Ask security experts what to do when hit with ransomware -- the sophisticated malware that infects a device or network, uses military-grade encryption to restrict access, and demands payment for the decryption key -- and you'll typically get the same answer: "never pay the ransom."
But for many, that's simply not an option. For example, last November an employee in the Sheriff's Department in Dickinson County, Tenn., accidentally clicked on a malicious ad and exposed the office network to the infamous CryptoWall ransomware. Detective Jeff McCliss told local News Channel 5 that CryptoWall had encrypted "every sort of document you could develop in an investigation," such as witness statements and evidence photos. Even after consulting with the FBI and U.S. military, McCliss told the news station that the only solution was to pay the $500 to the cybercriminals to get their files back.
This wasn't an isolated case -- for example, a police department in suburban Chicago recently paid a $600 ransom after it was struck by a similar attack, according to the Chicago Tribune. Enterprises that aren't fully prepared for a ransomware attack really have no incentive not to pay. In fact, many of those who do think they're prepared find that they have no option other than to negotiate with their hostage takers.
Organizations that employ real-time backup and frequently test their tools typically survive a ransomware attack unscathed -- they can simply wipe the infected device and restore the backed-up files.
This is hardly the reality for many organizations, especially for mid-sized companies with limited to no IT resources or even larger organizations whose IT staff is spread thin. Even organizations that have prepared for this kind of scenario often find that their file restore functions don't work, says Stu Sjouwerman, CEO of security training firm KnowBe4, which has advised and assisted victims of ransomware. Many organizations that invest in a file backup solution fail to test their restore function. When they need it to work, they find that they cannot restore all the files that they backed up, rendering the backup efforts futile.
"They overlook [testing the restore function] all the time," Sjouerwman says. "It is a best practice, but IT is, as you well know, under a lot of pressure. They are forced to put out fires all day long and in the meantime also put new systems online. So it's hard to find time for that type of thing in a day-to-day IT environment."
From there, the decision to pay basically comes down to whether the data that was encrypted is worth more than the ransom demanded.
In most of these cases, paying the ransom is a "no-brainer" for the organization, Sjouwerman says. That's because ransomware is largely automated, demanding around $500 in exchange for the decryption key for all victims. The ransom for a police department's evidence might be the same for a personal PC user's photos.
Sign up for CIO Asia eNewsletters.