The large-scale WannaCry (WannaCrypt) ransomware attack that crippled well over 100,000 computer systems, most visibly in health care (the UK's National Health Service was among the hardest hit), is a reminder of just how vulnerable the world's computing infrastructure really is. But what's most remarkable about the attack is not its scale or the speed with which it spread, but how easily it could have been avoided.
In my last Inc.com column I talked about ways to survive the inevitability of a cyber attack. However, I didn't call out ransomware specifically. If you haven't yet been the victim of this type of attack, then you need to pay close attention to WannaCrypt. This is the fastest-growing type of attack, and it's one that is especially vicious and wreaks havoc for most organizations as they face the horrible dilemma of paying the attacker to regain control of their computer systems or losing time, money, and potentially lives as they try to discover the vulnerability and recover.
The Ransomware Dilemma
So what is ransomware and how do you deal with it?
I'll keep it simple. Ransomware is any attack that prevents you from gaining access to information needed to run your business until a ransom is paid. Most often this takes the form of either encrypting your files (which remain on your system), with the attacker holding the key needed for decryption, or a screen/system lock that prevents you from reaching your processes and information.
Once the malicious code has been deployed, the attacker demands that you pay a certain amount of ransom in exchange for decrypting your files or restoring control of your information systems. The amount varies, but the average has steadily climbed from hundreds to now thousands of dollars. It's important to note that in the vast majority of cases the attacker has not copied your information, only gained the ability to prevent you from accessing it.
Of course you're already starting to see the dilemma here. You're paying someone who clearly has few ethical or moral boundaries, and has the proven ability to lock you out of your information and systems, to follow through on a promise to restore your access.
In a cybersecurity class I teach at Boston University, I present students with a hypothetical case of a hospital that has suffered a ransomware attack which leaves patients' lives hanging in the balance. Doctors are screaming at IT and the hospital administration to do whatever it takes before patients suffer the real-life consequences of the attack. The administrators are loath to pay up for fear of being attacked again, rewarding the behavior of the attackers, and generally giving in to something and someone so blatantly unethical as to hold the well-being of patients in the balance.
When I ask the class if they would pay the ransom, they are almost always evenly split, and even after we talk through the case at length the numbers for and against paying remain evenly split.
It's no different in the real world. So, should you pay? Well, first things first.
This is clearly not the type of problem you want to have to deal with. Which is why WannaCrypt is so distressing. It could have been entirely avoided with something as simple as keeping Windows up to date: the vulnerability it exploited to spread from machine to machine had already been identified and fixed by Microsoft, with the patch released nearly two months before the outbreak.
Modern software, of all types, is so complex that it inevitably has numerous vulnerabilities that are only detected over time. In fact, there is a whole community of white-hat hackers (the good guys) who try to find these vulnerabilities and report them to the software developer or owner so they can be fixed. Keeping your apps and software up to date is the single best way to avoid ransomware attacks, and keeping tested backups that the malware can't reach is the best way to recover from one without paying.
However, going back to my prior article, about not being able to avoid all attacks, the question still remains, do you pay up?
Well, there are two schools of thought on this. One takes the short view and says that ransomware is a business like any other (minus the ethics) and that a sort of "honor among thieves" prevails: attackers who don't restore access would quickly find that nobody pays. If you subscribe to this, then you pay, get on with your business, and try like hell to make sure it doesn't happen again.
The other school of thought takes the long view which says that paying only emboldens this sort of behavior, promotes it, and ultimately makes it even more of a threat to everyone.
If you're quick to provide an answer as to which school you subscribe to, let me assure you that it's not that easy. For example, if your loved one is in an operating room waiting for a lifesaving procedure and the hospital can't perform it unless $1,000 is paid to decrypt data critical for the operation, I can pretty much assure you that you'd pay the ransom yourself. On the other hand, if you're the CEO of a hospital down the street from the one being attacked (and your data is not being held hostage), you are likely to be very much against anything that will only increase the likelihood that your hospital will be the next target.
Don't Wait To Decide
My advice to you is actually quite simple: play out as many scenarios of a ransomware attack on your own company as you can. This is exactly what I do with my students and with my clients. I'll actually create a group of white hats (those defending the organization) and black hats (the attackers), present them with the full infrastructure of the business, and then ask each group to come up with a set of attacks and a set of defenses. Once each group has its respective list, I'll ask them to take turns attacking and defending. But here's the caveat: they can ONLY use items already on their list.
Going through that kind of simulation creates a deep appreciation for the sorts of risks and defenses that need to be in place. It also gives the organization the chance to have the hard discussions, before the fact, about how to deal with the chaos and aftermath of an attack. For example, the PR strategy for dealing with the media should always be part of the white-hat strategy, as should ransomware insurance (yes, that really is a thing!).
There are also myriad strategies you can use to simulate randomized attacks. (I'll cover one of my favorites in next week's column.)
The bottom line is that you should do everything you can to avoid being put into this sort of situation by having in place the basic practice of keeping your apps and software up to date, but you should also put just as much time into simulating how you would deal with a ransomware attack. The easiest attack to deal with is certainly the one you have been able to avoid altogether, but the second easiest is the one you've already prepared for by going through it!