdotal evidence. I wasn't prepared to give specific examples, because I couldn't do so without tripping over confidentiality issues. However, my friend and colleague Stephen Cobb provided a generic but appropriate example:

I spoke on a panel at a conference recently where several members of the audience – about 300 Managed Service Providers, each of whom works with multiple client firms – said they knew of specific instances where system administrators had paid ransoms even though recovery from backups would have been possible. The risks of doing this extend beyond not getting the data back despite paying. They include, and again, there was actual knowledge of this: getting hit again because you are seen as a soft target.

In none of those cases were there any rules/policies in place to guide to limit the sysadmin response to a ransom demand. Also recent: I helped conduct a table top exercise for about 60 disaster recovery professionals and it was clear that most organizations had not yet addressed the handling of ransom demands in their policy manuals or incident response playbooks.

Human firewalls

Regrettably, defending against ransomware is not simply a matter of plugging in some sort of anti-malware package using the default settings and relying on it to defend you. Mainstream security programs are good at detecting known ransomware, and much better than you might think at detecting unknown ransomware by monitoring its behavior (behavior analysis). However, there’s no such thing as 100% detection, even with security software set at its most paranoid, and it’s not unknown for staff members (not necessarily deliberately) to give an attacker a way in by some incautious action. Education and policy are often effective ways of making the end-user part of the defensive masonry rather than a flaw in the brickwork.

Porosity and Perimeters

Regrettably, defending against ransomware is not simply a matter of plugging in some sort of anti-malware package
If ransomware gets the chance to execute, the amount of damage it can do is limited by access restrictions in the environment in which it is executed. Unfortunately, if backup systems are set for convenience rather than ransomware-specific security, backups may also be compromised by the malware, even if they're outside the organization's perimeter.

Paying your way out of trouble?

If there are organizations that are missing out steps that would help them survive such circumstances, in the expectation that they can always pay the ransom, they could be in more trouble than they realize. Paying the ransom doesn’t always guarantee the recovery of the data. I was taken to task in a comment to that previous article by someone who asserted that ransomware gangs:

"WILL decrypt your files because:

A) It's their business money, AKA, it's how they make money. If they didn't decrypt the files after the payment, no one would pay the ransom.

B) Ironically, their support is amazing, way better than most corporations."

Well, he's not completely wrong, though those are pretty sweeping statements. In fact, it's not unusual for criminal organizations to have fairly effective 'customer support' for victims of ransomware and other kinds of malware. 'Better than most corporations' is, I think, a bit of an exaggeration, though in nearly 7 decades I've met with some pretty atrocious support from legitimate companies over the years. I'll save those war stories for another blog, though. Going back to his more convincing argument, I'll agree that as far as I can see, most gangs will provide a decryption key to victims who pay up, because (of course) if they never did, there would be no point in anyone paying up.

Trust me, I'm a criminal

However, some gangs (or individuals) have no intention or means of getting the data back for companies or individuals that pay. Consider, for instance, the appalling Hitler ransomware, which demands a ransom of 25 Euros but can't help you decrypt your files, because they were never encrypted, but simply deleted. Lawrence Abrams, for Bleeping Computer, asserted in his description of this particular malware that 'It looks like file deletion is becoming a standard tactic in new ransomware applications created by less skilled ransomware developers.' Similarly, it's far from clear at the time of writing whether the 'FairWare' attackers are actually keeping copies of the data they remove from compromised servers, or are simply deleting them. Since the attackers state that 'Questions such as: "can i see files first?" will be ignored', I'm not inclined to be optimistic.

Honey, I shrunk the decryptor

Some of those developers towards the script-kiddie end of the market may intend to get the data back but have screwed up with the decryption mechanism. Even the more professional gangs can make that sort of mistake. Yet another report from Bleeping Computer indicated that CryptXXX version 3.0 not only prevented Kaspersky’s RannohDecryptor from enabling victims to decrypt their files for free, but also had the (presumably unintended) effect of breaking the criminals’ own decryption key, so that paying the ransom didn’t, at that time of writing, guarantee that the victim would get a working decryptor. As I remarked at the time, when a ransomware gang screws up, it doesn’t always work to the benefit of the victim. And sometimes security measures may actually kick in and interfere with the recovery process. If your files are already encrypted, then removing the malware doesn't usually reverse the encryption.


Data recovery is not all about ransomware

I don’t say these scenarios are common, but they do raise the stakes. And, of course, the risk of ransomware is not the only issue that needs to be addressed by a sound backup strategy. What if your data are lost or corrupted because of issues that have nothing to do with ransomware? You can’t just cough up a few bitcoins in that case, and even expensive data recovery specialists may not be able to come up with a fix.

Paying for protection and paying for protection rackets

The scenarios Stephen describes, where organizations are insufficiently prepared for attacks they probably don't fully understand, are much more typical.

As it happens, I heard recently of an academic institution that was asked for $100 to get its data back. Presumably this was an instance of a bottom-feeder aiming to profit from individuals rather than a gang deliberated targeting a large organization. In a case like that, I can see that there might have been a temptation to pay up. Of course, that might depend on how difficult it might be perceived as being to recover all the compromised data, which in turn would depend on how much data had become inaccessible and how fast and easily they could be recovered from backups. However, in this case the institution concerned chose not to take that route, happily. But, as Stephen suggests, sometimes an organization does take the easy way out. Furthermore, many individuals also pay up (and who can blame them?) And that’s what is keeping the gangs in business. Do I expect every victim to take the moral high ground? Of course not. But in a protection racket, everyone who pays up is keeping the racket alive.

The commenter quoted above also said:

Regarding backup strategies and specialized IT security personnel that everyone keeps talking about, it's obvious you're out of touch of the real world...

Well, what is obvious is not always true. Before I was assimilated into the security industry, I spent decades working (mostly) in security as a support engineer, systems administrator, security analyst, and as a security manager. And sure, I could cite examples of misconceived short-termism and cost-cutting that actually multiplied long-term costs to the organizations concerned. But to dismiss all 'CEOs and their respective bean counters' as idiots who only commit resources to security after the fact, and then only by applying sticking plaster, is just crass. The security decisions made at C-level are all too often wrong. But it's not often that the people at the head of an organization pay for security practitioners with the express intention of ignoring them.

You can find Bradley Barth's article here: Ransomware locks experts in debate over ethics of paying.