
Is paying the ransom the only way to remove ransomware?

Should organizations pay the money to save their attacker-encrypted data and remove ransomware? Expert Mike O. Villegas advises enterprises on the best approach.

Our organization is developing a short policy statement to deal with future ransomware outbreaks. However, a key point we disagree on internally is that some people believe it's okay to pay a ransom for data depending on the cost/value equation, while others think paying the ransom is like negotiating with a terrorist and should just never be done. What approach should we take?

Ransomware is malware that surreptitiously gets onto a computer and then overtly takes control of it by encrypting the files on its hard drive. It holds the information hostage until a ransom is paid for release of the decryption key. Payment is usually demanded in bitcoin, which is pseudonymous and hard to trace, but not anonymous: every transaction is recorded on a public ledger. The ransom is frequently paid when the information or computer taken hostage is critical to the operation of the business or victim. The underlying questions are how this could have happened and what recourse is available. On June 5, 2014, Cisco predicted a rash of ransomware attacks, and this is starting to come to pass.

Companies that fall victim to ransomware and wind up paying the ransom tend to have either poor backups or insufficient controls. Where both are working effectively and the company still succumbs to a more sophisticated attack, the greater concern is usually the reputational or financial risk if the incident goes public.

Should a company pay a ransom for information or computers taken hostage? Ethically speaking, the answer is no. But in a practical sense, given the criticality of the asset, it might have to. If refusing to pay would jeopardize the business's viability, there are few choices. If the organization can absorb the loss, the ransom should not be paid and attention should go to preventing a recurrence. Note that paying does not, by itself, remove the ransomware: at best it buys a decryption key, with no guarantee that the key works, and the malware and whatever access the attackers used to plant it still have to be eradicated before decrypted or restored systems go back into service.

There are several steps organizations can take to prepare for a ransomware attack: back up critical data daily, using incrementals to keep the backup process manageable, and keep at least one copy offline or otherwise out of reach of the systems it protects, since ransomware that can reach the backup will encrypt it too; test restores periodically, because a backup that has never been restored is an assumption, not a control; maintain strong network security; verify and periodically test malware detection and application controls; and deploy comprehensive monitoring to detect unauthorized access attempts and unknown or unexpected changes in the environment, such as a burst of file modifications or renames across a file share. The key is to have sufficient controls and recovery processes in place so that a hostage situation is merely an inconvenience, not a critical business threat.
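As an added example (not part of the expert's answer above), the following Python script shows the two controls that matter most in that paragraph: a baseline manifest of file hashes that is used to flag a ransomware-like burst of changes (most baseline files gone or altered, their replacements looking like ciphertext, a new extension appearing), and a restore check that proves every baseline file is recoverable from an offline copy. The directory layout, the entropy and change-ratio thresholds, and the simulated encrypt-and-rename attack are all constructed for the demonstration; nothing here is taken from a real incident.

```python
"""Added example: flag ransomware-like mass file changes against a known-good
baseline and verify that an offline backup can restore everything.
Paths, thresholds and the simulated attack are illustrative assumptions."""
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, far lower for text."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_manifest(root: Path) -> dict:
    """Baseline: relative path -> sha256 for every regular file under root."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def scan_for_ransomware(root: Path, manifest: dict,
                        entropy_threshold: float = 7.5, change_ratio: float = 0.5) -> dict:
    """Compare the live tree with the baseline. 'suspicious' means a large share of
    baseline files disappeared or changed AND the new content is mostly ciphertext-like.
    The thresholds are assumptions to tune per environment."""
    live = {str(p.relative_to(root)): p for p in root.rglob("*") if p.is_file()}
    missing = [rel for rel in manifest if rel not in live]
    altered = [rel for rel, p in live.items()
               if rel in manifest and sha256_file(p) != manifest[rel]]
    unknown = [rel for rel in live if rel not in manifest]
    high_entropy = [rel for rel in altered + unknown
                    if shannon_entropy(live[rel].read_bytes()) >= entropy_threshold]
    new_ext = Counter(Path(rel).suffix for rel in unknown)
    touched = len(missing) + len(altered)
    suspicious = bool(manifest) and touched / len(manifest) >= change_ratio \
        and len(high_entropy) >= change_ratio * touched
    return {"missing": missing, "altered": altered, "unknown": unknown,
            "high_entropy": high_entropy, "new_extensions": dict(new_ext),
            "suspicious": bool(suspicious)}


def verify_restore(backup_root: Path, manifest: dict) -> list:
    """Baseline entries the backup cannot restore (absent or hash mismatch).
    An empty list means every baseline file is recoverable without paying anyone."""
    return [rel for rel, digest in manifest.items()
            if not (backup_root / rel).is_file()
            or sha256_file(backup_root / rel) != digest]


def demo() -> dict:
    """Constructed scenario: ten plaintext reports, an offline copy taken beforehand,
    then a simulated attack that replaces each report with random bytes under a
    new extension (a stand-in for ciphertext)."""
    work = Path(tempfile.mkdtemp())
    live, backup = work / "live", work / "backup"
    live.mkdir()
    for i in range(10):
        (live / f"report{i}.txt").write_text(f"quarterly report {i}\n" * 200)
    manifest = build_manifest(live)
    shutil.copytree(live, backup)  # the "offline" copy, taken before the attack
    for p in list(live.glob("*.txt")):
        p.with_suffix(".locked").write_bytes(os.urandom(4096))
        p.unlink()
    result = {"scan": scan_for_ransomware(live, manifest),
              "unrestorable": verify_restore(backup, manifest)}
    shutil.rmtree(work)
    return result


if __name__ == "__main__":
    print(demo())
```

In a real deployment the manifest and the backup copy must live somewhere the compromised host cannot write (a pull-based backup server, object storage with immutability, or offline media); if the ransomware can reach them, the restore check will pass right up until the day it matters. The scan is deliberately coarse: it is meant to raise an alert within one backup interval, not to name the malware family.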


Next Steps

Mike Chapple explains how to deal with advanced encryption algorithms in ransomware.

This was last published in May 2015


Join the conversation

3 comments


Does your organization have a security policy for dealing with ransomware attacks?
Having security policies is one thing and enforcing policies is another.

Most importantly, how many companies actively run user awareness programs?

Paying the ransom is not the only way unless you have miserably failed on your security policies or, more importantly, your backups in case of an attack.

That's a tough one. I still feel we need to be more cautious and diligent doing our back-up procedures. Any time there is new data of high importance I always take a backup. Paying the ransom and getting your data back may just be opening your system to future attacks... Personally I would not pay and would restore my data and maybe have to reprocess a day's worth of data to get back in sync.
