#anti-virus #protection #response

Why Paying to Ransom Your Data Doesn’t Save Your Ass

by Al Hartmann

June 27, 2019

With your enterprise data held for ransom by a ransomware attacker, you might be tempted to pay the ransom, thinking to minimize restoration time and cost. But that argument rests upon specious logic—ransom payment can only compound your dilemma. Don’t be played for a fool.

The Problem

As the realization dawns that your enterprise has suffered a widespread ransomware attack and been brought to its knees, you desperately look for a quick fix to restore operations and secure your enterprise. What backup assets are available? How long will it take to restore databases and data files? Could we lose recent transactions or even incur substantial permanent data loss? If we refuse extortion demands, could the attackers wipe our systems or corrupt firmware, making systems unbootable or even unrestorable? If we refuse their demands could the attackers sell or publish our data? Can we even afford to do a full recovery from backup, in time, staff resources, lost revenues, or mission damage? What can we do?

To Pay Up or Tough It Out

Headlines continue to report contrasting responses to actual ransomware attacks against both government entities and commercial enterprises. Some victims view a ransom payment as the quick way out of their insoluble dilemma, while other victims bite the bullet, bring down their operations, and get to work with a full restoration costing many times the ransom demands and taking far longer to complete. Which of these victim responses is wise and which is foolish? Certainly, the challenges, risks, and options will vary for each case, but in large measure, paying a data ransom is wrong, dead wrong!

To argue rationally we must begin with the basic elements of information security as represented by the classic CIA triad - confidentiality, integrity, and availability. In a ransomware attack, the first of these pillars to be lost is confidentiality, as the attackers inventory data assets and then begin reading and encrypting (and possibly exfiltrating) files. Once the files are encrypted, then down goes availability. Now at this stage confidentiality and availability have both been lost. Let’s assess.

Confidentiality can no longer be guaranteed after the attack, since there has been unauthorized data access. Maybe your incident response team has sufficient network and endpoint monitoring visibility and log retention to determine if data likely has been exfiltrated or not, but that cannot be ascertained with total certainty. The conservative assumption is that your enterprise has been breached and proper notifications are due.

Due to file encryption in the attack, data availability is also lost, and your challenge now is to restore availability in a timely manner. But data availability cannot be restored at the expense of the third pillar, data integrity. Opting to pay the attackers’ ransom demands means that the attackers will supply a key to their attack code to enable file decryption. However, there is no guarantee that these operations of file encryption, decryption, and rewriting of file contents by attacker-controlled malware are done without error and without malevolent intent to introduce unauthorized insertions, deletions, or modifications.

The only method to retain data integrity is to restore from trusted, secure sources. Any data obtained through unauthorized parties and processes must be considered tainted and untrustworthy, period. In that case the chain of custody has been broken, the data now lacks validity and authenticity guarantees, and it would be challengeable in court. In addition, any new data based upon this untrusted data, such as running account balances or downstream transactions, also becomes untrustworthy, built upon a flawed foundation. Thus, over time the taint could metastasize, enveloping newer data and transactions, until information trust is entirely lost.
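The check implied by the argument above, as an added example that is not part of the original post or of Ziften's product: files handed back by attacker-controlled decryption are trusted only where their digests match a manifest taken from a trusted backup before the incident. The manifest, file names and contents below are constructed for illustration.

```python
# Added example (not from the post or Ziften): verify a restored tree against
# a SHA-256 manifest taken from a trusted pre-incident backup.
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root: Path) -> dict:
    """Digest every regular file under root, keyed by relative POSIX path."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_tree(root: Path, manifest: dict) -> dict:
    """Classify each restored file as ok, modified, missing, or unexpected."""
    found = build_manifest(root)
    report = {"ok": [], "modified": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        if rel not in found:
            report["missing"].append(rel)
        elif found[rel] != digest:
            report["modified"].append(rel)       # content differs from trusted copy
        else:
            report["ok"].append(rel)
    report["unexpected"] = sorted(set(found) - set(manifest))  # not in backup
    return report

def demo() -> dict:
    """Constructed scenario: trusted backup vs. a 'decrypted' tree with one
    silently altered ledger entry and one file the malware left behind."""
    with tempfile.TemporaryDirectory() as tmp:
        trusted, restored = Path(tmp, "trusted"), Path(tmp, "restored")
        for d in (trusted, restored):
            (d / "ledger").mkdir(parents=True)
        (trusted / "ledger" / "q1.csv").write_text("acct,balance\n1001,250.00\n")
        (trusted / "ledger" / "notes.txt").write_text("reviewed\n")
        manifest = build_manifest(trusted)   # captured before the incident
        (restored / "ledger" / "q1.csv").write_text("acct,balance\n1001,25.00\n")
        (restored / "ledger" / "notes.txt").write_text("reviewed\n")
        (restored / "ledger" / "README_DECRYPT.txt").write_text("...\n")
        return verify_tree(restored, manifest)
```

Any file in the modified or unexpected lists is exactly the kind of silent integrity loss the paragraph above warns about, and only the trusted backup copy should be kept.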

Data Integrity Guidelines

Because enterprise data integrity is not optional, caving to ransomware extortion demands is not an option. It may be an option for consumers threatened with loss of their digital photo albums or personal contact lists, but not for the enterprise and especially not for government organizations. A number of data integrity and information security guidelines are available from various government agencies, especially where data integrity may affect health, safety, financial integrity, physical safety, or critical infrastructure. For example,

What is "data integrity"?

For the purposes of this guidance, data integrity refers to the completeness, consistency, and accuracy of data. Complete, consistent, and accurate data should be attributable, legible, contemporaneously recorded, original or a true copy, and accurate (ALCOA).

--FDA Data Integrity and Compliance Guidance for Industry, Dec. 2018

A raft of information security compliance standards and documents are available from NIST, especially the Cybersecurity Framework and Special Publication 800-53. Another excellent reference is the ISO/IEC 27000 standards family. Compliance with these frameworks will help prevent or alleviate victimization by cybercrime ransomware groups targeting enterprises. Compliance is not simple, easy, cheap, or quick, but is worth the security investment. Continuous monitoring and cyber vigilance are incorporated in these standards and will serve your enterprise well. Armor up, don’t pay up!
