A post on the cyber security blog “Ride the Lightning” from October 1, 2020, discussed the difficulties a company faces when it’s hit with ransomware.  Does the business pay the ransom or not, and if so, how does one negotiate with the hackers?

Paying the ransom does have some benefits.  It is a quick way to get the captured data returned.  But this is only true in cases where the criminals can be trusted to return the data.

Ransom payment could arguably, at least in some cases, be in the interest of customers or stakeholders.  The example used in the blog post is of a hospital patient in desperate need of an immediate operation whose records are locked up.

As alluded to earlier, a drawback of paying the ransom is that some criminals take the payment, but then don’t actually return the data.  So how does one know if the reputation of the hackers is good or bad?

If your company were to get hit with ransomware, would you negotiate with the criminals?  If so, would you offer to pay the full demand?  Or only a fraction of the cost?  How would you get the cryptocurrency needed to satisfy the ransom?  How would you know if the criminals had a good reputation for restoring data once the ransom was paid?  Would engaging with the criminals leave you and your company with civil or criminal legal liabilities?  There are so many questions to consider.

The key to a successful recovery from a ransomware attack is engaging an experienced incident response team that deals with the bad guys all day, every day. Do not go it alone or try to mitigate the situation without the assistance of one of these teams, which can be found at many of the top cyber security firms across the country.

In the midst of an attack, an IT team needs to concentrate not on learning how to deal with cyber criminals, which has a steep learning curve, but on getting the company running again.  Karen Sprenger of LMG Security explains: “Your primary focus is on getting your organization back up and running as quickly as possible.  As it should be.  After all, as a ransomer once told me in the middle of a negotiation, ‘time=$$.’  You know your network best, you know the workflows, the files, the structure – you know which files contain sensitive information and which need to be prioritized for recovery.”

Sprenger continues: “Let the professionals worry about forensically preserving evidence, finding patient zero, negotiating ransoms, and testing decryptors.  While evidence is being preserved, you may not be able to dig right in, but you can assist with ransomware recovery by getting access for your new IR team, purchasing hard drives to replace the encrypted drives, hunting down backups and so on so that you’re ready to go when your system is clean.”

Fortunately, business executives who have purchased a state-of-the-art cyber policy can rest assured that if a ransomware attack hits, a team of qualified professionals will come alongside them immediately to guide them through the storm.

In fact, gaining access to top cyber security firms is one of the chief benefits of carrying a quality cyber policy.