Do Not Pay the Ransom!

As we have all heard by now, the Colonial Pipeline hackers were paid 5 million dollars. The data that was extracted was, by all accounts, or at least according to the available information, a mix of financial and accounting files.

I get it: sometimes paying the ransom can help return your business to normal, or at least make it operational again. For a small to medium-sized business, it can decide whether you get to stay in business or not. The problem is that paying the ransom does not necessarily get your business back to a good state and, in some cases, could even make things worse. Bad guys, no matter what they say or do, are innately only interested in advancing their agendas. If you pay them, you are advancing their cause, whether it be financial, social, terrorism, or a mixture of all three.

In the case of Colonial Pipeline, we are still figuring out the facts. I have worked on several breach remediation projects, and I can tell you that it will take time to figure out exactly what went wrong and what the damage will be moving forward. The data that was taken, 100GB to be exact, must have been important enough to the entire business that they were willing to pay a hefty price to recover it. On the surface, 100GB is not a ton of data, considering that a typical cellphone has that much storage. Statistics provided by Kaspersky (see the links below) confirm what most cyber experts report: paying the ransom does not always get your data back, and what does come back is often incomplete or corrupted. Of all the companies that paid the ransom in 2020, only 29% were able to restore their entire data set. Half of those who restored reported that they lost some files, and 13% of those that paid lost all their data. On the statistics alone, I would be inclined to say no to paying the ransom. Companies must also consider that if they pay a criminal organization, they will be seen as a soft target moving forward. Cyber gangs are smart: they communicate with each other via back channels, and they know who pays and who does not. They are also patient in their endeavors.

We need to better prepare for an imminent attack. Every sector of business, whether large, medium, or small, is in the crosshairs of a breach. Preparing means having good, tested backups and a recovery plan that draws on input from IT, cyber, and the executive group. Training your staff on what to do if an event occurs, and having a plan in place for the worst-case scenario, is essential. A cold storage backup is necessary. Segregating network resources also helps contain the propagation of malicious code.

Continuing on this path is not sustainable. Paying criminals and trusting them to do the right thing, to give us our data back and not sell it on the dark web (which they may do whether you pay or not), is not a recovery plan. We must do better to prepare for the worst and expect the best. Create a recovery plan. Practice that recovery process as if it is a real event. Let's not let the bad guys win by continuing to give them what they want, which only encourages them and makes it worth their time to terrorize. It is time to be proactive and prepare. Learning from each other often helps keep a breach in check.

Links:

https://www.kaspersky.com/about/press-releases/2021_over-half-of-ransomware-victims-pay-the-ransom-but-only-a-quarter-see-their-full-data-returned 

https://purplesec.us/resources/cyber-security-statistics/ransomware/ 

https://www.zdnet.com/article/ransomware-dont-pay-the-ransom-it-just-encourage-cyber-criminals-that-attacks-work-warns-home-secretary/ 

https://finance.yahoo.com/news/colonial-pipeline-paid-hackers-nearly-141548661.html?guccounter=1&guce_referrer=aHR0cHM6Ly93d3cyLnNtYXJ0YnJpZWYuY29tLw&guce_referrer_sig=AQAAAF20lIHdg94WMUPDN30qN_0VtTpg3d57oDu4TREHzzW8hUCNMfFQaZzTt90MWYPiPg1vH3frYVtqtpUfPX7JrhmaV1tYsWkFJoTj3uk6a9BbvyR-mZXIF1-wZXUIcOeYWcfjW3sCgJTSWws9mjzveW7eIhiefySyH3ZNauaOohYr 

https://www.washingtonpost.com/technology/2021/05/15/ransomware-colonial-darkside-cyber-security/?wpisrc=nl_sb_smartbrief 

https://www.wired.com/story/ransomware-double-encryption/ 

https://searchsecurity.techtarget.com/news/252501054/Attorneys-share-worst-practices-for-data-breach-response 

https://www.isaca.org/resources/news-and-trends/newsletters/atisaca/2021/volume-13/why-were-losing-the-cybersecurity-war 

https://ceoworld.biz/2021/05/13/why-companies-are-investing-in-cybersecurity-awareness-like-never-before/ 

https://www.nytimes.com/2021/05/20/technology/ransomware-attack-ireland-hospitals.html