Pay the ransom, and then pay some more: Security teams should bet on defense

By Carl Herberger, Vice President of Security, Radware

When a movie character is kidnapped, paying the ransom doesn’t always result in the hostage’s release. Quite often, the kidnappers simply ask for more money.

In real life, companies who have become victims of a ransom attack face a similar situation. Paying the ransom encourages the hackers to attack again, and certainly keeps them in business to attack others.

Ransom attacks have come primarily in two forms: Distributed Denial-of-Service (DDoS) attacks flood a network or website with requests, paralyzing it, while a second form, so-called non-volumetric attacks, exploit vulnerabilities in a system to encrypt and lock a hard drive. Both models, as you probably know, have the same outcome: To free your frozen data or prevent an impending DDoS attack, hackers demand payment, usually in the form of a hard-to-trace cryptocurrency like Bitcoin.

Whether it’s a classic phishing scheme or an SSL based attack, the threat of DDoS, or another variant, ransom attacks are here to stay. They’re finding new victims and leveraging new tools. If your systems are locked down or under threat of a flood of malicious traffic, should you pay up? If you take the right steps, you might not need to.

Ransom attacks find new, vulnerable targets

Financial institutions remain a favorite target of hackers. That’s where the money is, after all. But cybercriminals have also turned their attention to healthcare facilities, which have proven themselves to be unprepared for attacks and more willing to pay than other organizations.

Hospitals require constant access to health records and their network, and ransomware can cripple operations. At the same time, the private health information sold on Darknet marketplaces commands higher prices than credit card data. In March, for example, an Austin, Texas-based urology practice began notifying 279,000 patients that a ransomware attack may have exposed their confidential financial and medical records.

The healthcare industry isn’t the only sector ripe for extortion – the critical factor is the nexus of money and a desperate need for access to data. The money doesn’t have to be high stakes. College students sometimes pay ransoms of $50 or $100 to unlock the coursework on their hard drives.

New tools, new threats

Ransom attacks have grown sneakier, and more powerful, as hackers try different methods. SSL-based attacks have increased by approximately 10 percent over the past year, according to our research. About 39 percent of companies experienced an SSL-based attack last year, and 75 percent of companies said they aren’t confident they can handle one. SSL attacks are one way hackers are dropping ransomware onto a victim’s system, taking advantage of the encryption to strike vulnerable organizations before they’re aware.

As for ransom DDoS, hackers can up the ante on their threats with powerful botnets harnessed by the Mirai malware. Capable of DDoS attacks above 1 TB, a Mirai botnet offers significant incentive to pay up. Of course, like with any ransom DDoS, no one knows if the hacker can make good on the threat until payment is refused.

To pay or not to pay?

Deciding whether to pay a ransom requires executives to weigh issues of business expediency against their morals. If your IT system is locked down, and you’re caught flat-footed, you can pay the ransom and get back to business, but you put a big target on your organization by doing so, essentially exclaiming that you’re willing to pay to avert an attack.

On the other hand, you can refuse to pay and deal with the loss of data, productivity, and revenue. It’s not an easy choice, but consider the moral question: Do organizations do themselves any favors by keeping criminals in business?

If you’re going to pay, do so knowing that you’ll likely keep paying. The alternative? Shore up your defenses, segment your backups, and build a system that can easily be restored to normal if a user clicks on a bad link. It’s cheaper in the long run, and it slows the flow of cash into the pockets of criminals.