Last week, US shipping tech firm Pitney Bowes was hit with a ransomware attack that “encrypted information” on its systems. While it is reported the company is working with a third party to address the issue, it still faces the challenge of whether to pay the ransom.
Recently, the FBI issued a Public Service Announcement examining the threat of ransomware attacks on US businesses and organisations. Amongst the advice, the document discusses whether organisations should pay a ransom if infected.
Historically, companies were strongly advised to never pay a ransom, but this stance has softened slightly. The FBI acknowledges that meeting a ransom demand is now a plausible option for businesses.
Peter Groucutt, managing director of Databarracks, says that – while tempting – organisations should retain a non-negotiation philosophy in the face of ransomware demands.
“We’ve seen a lot of incidents reported in the press, particularly public sector organisations in the US, hit by ransomware attacks. While some remain staunch on not negotiating with criminals, there are those who have actually relented and paid a ransom to get their data back. Given ransomware attacks are becoming more common, there’s no excuse to be unprepared.
“Agreeing to pay a ransom isn’t conducive to long-term security. Cyber criminals, experienced and new, see it as a big money-making opportunity and are consequently devoting vast resources to develop new strands and new methods of delivering ransomware. Being seen as a ‘payer’ makes you vulnerable and potentially invites further attacks.”
Groucutt continues, “We recommend organisations retain a non-negotiation philosophy – instead of paying, companies should try to recover their information from historic backup copies of their data.
“When recovering from ransomware, your aims are to minimise data loss and IT downtime. Unfortunately, there is no way a business can completely prevent itself from an attack. But by having a defensive strategy you can reduce the impact of an attack.
“The Incident Response Team or Crisis Management Team must have the authority to make quick, large-scale, operational decisions, taking systems offline to limit the spread of infection. Once the ransomware has been isolated and contained, you must find when the ransomware installation occurred to restore clean data from before the infection. When the most recent clean data is identified, you can begin a typical recovery, restoring data and testing before bringing systems back online.”