Ransomware is malicious software that either encrypts the victim's data, or lets a perpetrator copy it and threaten to publish it. Access to the data, or a promise not to publish it, is then offered in exchange for a monetary ransom, usually payable within a set time. Encryption is by far the more common approach, and was used in the two most widely publicised cyber-attacks of 2017 so far: WannaCry and NotPetya.
For businesses, charities, universities, healthcare providers and similar organisations, the impact of ransomware can range from being a minor irritation to constituting a catastrophe. It may be possible to rapidly reconstitute affected systems and data, from back-ups or alternative sources. Alternatively customer records, shipment details, accounting software, academic records, research data, patient records and other vital systems may be locked away, strangling operations.
Victims in the latter camp will feel particular pressure to pay the ransom (the demand often rises as time passes, up to a hard deadline after which, the attackers claim, decryption is no longer possible). Whether to pay is a question that deserves serious consideration.
Ransomware depends on a trust model: victims must believe that if they pay, they will receive a valid decryption key and regain access to their files. The criminals behind it therefore need a process that lets them confirm a payment, match it to the particular victim, and release the correct key swiftly.
In reality, successful decryption is not guaranteed. Telstra's 2017 security report found that roughly one in three victims who paid a ransom never recovered their files. Much depends on the motive, organisation and planning of the perpetrator; incompetent or outright malicious operators are unlikely to deliver working decryption, as both of 2017's headline attacks showed:
- In the NotPetya attack, victims had to email a single, specific address to confirm that payment had been made, after which they were to receive the decryption key. Once the attack was publicised, the email provider simply shut down that account. Victims who paid therefore had no way to contact the perpetrators and never obtained a key. (Subsequent analysis of the malware suggested that recovery had never been possible: the victim identifier it displayed carried no key material, so even the perpetrators could not have decrypted the data.)
- The process behind the WannaCry worm was similarly flawed. Payments could not be automatically matched to individual victims, so the perpetrators had to verify each payment and release the corresponding key by hand. With hundreds of thousands of devices affected, that quickly became unworkable.
Even those who pay and receive a working key face an ongoing threat. Organisations that pay risk being labelled easy targets (criminal outfits compile and trade "suckers" lists of victims known to pay), and if the vulnerability that let the ransomware in remains unpatched, nothing stops the same system being hit again straight away. Nor is there any guarantee that the perpetrators did not copy the data before encrypting it.
So what should you do? First, consult the No More Ransom project (https://www.nomoreransom.org), launched in 2016 by Europol, Kaspersky Lab and others. It collects decryption tools covering numerous ransomware families; many of these tools exist because the malware authors made mistakes in their use of cryptography. Second, engage malware-analysis or incident-response specialists: the flaws in WannaCry and NotPetya that undermined decryption were apparent to analysts who reviewed the code. Paying the ransom should be a last resort.
As ever though, prevention is better than cure. Organisations still running old, unsupported software should plan to upgrade soon; WannaCry spread chiefly through a Windows flaw for which a patch had been available for two months. Those on supported software should apply the free patches distributed by developers promptly. Finally, an appropriate and properly implemented back-up system is vital: copies should be kept offline or otherwise out of reach of any machine that could be infected (ransomware routinely encrypts every drive and network share it can write to), and restores should be tested regularly, because a back-up that cannot be restored is no back-up at all.
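As an added illustration of what "properly implemented" means in practice (this is example code written for this page, not a tool from the article or from any project it mentions), the script below records a SHA-256 manifest of a backup set at backup time and later verifies a copy against it, flagging files that are missing, files whose content changed, and changed files whose bytes are near-random, which is the signature of having been encrypted in place. The directory layout, file names, contents and the 7.5 bits-per-byte entropy threshold are all constructed assumptions for the demonstration.

```python
"""Backup integrity check: hashed manifest plus restore-time verification.

Added example, not code from the original article. The backup layout, the
sample files and the entropy threshold below are assumptions for the demo.
"""
import hashlib
import json
import math
import os
import tempfile
from pathlib import Path

# Bits of Shannon entropy per byte above which a file looks encrypted or
# compressed rather than like ordinary documents (assumed threshold).
ENTROPY_THRESHOLD = 7.5


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is the maximum for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root: Path) -> dict:
    """Record relative path -> sha256 for every file under root (run at backup time)."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(root: Path, manifest: dict) -> dict:
    """Compare a backup copy against the manifest recorded when it was taken."""
    report = {"missing": [], "modified": [], "suspicious": [], "ok": 0}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            report["missing"].append(rel)
            continue
        if sha256_file(p) != expected:
            report["modified"].append(rel)
            # Changed content that is also near-random is what in-place
            # encryption by ransomware looks like; ordinary edits are not.
            if shannon_entropy(p.read_bytes()) > ENTROPY_THRESHOLD:
                report["suspicious"].append(rel)
            continue
        report["ok"] += 1
    return report


def demo() -> dict:
    """Constructed scenario: take a backup, then simulate one file being
    encrypted in place and another deleted, and run the verification."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "backup"
        (root / "records").mkdir(parents=True)
        # Constructed sample data standing in for patient records, a ledger and notes.
        (root / "records" / "patients.csv").write_text("id,name\n1,Alice\n2,Bob\n" * 50)
        (root / "records" / "ledger.txt").write_text("2017-06-27 invoice 42 paid\n" * 50)
        (root / "notes.txt").write_text("quarterly review\n" * 20)

        manifest = build_manifest(root)
        # The manifest is stored outside the backup tree; in production it
        # belongs on read-only or offline media the backup host cannot rewrite.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(manifest, indent=2))

        # Simulate ransomware: overwrite one file with random bytes, delete another.
        (root / "records" / "patients.csv").write_bytes(os.urandom(4096))
        (root / "notes.txt").unlink()

        return verify_backup(root, json.loads(manifest_path.read_text()))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check only helps if the manifest is kept where an infected host cannot rewrite it alongside the files, and the verification should be run as part of a scheduled test restore rather than only after an incident, since the point is to know before you need the backup that it is intact.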