A ransomware attack can be an end-of-life event for a small company. Paying the ransom can drain the cash reserves of a small business, sometimes to the extent that it can never recover. There’s also the reputational damage and the risk of losing clients to seemingly more reliable rivals.
When a ransomware attack does occur, it can be tricky to know how to respond if you don’t have a plan of action in place. Ransomware attackers are very good at piling on the pressure and pushing you to make a snap judgement, says Rob Demain, the CEO and Founder of cyber security consultant e2e-Assure.
“As time goes on, the price starts going up. They hit you with time pressure because they don’t want you to have any thinking time. If you’re in a chat window with ransomware attackers and you don’t respond, they will say things like: ‘You’re not responding. We’re going to sell your data.’ They won’t stop pushing you to pay.”
Many SMEs don’t realise that holding their data ransom does not necessarily require sophisticated software. If an attacker can get into a cloud-based system using a compromised email account, they can get your data.
“They don’t need to use encrypting ransomware or run an exploit because they’ve got your accounts and therefore they’ve got your data. They move on to the ransom,” says Demain.
The big question for businesses in this situation is whether it’s a good idea to pay up or not. On one hand, you have potentially great cost. On the other, there’s the risk of losing your data. It’s important to remember, first and foremost, that you’re dealing with experienced, organised criminals, says Demain.
“You’ve got to understand what’s going on and who you’re dealing with. They may come across as friendly, but these are criminals and they are dangerous. If you pay a ransom, you’re paying money to terrorists.”
Pravesh Kara, Security and Compliance Product Director for IT company Content+Cloud, recommends that you avoid negotiating if possible. “Paying ransoms adds further fuel to the fire, inciting repeat behaviour in ransomware groups. There is also no guarantee that they’ll actually decrypt or honour any agreement.”
You also need to be aware of any country-level sanctions that might be in place, says Kara. That could mean that you lose money to ransomware and the government penalises you. “Report it to the National Cyber Security Centre and call Action Fraud, which can help you.”
If you really have no option to get your business back up and running, keep the conversation short and plain, says Kara. “Respond promptly, but delay decisions, cite any issue you can in gathering the amounts they are asking for, ask for extensions on deadlines, then when reaching the final throes of negotiations ask for a significant discount. They usually want to close payment and move on quickly so do tend to reduce their asking price the longer you can negotiate. If you don’t feel comfortable negotiating, then there are ransomware negotiation services available that can help and further limit the damage.”
This, however, comes with a lot of risk. Demain says that the best solution is to take precautions to ensure you can restore your data yourself. Back up your data on a safe, separate drive, he says.
“That’s your weapon; I can restore my data, therefore this ransom isn’t going to work. They’ve still stolen the data – that’s a different issue – but it’s not going to stop your operations. If you make sure you’ve always got a copy of the data, they can’t act.”
Do not be concerned about playing hardball with ransomware attackers, he says. There is nothing you can do to get back your data; they have it. It is outside of your control, so focus on the factors that are, he says.
“You might as well just restore everything and not worry too much because the extortion is going to happen anyway. The key is to reinstall the data from a ransomware-proof backup. You can spend a fortune and still have your data sold on to others.”
Accountancy firms and finance teams should have backups already, so they may already have the solution to the problem at hand, says Demain. “When ransomware really works is when the victim needs that data to function. Unless it’s their busy season, accountants probably have a bit of time to fix the problem. The message is that that could happen, so make sure you have up-to-date backups.”
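The advice above only holds if the backup can actually be restored unchanged, so a restore drill belongs alongside the backup itself. The script below is an added illustration, not code from the article or from either firm quoted in it: it builds a SHA-256 manifest of the live data and checks an offline copy against it, flagging files that are missing or whose contents differ, which is exactly what an encrypted or tampered copy looks like. The sample files and directory names are constructed for the example.

```python
"""Restore drill: prove a backup copy is intact before you need it.

Added illustration (not from the article): a backup only removes the
attacker's leverage if it can be restored unchanged. This builds a
SHA-256 manifest of the live data and compares an offline copy to it,
reporting files that are missing or whose contents differ.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large ledgers don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_backup(manifest: dict, backup_root: Path) -> dict:
    """Compare a backup copy against the manifest.

    Returns {relative_path: "missing" | "changed"} for every problem;
    an empty dict means the copy matches the manifest exactly.
    """
    problems = {}
    for rel, digest in manifest.items():
        candidate = backup_root / rel
        if not candidate.is_file():
            problems[rel] = "missing"
        elif sha256_file(candidate) != digest:
            problems[rel] = "changed"
    return problems


def restore_drill() -> dict:
    """Constructed scenario: a clean copy verifies, a damaged copy does not."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "clients").mkdir(parents=True)
        (live / "clients" / "ledger.csv").write_text("acct,balance\nA1,100\n")
        (live / "notes.txt").write_text("year-end checklist\n")
        manifest = build_manifest(live)  # record this at backup time

        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        clean_result = verify_backup(manifest, backup)

        # Simulate a copy that was reached by the attacker: one file's
        # contents replaced, one file gone.
        (backup / "clients" / "ledger.csv").write_bytes(b"\x00garbage")
        (backup / "notes.txt").unlink()
        damaged_result = verify_backup(manifest, backup)

    return {"clean": clean_result, "damaged": damaged_result}


if __name__ == "__main__":
    print(restore_drill())
```

Keep the manifest with the backup but not only on the live system; if the live copy is encrypted, the manifest stored beside it is lost with everything else. Run the check on a schedule rather than once, so a backup that silently stopped updating is noticed before the busy season.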
Cyber security awareness
Each year ICAEW marks global Cyber Security Awareness month with a series of resources addressing the latest issues and how to protect your business.