The discussion about whether to pay the ransom in a ransomware attack is very much alive.
Many people have strong opinions, but the actual victims of ransomware are seldom heard. They mostly keep silent.
This article is an English translation and adaptation of an article originally published in Dutch.
(Source) Initial article in Dutch : https://identityunderground.wordpress.com/2021/07/30/de-oplossing-tegen-ransomware-volgens-brian/
In Trends magazine, Brian Schippers published an opinion article a few days ago proposing a very easy and simple solution against ransomware: don’t pay. (Source: Trends)
I must admit, it’s a great opinion article to get a nice discussion going with companies. At least it helps to raise awareness of ransomware and ransom payments. But unfortunately the article is not exactly ancient Greek wisdom [σοφός].
But he’s right about the reprehensible statements made by some ransomware victims. It is outrageous that a company dares to claim that ‘only’ 300K was paid.
(translated quote) “We understand that we are suffering reputation damage, but we can’t be blamed,” the company manager told reporters. That statement in the press will haunt him for a while.
And it’s not the first time we’ve witnessed such statements. For another company from the Westhoek (the western part of Belgium, near the coast), it was “less than 1 million”…
It says a lot about how little business leaders worry about ransomware, or how careless they can be in protecting their business.
And Brian puts forward a very nice theory of how to stop ransomware… in an ideal world.
But unfortunately, the article gives no indication that the opinion-maker has ever, in real life, stood beside a defenseless victim who is completely at the mercy of some remote criminal.
Because the choice to (NOT) pay a ransom only exists if you have a well-functioning and thoroughly tested backup and restore system.
By the time it happens, all preventive measures have clearly failed already. It’s far too late for regrets…
Prevention only works BEFORE the criminal strikes. Or after he has left, to avoid a repeat.
People do not choose to pay ransomware. It’s the last resort.
They simply have no choice. All other means are already exhausted or unavailable.
You don’t pay a ransom if your backup/restore system works properly.
Without a guaranteed recovery function, the math is very simple.
If you
- DO NOT pay = 100% GUARANTEE that you LOSE your DATA, and you’re almost certain that your company will also be dead very quickly, or will at least suffer long-term or irreparable damage.
- PAY = there is SOME chance that you may see (some of) your data again. That’s always better than the previous option, no matter what it costs.
The third option, in between, is that the cost of the ransom is lower than the real cost of restoring your data. If you run into a cheap criminal, all you can do is negotiate the price down and limit the damage. Pure math.
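What “thoroughly tested” means in practice is a restore drill, not a backup job that reports success. The following is an added example and not code from the original article or from Mr. Schippers: it creates a few constructed sample files, backs them up with a hash manifest, runs a crude simulated encryptor (random overwrite plus rename, not a real sample), and then checks whether the data can actually be brought back intact. Run it twice: once with the backup reachable from the compromised machine (it is lost together with the rest) and once offline (it survives). All file names and functions such as restore_drill() are this example’s own.

```python
"""Restore drill for a file backup (added example, not from the original
article). Everything is constructed and runs in a temporary directory:
sample "production" files, a copy that plays the backup, and a crude stand-in
for ransomware that overwrites and renames every file it can reach."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path

# Constructed sample data: what the business would need back after an attack.
SAMPLE_FILES = {
    "finance/ledger.csv": b"date,amount\n2021-07-01,1250.00\n2021-07-02,-300.00\n",
    "hr/contracts.txt": b"Contract A: signed\nContract B: pending\n",
    "notes.md": b"# Restore test\nKeep the manifest offline.\n",
}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src: Path, dst: Path) -> dict:
    """Copy the src tree into dst and return a manifest {relative path: sha256}.
    The manifest is what later proves a restore is complete and intact, so it
    belongs with the offline copy, not on the server that may get encrypted."""
    manifest = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            rel = p.relative_to(src)
            target = dst / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(p, target)
            manifest[str(rel)] = sha256_file(target)
    return manifest


def simulate_ransomware(reachable: list) -> int:
    """Crude stand-in for an encryptor: overwrite every file under the given
    roots with random bytes and add a .locked suffix. It only touches what it
    can reach, which is exactly why an offline backup survives."""
    hit = 0
    for root in reachable:
        for p in list(root.rglob("*")):
            if p.is_file():
                p.write_bytes(os.urandom(p.stat().st_size + 16))
                p.rename(p.with_name(p.name + ".locked"))
                hit += 1
    return hit


def restore_and_verify(backup: Path, manifest: dict, dst: Path) -> list:
    """Restore every manifest entry from backup into dst and return the
    relative paths that are missing or whose hash no longer matches.
    An empty list means the restore is proven, not assumed."""
    failures = []
    for rel, expected in manifest.items():
        src, target = backup / rel, dst / rel
        if not src.is_file():
            failures.append(rel)
            continue
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        if sha256_file(target) != expected:
            failures.append(rel)
    return failures


def restore_drill(backup_reachable: bool) -> list:
    """Full drill: create data, back it up, let the simulated ransomware loose
    (also on the backup if it is reachable from the compromised host), then
    restore into a fresh directory and verify. Returns the failure list."""
    with tempfile.TemporaryDirectory() as tmp:
        prod, backup, restored = (Path(tmp) / n for n in ("prod", "backup", "restored"))
        for rel, content in SAMPLE_FILES.items():
            f = prod / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_bytes(content)
        manifest = make_backup(prod, backup)
        simulate_ransomware([prod, backup] if backup_reachable else [prod])
        return restore_and_verify(backup, manifest, restored)


if __name__ == "__main__":
    print("backup reachable from the host, failures:", restore_drill(True))
    print("backup offline, failures:", restore_drill(False))
```

The drill is the check a practitioner wants before trusting the “don’t pay” option: the reachable backup comes back with every file missing, the offline one restores with matching hashes. A real drill restores onto clean hardware and times the whole thing, because the recovery time is part of the cost the ransom is being weighed against.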
What if…?
It’s very easy to imagine: a good-looking home-jacker rings the doorbell at your home, and your dearest opens the heavily armored front door.
A few seconds later, the robber, with a gun to your dearest one’s head, demands that you empty your bank account completely.
Are you going to pay or not?!
Do you have a choice?!
Replacing your dearest… is not an option, I would think.
With ransomware, the situation is exactly the same.
Well, Brian Schippers apparently doesn’t think so.
In his article, Mr. Schippers is very convinced that you should certainly not pay a ransom. But the article does not offer any concrete, useful solution or practical suggestion as an alternative.
He talks about a “security solution”… and reading between the lines, you can easily guess where it should come from.
But there is no mention of decent, continuous training of people, thorough awareness training, or thorough backup/restore, or better still offline backup, even in the current age of cloud.
Because with “smart” software alone, it won’t work.
Even with the best technical security you have, people remain the weak point.
And the stronger the security, the more crime will target people directly.
And people make mistakes. People make software. All software contains errors.
And mistakes will always be exploited.
And you only need one employee who is fooled by a cleverly designed but infected mail, or by a friendly stranger on the phone.
It happens in no time; there are more than enough statistics from practice.
Because attacks and phishing are so well designed these days that even cyber professionals can’t easily spot fake mails.
“The budget should not be a problem.”
Yes, yes, of course it shouldn’t, Brian! Nice slogan.
NOT.
Because practice proves something completely different:
cyber protection < a very small percentage of the IT budget < a small percentage of the company budget.
Well, now what?!
It would be quite different if business leaders and managers were personally held liable for a pertinent lack of “state-of-the-art” (i.e. up-to-date) security that properly aligns people, processes and technology.
Only THAT would solve the whole ransomware problem, very quickly: deprive the criminal of his leverage.
Don’t look too far. Just look at how insurance companies operate in real life.
See how they handle car, fire, liability or other insurance: if it is shown that you were negligent, or knowingly refused to implement sufficient security, the insurer will not pay, or will claim the payout back.
Easy and simple, isn’t it?
Not so in cyber insurance; that’s the wild west. For a couple of thousand euros in premiums, you get a bag of money of a couple of million to pay the criminal.
You’re betting on the hackers giving up.
And if you bet that hackers will give up soon, start by giving a “tournée générale” (buying a round for everyone).
Because cybercrime and ransomware are big business. They make a lot of money with crime, so they won’t give up. Not now, not ever.
[By the way, just because known ransomware groups suddenly disappear doesn’t mean they’re gone. We don’t know the facts about that yet…]
But criminals don’t respect any law or rule. And they certainly don’t have ethical principles. It’s just a business that makes a lot of money.
So they always have a head start, and they are highly motivated. And they will twist your arm even harder… or worse.
Finally
We must keep repeating that state-of-the-art security means security measures at different layers and levels, which look beyond technology alone.
When you keep claiming that you should not pay for ransomware, you’re running behind the facts. In practice, it doesn’t solve anything… People in distress and panic will ignore laws and ethical guidelines.
In physical life too, many authorities officially declare that they do not give in to ransom demands. Is paying a ransom prohibited by law? Yet in many cases, money is paid clandestinely. Reality check.
So?
Make sure that the liability for implementing poor security measures hurts the right person, in the right place. Not the employees, but their boss.
And consequently:
make sure that cybersecurity is sponsored at top management level.