© 2019 SourceMedia. All rights reserved.

Explore paying ransomware threats in parallel with other recovery options

Your organization has just received ransom notices across your infrastructure, informing you of what you already fear: all your critical business data has been encrypted. You are angry that someone has moved your cheese, and you don’t want to reward them for it. Your instincts are reinforced by advisors who give you the conventional advice: “Don’t negotiate with terrorists! Never pay the ransom!”

Meanwhile, business operations have come to an abrupt halt, and the cost to the business increases by the minute. As the attack grinds on, your organization scrambles to find new ways to meet core functions, putting stress on everyone, including executive management.

As the stress and financial burden rises, hard-line conversations about whether to negotiate with cybercriminals suddenly take a back seat to the reality that you are beholden to the business and its key stakeholders.

The city of Baltimore has been grappling with a highly publicized ransomware attack for nearly a month. The attack has greatly hampered the city’s operations for everything from its police department to its finance department. Estimates of the financial impact of the attack are around $18.2 million. The amount the extortionist demanded for the decryption keys was around $76,000 in bitcoin. However, on the day of the attack, the mayor of Baltimore announced a refusal to pay. This was shortsighted.

Employees read a ransomware demand for the payment of $300 worth of bitcoin on company computers infected by the 'Petya' software virus inside a retail store in Kiev, Ukraine, on Wednesday, June 28, 2017. The cyberattack similar to WannaCry began in Ukraine Tuesday, infecting computer networks and demanding $300 in cryptocurrency to unlock their systems before spreading to different parts of the world. Photographer: Vincent Mundy/Bloomberg

While many advise against paying ransoms, Forrester has been tracking a trend of companies that negotiated with the extortionists and paid for decryption keys as part of their incident recovery. Here is why:

  • Conventional wisdom does not factor in what is best for your business and the situation you are currently in. Platitudes and emotion are not going to help you formulate an optimal recovery path for your business.
  • Recovery is complicated even if you have good backups that survived the attack. Many organizations significantly underestimate the scale of disruption they need to plan for or make too many assumptions about what functionality will continue to exist after an attack.

Forrester’s guidance is not a recommendation of whether or not to pay a ransom but to recognize paying the ransom as a valid recovery path that should be explored in parallel with other recovery efforts to ensure that you’re making the best decision for your organization. Look forward to our report providing guidance on how to implement incident response workflows to optimally select the best recovery for your organization.

(Written with Madeline Cyr, senior research associate)

(This post originally appeared on the Forrester blog, which can be viewed here).
