What to do if your data is taken hostage

Getting duped online by a cybercriminal is infuriating. You let your guard down for a minute and the thieves find their way in to your machine.

And then the “fun” begins if ransomware is involved. Hopefully, you have your data backed up, but if not now starts the dance with those who have ultimately taken you hostage. Ransomware is obviously analogous to kidnapping, and dealing with the perpetrators can feel much like negotiating with a jumper standing on the edge of high-rise roof.

Look no further for help than the Institute for Critical Infrastructure Technology (ICIT) report that in part describes how to deal with criminals when they are holding your data hostage. The report describes what to do once a breach has been found.

ICIT says the proper response will depend on the risk appetite of the organisation, the potential impact of the hostage data, the impact on business continuity, whether a redundant system is available, and the sectorial regulatory requirements.

Procedure

Hopefully, the information security team has already planned out a procedure to follow in the event of a ransomware attack. They should begin by notifying the authorities and applicable regulatory bodies. The plan identifies the organisation’s recovery time objective (RTO), and recovery point objective (RPO) for data breaches. In the event that a back-up exists, then cyber-forensic evidence of the incident should be preserved and documented for/by law enforcement.

In the event that there are no redundancy systems or if the secondary systems are compromised, then the information security team can find and implement a vendor solution or decryption tool.

In many cases, files may be partially corrupted or incompletely decrypted. Even if a vendor solution is a simple executable, the victim may not be able to assure that their system is not still compromised by inactive ransomware, backdoors, or other malware.

Data recovery

Another option is to attempt to recover the data. System back-up and recovery are the only certain solutions to ransomware. If you have a back-up system, then recovery is a simple matter of restoring the system to a save point. Otherwise, you could attempt to recover data through shadow copies or through a file recovery software tool; however, many ransomware variants delete shadow copies and some even detect file recovery software. Since many variants infect the registry, system restore from a save point may not be possible even if the recovery point remains unaffected.

If you do not like those options, you can put your head in your hands and do nothing. In lieu of an information security team or vendor solution, options are limited to paying the ransom or accepting the loss of the system or data. If the system is backed up, and the back-up remains reliable, then the victim can ignore the ransom demand and restore the system according to the back-up. If there is no backup, but the ransom outweighs the cost of the system, then the victim may have to purchase a new device and dispose of the infected system with extreme prejudice.

Last resort

In what should be a last resort, the ransom can be paid. If the culprit actually provides the decryption key, then paying the ransom may alleviate the immediate pressure on the organisation. Some attackers may release the system after receiving payment because doing otherwise would reduce the likelihood that other victims will pay. If paying the ransom is legitimately being debated, then perform a quick Internet search on the type of ransomware holding your system. Whether or not criminals who use that ransomware are likely to release data after receiving payment is likely to show up online.

Security experts caution about this approach though as there is no guarantee that once the money is paid that the perpetrator would release the data. Also, another worry is that once you pay the ransom, the cybercriminal could come back and do the same thing at a later date.

Some attackers recognise this dichotomy of trust. They recognise that if files are never unlocked then no victim will ever pay a ransom. As a result, variants such as CTBLocker (Trojan.Cryptolocker.G) have an option to decrypt a few random files as a gesture of good faith.

Hybrid approach

Another tact is if the ransom is low, say $300 (€287) for a multimillion-dollar organisation, then it might make sense to adopt a hybrid approach. This could include simultaneous efforts to pay the ransom, to triage the system, and to attempt to restore from a back-up server. Organisations must consider whether system downtime is of greater impact than the ransom consequences. A hybrid approach ensures that the system will be operational in some amount of time, no matter what. To minimise the expended resources and the impact to the organisation, hybrid solutions should only be attempted by a trained and prepared information security team.

The number of ransomware attack variations is limited only by the imagination and motivation of the attackers. A vigilant cybersecurity centric corporate culture that cultivates an environment of awareness is the most effective means to minimise the attack. If you do have an infosec team, it should cover: an immediate companywide vulnerability analysis, a crisis management strategy that takes into consideration all known threats, continuous device and application patching, auditing of third-party vendors and agreements, organisational penetration testing and security-centric technological upgrades.

IDG News Service