Last week, on October 26, 2015, Business Insider reported the FBI’s suggestion that you may need to pay up if hackers infect your computer with ransomware. Assistant Special Agent Joseph Bonavolonta of the FBI’s CYBER and Counterintelligence Program in Boston spoke at the 2015 Cyber Security Summit and stated, “The amount of money made by these criminals is enormous and that’s because the overwhelming majority of institutions just pay the ransom.” He went on to add that the Bureau’s efforts, and those of others, have yet to yield a solution.
A spokesperson from the Boston Bureau told Business Insider that while the FBI doesn’t make recommendations for what businesses should do if they fall victim, “instead, the Bureau explains what the options are for businesses that are affected and how it’s up to individual companies to decide for themselves the best way to proceed. That is, either revert to backup systems, contact a security professional, or pay.”
The knee-jerk question to such a statement would be “Is the FBI just giving up?” but look a little deeper into what is being suggested. For a non-profit organization, a corporation, or an individual, it all starts with a good data policy, procedures in place, and cybersecurity awareness. If a good backup policy exists and is actually carried out, then the amount of information lost in recovering from a breach will be minimal. If a breach occurs, the recovery of that machine will be easier and less of a financial burden.
An organization, regardless of whether it is a business of one or of one hundred thousand, should hold yearly cybersecurity awareness training for all of its associates, just as it does for sexual harassment. In that training, ransomware should be covered, employees’ responsibilities should be made clear, and how to avoid these infections should be discussed. Plenty of examples of how ransomware works, and of the consequences, will help employees recognize suspicious emails or illicit websites and will hopefully get the point across. There are also cybersecurity specialists who will set up social engineering exercises so you can test your employees’ awareness and target further training at those who end up triggering such simulated attacks. It is this kind of preparedness that shows promise in reducing the number of ransomware infections and other forms of malware. Regard it in the same way you hold fire drills or renew benefits packages. You do not wait until disaster strikes to carry out damage control. Your people already know where the fire exits are, and they have health coverage in place. Cybersecurity procedures should be no different.
As for simply paying a ransom if the worst occurs, this is worse than a last resort. Caving in to the demands of black hat hackers will only encourage more people to write ransomware, or get your data returned with a different sort of malware installed alongside it. As a result, more machines will get infected. If you want to reduce the number of infections, then refuse the ransom. Once ransomware becomes less financially rewarding, the market will dry up.
That market, however, will continue to exist if organizations continue to pay. The more individuals and organizations pay, the more hackers will write ransomware. You end up in a vicious cycle.
The cost of unlocking a machine infected with ransomware might go down, but more infections will likely happen, which means more money will be spent recovering from them. Behavioral modification is the only way to stop these attacks. Hackers can stay one step ahead of the tools that scan for and remove these infections, which means cybersecurity is no longer something a single software package can solve. The goal is for the community to fight back by preventing the infections in the first place, killing the ransomware market through preparation and planning.
The moral of this particular cyberstory is to understand that paying the ransom is never the best solution. Prevention of, and recovery from, this kind of malware infection comes not only from solid, reliable software solutions, but also from having the right policies in place and well-trained, knowledgeable associates. Be ready. Be vigilant.
Stratford University, in association with Key Cybersecurity, is offering CISSP, CISA and CEH training and certification courses at many of its Northern Virginia campuses. We will be providing students with hands-on experience of state-of-the-art security solutions like HeurekaCyber’s Cyber Armor and others. Join us at http://www.stratford.edu/cyber in becoming the first line of defense in cybersecurity.