The recent ransomware attack on Colonial Pipeline Co. is also a major warning. Any connected business can be hit by a ransomware attack at any time. What should you do if it happens to your business? Apparently, the answer depends on which US government agency you ask – and when.
Ransomware: The Threat is Real
Bloomberg explained the threat well in its May 13 story about the Colonial Pipeline attack. “Ransomware is a type of malware that locks up a victim’s files, which the attackers promise to unlock for a payment. More recently, some ransomware groups have also stolen victims’ data and threatened to release it unless paid – a kind of double extortion.”
“Colonial, which operates the largest fuel pipeline in the U.S., became aware of the hack around May 7 and shut down its operations, which led to fuel shortages and lines at gas stations along the East Coast,” according to Bloomberg. On the following Wednesday, multiple media outlets “reported that the company had no immediate intention of paying the ransom.” Just two days later, Colonial “paid nearly $5 million to Eastern European hackers” in untraceable cryptocurrency, Bloomberg reported, citing anonymous sources “familiar with the transaction.”
And what did Colonial get for its troubles and money? “Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.”
The Government Response: Unclear
Things could have been much worse for Colonial. It could have been hit with a much larger ransom demand. It could also have paid the ransom, only to get nothing from the attackers to help restore normal business operations.
So, should Colonial have paid? U.S. government officials appear divided on the subject, Bloomberg reported.
“The FBI discourages organizations from paying ransom to hackers, saying there is no guarantee they will follow through on promises to unlock files. It also provides incentive to other would-be hackers, the agency says.
“However, Anne Neuberger, the White House’s top cybersecurity official, pointedly declined to say whether companies should pay cyber ransoms at a briefing earlier this week. ‘We recognize, though, that companies are often in a difficult position if their data is encrypted and they do not have backups and cannot recover the data,’” she told reporters Monday. “Such guidance provides a quandary for victims who have to weigh the risks of not paying with the costs of lost or exposed records.”
Indeed. In a Facebook post, former U.S. Secretary of Labor Robert Reich lambasted the U.S. government’s response and guidance to the Colonial attack. “Why does the U.S. allow such extortion?… That’s a signal to criminal hackers to escalate this destructive game.” Reich added that he believes “United States law should prohibit all such payments, ban the use of cryptocurrency for international payments, and prohibit cyber-insurance policies.”
Even the FBI has issued inconsistent guidance regarding ransomware and ransom payments. An October 3, 2019 post at ZDNet was headlined, “FBI’s new ransomware warning: Don’t pay up, but if you do, tell us about it.” Four days later, a post at IT Pro Portal carried the headline, “FBI now says you should pay up for ransomware demands,” with the subhead “New guidance may only apply in certain situations.”
Should Your Company Pay Ransomware Attackers?
So – what should your company do?
Get and keep your users educated. Many ransomware and malware attacks are successful because a user clicks on a malicious but authentic-looking link in an email or on a bogus website. Do whatever you can to instill vigilance against falling for such traps in all your users, including those at partner companies and contractors.
Protect and keep current backups of everything critical. Consistent cybersecurity hygiene across your entire extended technology environment is essential. This means a combination of the most effective protection technologies you can afford and processes that maximize that effectiveness for your specific environment. Take full advantage of any and all relevant resources offered by your chosen vendors.
Test your backups and restoral processes regularly. Backups are like cybersecurity plans. Making them once, then putting them on a shelf and ignoring them until catastrophe strikes is all but pointless. You absolutely must test your backups, and the processes and technologies you use to restore them, at least annually.
Pay the ransom only as a last resort. There is no guarantee that paying a ransom will fully restore your data or your business operations. But if you implement the preceding recommendations well and consistently, you may avoid having to confront whether to pay a ransom entirely.