Security

Ransomware: To Pay or Not To Pay?

The decision whether or not to cave in to a ransomware attack may be less a philosophical decision and more a cost-benefit analysis.

• By Dian Schaffhauser
• 02/23/17

Pity poor Los Angeles Valley College, one of the latest victims of a ransomware attack to make the headlines. The community college paid about $28,000 to cyber criminals to retrieve data that had been encrypted. After the payment was made, a "key" was delivered to regain access to the infected systems, whose "hundreds of thousands" of files are now being methodically unlocked, according to an FAQ issued by the school. The disruption hit computer, online, e-mail and voicemail systems. Fortunately, the ransom was covered by a cybersecurity insurance policy, which also is paying for the services of cybersecurity experts to uncover just what happened. Law enforcement is involved.

LAVC is hardly alone. Last June, the University of Calgary transferred almost $16,000 in bitcoins to extortionists after its IT security team spent a week attempting to crack the ransomware that had infected a hundred of its computers. At the time, university vice president Linda Dalgetty told a reporter, "The actual process of decryption is time-consuming and must be performed with care." And, she pointed out, "Decryption keys do not automatically restore all systems or guarantee the recovery of all data." The institution paid, she noted, to make sure research work wasn't lost.

It would be a brief story if that were all there were to say on the topic: Pay the bad guys and hope you get your stuff back.

A few months after the Calgary incident, Carleton University faced the same decision when 3,200 PCs were hit. In that case, a graduate student told CBC Radio-Canada, the attackers gave a choice: "either two bitcoin per machine or 39 bitcoin total to release the encrypted files" — about $35,000 at today's conversion rate. The university chose not to pay anything.

Which one of these schools took the right approach? You may not be able to figure that out until you're staring into the stunned eyes of a desperate researcher, president, director, student or faculty member.

The Evolution of a Problem

BitSight reported last year that in a comparison of six segments, education "exhibited the highest rates of ransomware." More than 11 percent of the ed industry had the Nymaim Trojan on its networks, the report stated, and almost 4 percent had Locky.

So how come so few colleges or universities have admitted to being hit? Currently, data breaches continue to garner the most attention: The attacks in which the goal is to gain access to personally identifiable information hit at least 11 institutions in the United States last year, according to tracking by the Privacy Rights Clearinghouse. None of those involved ransomware specifically.

Yet ransomware incidents are on the rise. According to the U.S. Department of Justice, this form of attack, in which quick extortion from the victim is the objective, has grown 300 percent since 2015, right alongside the continued proliferation of e-mail spam, infected macros, "malvertising," botnet-driven processes, exploit kits and the expansion of "affiliates" that pay others to do the infections for them. As an example of just one of those categories, ransomware attached to spam increased from less than 1 percent in 2015 to 37 percent in 2016, according to IBM's X-Force security research team. In the first three months of last year, the FBI estimated that more than $209 million in ransomware payments had been made in the U.S., compared to $24 million in 2015.

Ransomware has been around for a long time, previously spread through floppy disks. This type of malware has found its sweet spot, however, with the explosion of consumer computing devices, many of which go unprotected, and the popularization of virtual currencies that facilitate anonymous transactions.

Also a factor, as the X-Force found: Users are more self-assured than they ought to be, which means they're not as careful as the situation warrants. According to a report issued in December 2016, while three-quarters of consumers said they could protect data on their computers and two-thirds said the same for the data on their mobile or tablet devices, six in 10 hadn't taken any action in the previous three months to protect their devices from hacking, such as avoiding suspicious attachments or links in e-mail, regularly changing passwords or staying off of public WiFi access points.

Among business people, the results were even more alarming. A SANS survey in the financial sector found that 32 percent of companies had lost anywhere from $100,000 to $500,000 due to ransomware.

Spreading on Campus

In a widely reported research project undertaken by security vendor SentinelOne, 63 percent of British universities had "suffered from ransomware events." Only one of the respondents had reported the attack to law enforcement. Bournemouth University, in particular, was called out for being the "most targeted," with 21 attacks in a single year. What was less reported was the institution's response: "It is not uncommon for universities to be the target of cybersecurity attacks; there are security processes in place at Bournemouth University to deal with these types of incident." In other words, it was business as usual on campus, and this was just one more blip on the security radar.

Why the difference? The primary attack vector for ransomware is an individual who has clicked on something he or she shouldn't have. Numerous institutions — among them, Georgia College, Fort Lewis College in Colorado, Red Deer College in Alberta and the University of Houston Clear Lake — have posted messages on their IT or information security websites broadcasting that members of the community had experienced ransomware incidents that had encrypted their devices and apprising others about how to minimize their risk and respond if it happens to them.

Those institutions that have been most successful in keeping ransomware problems from spreading are the ones where the user has immediately unplugged the device from the internet or turned off WiFi and communicated with IT as quickly as possible. It appears to be as simple as that.

The Cost-Benefit of Paying Up

You'd find few people willing to go on the record as supporting payouts to black hat hackers that have locked up a computer. Most agree that caving in just encourages more ransomware activities. And there's no guarantee the victim will get back device access or data. Just to confuse the decision, some ransom schemes now come with a new variable: Hackers threaten to make the data publicly available if somebody refuses to pay.

During a cyber security summit held at Georgia Tech last fall, experts recommended just that: Avoid payment. However, acknowledged Evan Downing, a doctoral student in computer science, the "decision whether to or not all comes down to personal cost-benefit analysis."

His suggestion was to examine "what you're willing to pay for, literally and figuratively: What data can your business stand to lose? How quickly can your business recover from losing this data? How much money will an attack cost your company from the lack of the service your company provides? Is this all worth the risk of paying the ransom and possibly not getting your data back?"

Given that, an IT leader who needs to decide how to respond to a ransomware demand may approach the problem with more confidence: Been there, done that. As a 2017 report from Georgia Tech's Institute for Information Security & Privacy emphasized, "It's just malware, people." By not announcing their presence, other kinds of malware are doing "far scarier things."

Eventually, these security experts predict, ransomware will have run its course. With "training, planning and partnering for effective intelligence sharing" in place, this form of IT headache will "hopefully wind down to become an outdated cybersecurity problem."