I’m not a big fan of Matt Damon movies (remember The Martian? Bo-ring!) but I am, however, a huge fan of John Malkovich. Compare his performances for example as the conspiracy kook in RED and RED 2 (brilliant in both in my opinion) with his flawless French dialog as Talleyrand in the European TV historical miniseries Napoleon (well-produced except for Christian Clavier’s sometimes over-the-top acting as Le Petit Caporal). But there’s one scene with both Malkovich and Damon that I often come back to and which I’m going to suggest might apply should you, unfortunately, find yourself locked out of accessing your business data because of a ransomware attack on your company. You can watch this scene here on YouTube. (A longer version can be viewed here.)
Do the right thing? No. Pay the ransom? Yes
That’s right, I’m going to argue in this article that the logical thing to do if perhaps not the right thing, is to pay the ransom being extorted from you. At least it’s probably the logical thing to do from a purely business perspective. But one can also argue that it’s logical to do it from an IT perspective.
Why is that? Because IT in a business context fundamentally concerns itself not with technology but with operational matters. The computing devices, software, and services that business IT manages are there to support the operations of the business; they don’t exist for themselves. So, when viewed from this perspective, one can argue that ransomware attacks fall under the umbrella of ensuring business continuity and disaster recovery preparedness. You’re either prepared and in a good place to recover quickly from a ransomware attack, or you’re not—in which case your business is screwed. Of course, this assumes that you can quickly detect when a ransomware attack against your company has been initiated, because the time to recover from a disaster is (more or less) proportional to the extent of the intrusion, and that extent in turn grows with the amount of time that has passed since the breach in your defenses occurred. And defending the computing infrastructure and data of your business is also IT’s concern, as is recovering from the effects of a cybersecurity breach.
Disaster recovery starts with mitigating the disaster
But disaster recovery is more than just restoring systems and data from backups. Disaster recovery at its core is itself a business process, not a technical matter. It’s about restoring your business to normal operations and about doing it quickly. Because the longer your operations are interrupted, the more your business suffers. An interrupted business bleeds money quickly and often loses some of its customers as well. Its reputation in the marketplace can also suffer, and its shareholders might become upset with it as well.
Hence, when a company discovers it’s been hit by a ransomware attack and the attackers have demanded money to release their data, management and IT sit down together and calculate the amount of effort and time needed to restore everything from cloud backups. Then they compare the cost of lost business from this recovery period with the cost of simply paying the attackers what they demand. And management realizes that it’ll be cheaper for the company in the long run if they simply pay the extortion price so they can get everything running again immediately.
Not only that, but depending upon the insurance policy your business has, it will probably be your insurance company that pays the ransom, not your business itself. Of course, your premiums will probably go up, so the insurance company will end up benefiting the most in the long run, but at least in the present your operations will be sustained, your customers will stay happy, and your shareholders won’t start dumping on you.
Paying the ransom is not the final chapter
Of course, paying the ransom isn’t all that’s involved in recovering from a ransomware attack. You still need to run a full forensic audit to find the vector by which the attack was launched against your network. You have to perform a complete scan of your systems to ensure there’s no residual infection needing to be removed. And you have to establish new controls, procedures, and policies to ensure that an attack similar to the one that occurred is unlikely to succeed in the future — especially a repeat attack from the same criminals.
The situation becomes even more critical when a ransomware attack has been launched against a health-care provider or other business where it’s not just profit that’s at stake but people’s health and even their lives. In such cases, payment of the ransom being demanded may not only be the most cost-effective solution but also the only ethically defensible response. In fact, the whole idea of using standard BC/DR procedures and backups for recovering from ransomware intrusions is probably only practicable for small businesses where few systems are involved, and the amount of money lost due to business interruption is relatively small.
But doesn’t paying ransoms like this simply encourage crooks to continue their behaviors and target other businesses? Perhaps, but now we’ve strayed out of the area of IT into what should really be a regulatory matter for governments to decide. For example, governments might pass legislation requiring businesses to disclose ransomware attacks upon detection and even penalize businesses that pay extortion monies to attackers. Perhaps this sounds reasonable from an ethical point of view, but one can also argue that it penalizes the victim, not the criminal. I’ve actually been told, however, that some governments, including the United States, seem to be moving in the opposite direction by making ransomware payments tax-deductible and hence encouraging them over utilizing standard disaster recovery procedures. I’m neither a lawyer nor an accountant and I’m Canadian, but it appears to me that the IRS already qualifies blackmail and extortion as forms of theft, which means, at least to some extent, that losses from these activities can be tax-deductible. Things are probably different in Europe, I expect.
So, switching the perspective from business back to IT for a moment, what’s the solution to this growing problem of ransomware as far as IT pros like us are concerned? Automate your BC/DR procedures as much as possible to make recovery quicker and more effective. Strengthen your cybersecurity defenses as much as you can to make your network difficult to hack into. Be vigilant and stay on top of any bulletins about newly discovered vulnerabilities in the devices, software, and services you manage. Apply patches as soon as you have tested them, and be prepared to deal with the inevitable headaches when a patch has side issues associated with it. Upgrade those legacy server workloads — staying on Windows Server 2003 or running Exchange 2007 really isn’t a good idea at this point, and neither is having Windows 7 or (eek!) Windows XP around just to keep that industrial tool or medical scanner working properly.
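One concrete piece of the "automate your BC/DR procedures" advice above is a scripted backup verification drill: you cannot rely on a backup you have never checked, and ransomware operators routinely tamper with or encrypt backups before triggering. The script below is an added example written for this article, not code from the author; it records a SHA-256 manifest for a backup set and then reports files that are missing, altered, unexpected, or older than the recovery point objective. The directory names, file contents, and timestamps are constructed for the demonstration.

```python
"""Backup verification drill: a constructed example of automating one piece of
BC/DR. It writes a SHA-256 manifest for a backup set, then checks that every
file is present and unmodified and that the backup is no older than the
recovery point objective (RPO). All paths and contents are made up."""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional, Tuple

CHUNK = 1 << 16


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backup archives need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path,
                   created_at: Optional[float] = None) -> Dict:
    """Record the hash of every file under backup_dir, keyed by relative POSIX path.
    Keep the manifest outside the backup tree (ideally on separate, write-once media)."""
    files = {p.relative_to(backup_dir).as_posix(): sha256_file(p)
             for p in sorted(backup_dir.rglob("*")) if p.is_file()}
    manifest = {"created_at": created_at if created_at is not None else time.time(),
                "files": files}
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path, max_age_seconds: float,
                  now: Optional[float] = None) -> Dict:
    """Compare the backup set against its manifest and the RPO.

    'ok' is True only when nothing is missing, corrupt, unexpected (a file the
    manifest never saw, e.g. a ransom note dropped into the backup tree) or stale."""
    manifest = json.loads(manifest_path.read_text())
    now = time.time() if now is None else now
    expected = manifest["files"]
    present = {p.relative_to(backup_dir).as_posix(): p
               for p in backup_dir.rglob("*") if p.is_file()}
    missing = sorted(set(expected) - set(present))
    unexpected = sorted(set(present) - set(expected))
    corrupt = sorted(rel for rel in set(expected) & set(present)
                     if sha256_file(present[rel]) != expected[rel])
    age = now - manifest["created_at"]
    stale = age > max_age_seconds
    return {"ok": not (missing or unexpected or corrupt or stale),
            "missing": missing, "unexpected": unexpected, "corrupt": corrupt,
            "stale": stale, "age_seconds": age}


def demo() -> Tuple[Dict, Dict, Dict]:
    """Run the drill on a constructed backup set: clean, then tampered, then stale."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backup = root / "backup-2024-01-01"          # constructed name
        (backup / "data").mkdir(parents=True)
        (backup / "data" / "invoices.csv").write_text("id,amount\n1,100\n")
        (backup / "config.ini").write_text("[app]\nmode=prod\n")
        manifest = root / "manifest.json"
        created = 1_700_000_000.0                    # constructed fixed timestamp
        write_manifest(backup, manifest, created_at=created)
        day = 86_400
        clean = verify_backup(backup, manifest, max_age_seconds=day, now=created + 3600)
        # Simulate silent tampering or bit-rot in one file after the manifest was taken.
        (backup / "data" / "invoices.csv").write_text("id,amount\n1,999\n")
        tampered = verify_backup(backup, manifest, max_age_seconds=day, now=created + 3600)
        # Restore the file but pretend two days have passed: the RPO is violated.
        (backup / "data" / "invoices.csv").write_text("id,amount\n1,100\n")
        stale = verify_backup(backup, manifest, max_age_seconds=day, now=created + 2 * day)
    return clean, tampered, stale


if __name__ == "__main__":
    for label, report in zip(("clean", "tampered", "stale"), demo()):
        print(label, json.dumps(report))
```

Run the drill from a scheduler against each backup generation and alert on any report where `ok` is false; a hash mismatch or an unexpected file in a backup that nobody should have touched is an early indicator worth investigating, and a stale backup tells you in advance how much data a restore would lose.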
And finally, avoid putting all your eggs into one basket — heterogeneity in IT devices, software, and services can actually enhance security, though it does, of course, make it more difficult to manage your infrastructure. So, the next time you’re tempted to go all-in with a hand you think is a winner, pause and take a breath and ask yourself: Are you willing to lose your shirt?
Featured image: Shutterstock