In a recent public service announcement, the FBI slightly adjusted their stance regarding whether victims of ransomware attacks should pay the ransom…sort of.
Whereby they used to simply say “don’t pay under any circumstances” it has now taken a slightly lighter approach.
While they still say that companies should not crack under the pressure of an attack, they also acknowledge that paying the hacker to resume normal business is a viable option.
The (somewhat sound) advice given to most organisations is to never pay the demand. One key reason for this is that many forms of ransomware are irreversible, and many others damage the data in the encryption process and can never be fully recovered.
There is also the argument that it encourages hackers to keep attacking. If a firm as large and influential actually told businesses to just pay the ransom every hacker and their dog would be on the attack.
Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.
Regardless of whether you or your organization have decided to pay the ransom, the FBI urges you to report ransomware incidents to law enforcement. Doing so provides investigators with the critical information they need to track ransomware attackers, hold them accountable under U.S. law, and prevent future attacks.IC3 alert number I-100219-PSA
In other words, “Don’t pay them…unless you have to…but tell us if you do…or don’t”
Somewhat confusing, no?
Indeed there lies the issue, how can any firm give definitive guidelines on an event with so many variables?
Our stance on the matter is far less vague:
Prevention is better than cure.Phishing Tackle – 4th October, 2019
It is infinitely preferable to have security-focused staff who are trained to spot phishing emails and keep software up to date, than it is to wait until you eventually have to make a decision between a rock and a hard place.
We also understand that no single security solution is going to solve all your problems. There must be a culture shift towards focusing on all 3 aspects of the information security triangle, People, Process and Technology. Far too many organisations focus on the latter two and ignore the first entirely.
Your staff are your first and last line of defence, regular Security Awareness Training (SAT) is essential to the health of your organisation. You may be surprised at how affordable it really is. And when you compare it to how expensive a successful ransomware attack can be, there is not a better return on investment out there.