The Ransomware Dilemma: Is Paying Up a Good Idea?
The ongoing fight against ransomware attacks and the cyber criminals perpetrating this menace is more than a full-time job. In a cyber world without boundaries, ransomware has become a worldwide problem, and no organization is immune to becoming a victim.
According to some security experts, the first known reports of ransomware attacks took place in Russia in 2005. Over the past 10 years, these attacks have spread to all corners of the globe, successfully targeting hundreds of thousands of business systems and home PCs. The effects are mounting: the FBI reported ransomware-driven losses of $18 million over a 15-month period in 2014 and 2015.
Ransomware works by making an infected device unusable: it locks the screen or system, encrypts the data on it, and then demands a ransom to unlock the device and decrypt the data. In some cases, once the user’s PC is infected, the ransomware also displays threatening messages disguised as coming from a law enforcement agency, in order to appear credible while intimidating the PC owner. Payment is usually demanded in the form of bitcoins, a virtual currency that is untraceable.
This is apparently what happened at Hollywood Presbyterian Medical Center in California in early February 2016 when it fell victim to malware, which locked the hospital’s computer infrastructure. According to reports, to remain operational and continue providing patient care, the hospital was forced to use “old school” methods including paper records, faxing, and good old-fashioned pen and paper.
In a letter regarding the attack, following a bitcoin payment of $17,000, hospital CEO Allen Stefanek stated “...The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Healthcare Providers Increasingly Targeted
Malware-based attacks on healthcare organizations seem to be on the rise. A recent story from the Los Angeles Times reveals “…since 2010 at least 158 institutions, including medical providers, insurers and hospitals, have reported being hacked or having information technology issues that compromised patient records, federal records show.”
But is paying the ransom the best approach? Many experts say this is similar to negotiating with terrorists. By paying what’s demanded, you supply revenue that may then be used to launch attacks on other organizations. There’s also a good chance that cyber thieves will up the ante once they realize you’re willing to pay. In the end, it’s up to each individual organization to decide whether paying the ransom is right for them. In Hollywood Presbyterian’s case, the hospital was unable to conduct the business of caring for its patients and was even forced to divert some emergency cases to other area hospitals because of a lack of access to its networks. For hospital CEO Stefanek, paying the ransom seemed to be the only way out of this predicament.
Humans Often the Weakest Link
Although the specifics of how the attack on the hospital was carried out remain unclear, what we do know is that the main way malware infiltrates an organization’s network is through one well-intentioned employee opening an infected email. Although anti-virus software is usually very efficient at blocking spam and malicious emails carrying malware, it is imperative that every organization develop and execute a solid security policy. Part of this policy should be regular training and education sessions for all existing and new employees, to ensure they’re up to date on the latest strategies cyber criminals are employing to target, trick and outsmart unsuspecting personnel.
Organizations must train employees to be wary of opening seemingly innocuous attachments from unknown sources, of reusing the same passwords for a lengthy period of time, and of clicking on suspicious links and ads. To reduce the potential for breaches caused by negligence and ordinary human error, it’s critical to make it policy to conduct quarterly or half-yearly IT security awareness training for all employees, and to include these sessions in the employee onboarding process.
In these regular sessions, two best practices that employees should be continually reminded to heed are:
- Never download attachments or click links in emails received from unwanted or unexpected sources, even if the source looks familiar.
- Ignore unwanted pop-up ads or alerts that appear while visiting websites, unfamiliar or even familiar ones; many purport to come from companies like Microsoft and “alert” you to a problem on your computer.
From an IT department standpoint, best practices should include:
- Keeping up with all recommended security updates for the OS, application software and Internet browsers.
- A focus on strengthening email security. Research has shown that nine out of every 10 viruses that infect a computer reach it through an email attachment. It’s critical that organizations use a spam filter and an attachment scanner. Network email security systems, which protect the business as a whole, are also essential, as they can help to block hackers and identity theft. And, as remote workers become more commonplace, the endpoint security software installed on laptops needs to be able to enforce the company’s security policies even when the laptop is not connected to the corporate network.
- Regular backups for all desktops. Rather than backing up to storage that stays connected to the system and the Internet, offline backups are recommended, so the backup copy itself cannot be reached and encrypted. Not only will you have a copy of all critical company and customer data, this also ensures that you won’t have to meet the hacker’s demands.
Although it is impossible to prevent every single cyber attack, getting employees involved and invested in the overall IT security health of the organization will decrease the chance that ransomware, delivered as email-based malware in an average-looking message, will wreak havoc. Every business has the power to take preventive action in order to mitigate, and even prevent, these underhanded and illegal blackmail tactics.