Ransomware – Should You Pay?
Last night I watched an episode of Chicago Med (Season 2, Episode 19). It happened to be about ransomware. Chicago Med was infected with ransomware, rendering all computer systems (doctor’s tablets, MRI machines, patient history systems, diagnostic systems, etc.) useless. The staff of Chicago Med had to resort to “manually” doing everything – filling out paper lab requests, using a whiteboard for patient status, using old school methods to diagnose patients, etc.
A debate ensued about whether Chicago Med should just pay the ransom, which was around $30k. The staff had differing opinions in the episode.
This is a debate worth discussing, as I do not see a clear answer to the question “should I pay the ransom”, other than “it depends”.
I tend to look at everything from a risk perspective. Sure, it’s easy to say “our policy is we do not pay ransom”, but at what cost? Many people have polarizing opinions on just about everything, including this topic. It’s easy to make recommendations from afar. What if your spouse was in a hospital and needed immediate emergency treatment, but treatment was delayed because of ransomware? Every second in this delay increased the risk that your spouse might die. Would you still support the policy “we do not pay ransom”, even if it meant your spouse may die? Is $30k worth more than your spouse?
Also, the rationale for the “we do not pay ransom” policy goes something like this – “if the hackers know we do not pay ransom, they won’t attack us”. This is flawed logic because many cybercriminals release ransomware into the “wild”, non-directed, to spread to as many systems as possible, so they can maximize odds of success and returns.
The Chicago Med hospital administrator was adamant about not paying the ransom, but one of the doctors paid the ransom himself. After the ransom was paid, all the systems came back online and everything went back to “normal”. The doctor that paid the ransom simply stated that the risk was too great and that he had calculated the ROI and it was an easy decision.
But, wait…what if you pay the ransom and the hackers just take your money and don’t decrypt your systems?
This is certainly a possibility, although it is almost never the case. Most cybercriminals are in the business of making money, so their business models support this objective. Cybercriminals probably analyze risk in greater depth than most IT Staff of Cybersecurity Staff.
Risk is the real issue that is almost always overlooked. Sure, screw paying the ransom if:
Your IT/Cybersecurity Staff has an up-to-date and rehearsed Incident Response Plan
Your IT/Cybersecurity Staff has current, up-to-date backups that can be restored quickly
Your IT/Cybersecurity Staff can source the ransomware infection and prevent it from occurring again after the backup restoration
Your IT/Cybersecurity Staff knows which vulnerability the ransomware exploited
Your IT/Cybersecurity Staff knows the extent of the infection – did the infection hit the backup systems?
In the Chicago Med episode, they had to end up diverting patients to other hospitals because of the ransomware. The Chicago Med IT Staff seemingly did not have a plan, at least a timely one, to restore the hospital systems.
I’m certainly not advocating people pay the ransom, but blindly making blanket policies without understanding risk is a huge problem, especially at places where time is of the essence, such as hospitals.
So, what can you do to help with RANSOMWARE? I recommend 3 things to start:
Perform a risk assessment against your environment – identify your critical assets (data and systems). Not everything is critical. Narrowing your focus to what is critical, then prioritizing accordingly allows you to better protect these systems and restore them in a prioritized manner. Too many organizations try to equally protect everything. This is a huge mistake, as everything is half-ass protected, which doesn’t cut it. It’s better to protect your 10 critical assets 100% and leave the 90 noncritical assets at 50%. This is better than all 100 assets being protected at 60%, which is a common mistake.
Once you know your critical systems, make sure those systems (and the applications installed on them) are patched routinely and that they are backed up (the system itself as well as the data on the system) as frequently as needed.
Critical system backups security and testing. Make sure the backup system is secure. If the ransomware hits the backup system, the backups are no good. Also, make sure you know how to restore from backups. This seems simple, yet it is often overlooked. I’ve seen many organizations back up their data routinely and religiously and never once test the restoration procedures. During an incident, they found out that the restoration procedures did not work at all or only partially worked.
If you’re unclear on how to perform the risk assessment or need help with a cybersecurity plan, we can help you with our fractional and virtual CISO service.