Cisco on ransomware attacks: To pay or not to pay?

Fady Younes, Cybersecurity Director, Middle East and Africa at Cisco, elaborates on what to do while under a ransomware attack.

Ransomware is causing sleepless nights for CIOs across the world. Attacks are on the rise. We’ve seen high-profile attacks on large companies and critical networks, and most never even make it to the headlines.

While you can do a lot to prevent and limit the impact of attacks, one question haunts CIOs and CFOs more than anything: should you pay the ransom?

To answer this question, Cisco’s Fady Younes shared his thoughts around some of the main arguments to help those preparing for such a situation.

The basics – what is ransomware?
Ransomware is a type of malicious software or malware. It encrypts a victim’s data, after which the attacker demands a ransom. Once the ransom is paid, the attacker sends a decryption key to restore access to the victim’s data. The ransom can range from a few hundred dollars to millions of dollars. Typically, payment is demanded in the form of a cryptocurrency, such as bitcoin.

What are the risks of paying?
If you choose to pay up, you essentially trust the very criminals who just broke into your network and took you hostage, with no guarantee that they will in fact do as promised and unlock your data. To continue that line of thought, if the cybercriminals do unlock your data, you are still faced with at least three substantial risks:

  • Paying the ransom does not remove the cybercriminals from your environment, nor fix the underlying security issues that were leveraged to gain a foothold on your network in the first place. And who’s to say they won’t build in a backdoor to pay you a visit in the future?
  • It is easier to generate revenue from existing customers than it is to find new ones. That goes for hackers as well. Even without a backdoor, they have already done the work and know the ins and outs of your network. They may try their luck with your company again.
  • How do you know the now unlocked data hasn’t been accidentally corrupted? There are several things that could go wrong, even if the ransomware author is trying to do the “right thing”.

The ransom itself is only the initial cost and doesn’t advance you any further than you were at the moment of the breach. Notifications, security training, and retooling security platforms to address the root cause will be much more expensive.

Should paying be my last resort?
Paying the ransom should be the last resort of any cybercrime victim, yet it is understandable that some choose to pay up, because in many cases, it makes more fiduciary sense to pay the ransom. For example, last year, the City of Atlanta in the United States spent roughly $17 million to recover from a ransomware attack when the attackers had initially demanded a ransom of $52,000.

We should also recognize that no two cases are the same. It’s understandable that those cases with widespread societal consequences or potential impact on human safety present a stronger push to pay those responsible. 

What are your recommendations?
If you are the victim of a ransomware attack and choose to pay, you become a business partner of cybercriminals. Cybercriminals whose identity you don’t know. Criminals who are unlikely to be held accountable by law enforcement and who hold all the cards. If that sounds like something you want to avoid, here are the basic actions you must consider:

Look at your company like an attacker would
This is how you best understand weak points in your architecture and processes. Prioritize and mitigate vulnerabilities identified when looking at your company from an attacker’s perspective. Cybercriminals are motivated by quick and easy financial gains – make yourself an expensive and difficult target for the criminals. Be unattractive to them.

Manage cyber risks like any other risk
Never rely 100% on your ability to keep hackers out. Even the best architecture can be breached. Have a contingency plan ready – one that involves all relevant parts of your organization, such as Legal, HR, Finance, IT, your Board and Executive Team.

Beyond the individual company and organization, what can be done?
Several of the world’s biggest tech companies, including Cisco, have formed the Ransomware Task Force in an effort to address the root causes, in acknowledgement that international and public-private collaboration is critical. We must turn our efforts from what the ransomware actors have done to what allows them to operate. The goal must be to ultimately dismantle and disrupt the ransomware groups and deter others.

What can Cisco offer to help companies defend themselves?
Cisco Secure offers a number of security solutions that not only address security concerns based on key trends but can also be tailored to meet the specific requirements of a business. These products integrate seamlessly with the Cisco SecureX platform and include Cisco Secure Network Analytics, Cisco Secure Endpoint, Cisco Secure Firewall, Cisco Secure Email and more. Each of these solutions helps to secure areas which ransomware attackers may attempt to exploit.