Why You Should NEVER Pay Your Ransomware Attackers
An interesting thing happened earlier this month when a county in North Carolina was attacked with ransomware and was asked to pay $23,000 to get their data back …
The county refused to pay.
The refusal was rare in that it received national media attention, but not so rare in the details: companies often refuse to pay ransomware hackers—and they should. But after a year of terrible ransomware attacks across the globe, finally somebody got recognition for standing up to the attackers.
As the New York Times aptly wrote: “In a world rocked by hackers, trolls and online evildoers of all stripes, the good people of the internet have long looked for a hero who would refuse to back down. Finally, someone has said enough is enough. And that someone is the government of Mecklenburg County, N.C.”
Today, we look at how the attack unfolded and the reasons why Mecklenburg County should be considered a role model for organizations everywhere.
Ransomware attackers take down 48 county servers with one bad email
Mecklenburg County initially announced the attack as a “computer-system outage” after a county employee inadvertently opened an email attachment containing ransomware.
Authorities say the attackers used a well-disguised phishing email to fool the employee. The attackers apparently gained access to another employee’s account to send the message, and then another unsuspecting staff member opened the attachment inside.
The malware immediately began encrypting files on the employee’s computer and across the county’s network. On-screen messages made it immediately clear that ransomware was at play: there was a demand for two bitcoin to decrypt the files and instructions on how to send the digital currency.
The county’s IT folks worked fast to isolate the infection, but it was too late. The attack affected 48 of the county’s 500 servers.
A $23,000 demand
At the time of the attack, two bitcoins were worth about $23,000 USD – a sizable chunk of change, even for a large local government like Mecklenburg County, which includes Charlotte, the state’s most populous city. All told, the county serves about a million people.
According to USA Today, the attack used a newer strain of LockCrypt ransomware, and experts believe the hackers operated out of Iran or Ukraine.
The attack limited access to most of the county government’s systems. The county did manage to stay open, but all remaining services slowed to a crawl. Employees were forced to complete many processes manually—with these weird, antiqued tools known as “pen and paper.”
NBC News reported, “The police department has to manually process records, the county’s domestic violence hotline goes to voicemail and even marriage licenses can’t be processed.” Information on scheduled medical appointments was lost for roughly 300 people.
“Confident our backup data is secure”
Through it all, Mecklenburg County stayed firm in its decision not to pay the attackers. The reason was two-fold: they had a secure backup system in place and every cybersecurity expert they spoke to advised them not to negotiate with the hackers.
Even if they’d paid the ransom, county officials said, restoring everything would take just as long as recovering backups from scratch. So the county said to the attackers, “No deal” and began reconstructing their data.
Mecklenburg County Manager Dena R. Diorio said in a statement: “It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible.”
How to make hackers angry
The county’s refusal to pay apparently angered the attackers.
After being denied the first time, the hackers redoubled their efforts and tried to infiltrate the systems again, without success. They apparently even emailed the county officials with repeated threats that the data would be destroyed forever.
But once again, the county stood their ground. They continued working to restore their files and access to systems. “We have the resources to fix this situation ourselves,” Diorio said. “It will take time, but with patience and hard work, all of our systems will be back up and running as soon as possible.”
Rooting for the good guys
Perhaps what catapulted this story into the national spotlight was how it unfolded. When news of the attack first broke, Mecklenburg County wasn’t totally sure how to respond.
Initial reports said the county was weighing paying the attackers: “If we don’t pay, we will have to rebuild applications from scratch and that will take even longer,” Diorio has said.
Then, the price of Bitcoin started skyrocketing, which raised the stakes even higher.
So while the residents of Mecklenburg County waited for their government to restore services, people around the world started watching, wondering what would happen next.
And when the county announced it would snub the bad guys? The story took off, and we all celebrated.
But let’s not turn this into a cartoonish scenario of “cops and robbers,” good vs. evil, etc. In reality, no ransomware victim should ever pay the ransom. Here’s why …
Paying the ransomware hackers only makes it worse
There are two very basic reasons why it’s never a good idea to pay the ransom:
- There’s no guarantee you’ll get your data back.
- Paying the ransom only supports the business of ransomware.
In 2016, roughly 35% of small and medium businesses (SMBs) paid the ransom, totaling over $301 million, according to a report by Datto, based on findings from 100,000 businesses. Of those businesses that paid up, 15% never got their data back. So while it may be tempting for some organizations to pay a nominal sum to stop an attack that’s crippling their operations, they may actually be throwing their money away.
The FBI also strongly discourages paying the ransom because it only rewards the hackers and motivates them to do it again. In a 2015 report, FBI Cyber Division Assistant Director James Trainor said, “Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.”
In other words, by paying the ransom, you’re pretty much making ransomware worse for everyone.
So, how do you prepare for such an attack so that you’re able to refuse to pay, just like Mecklenburg County did? It’s all about prevention and proper business continuity planning.
How to prevent ransomware and say ‘no’ to hackers if it happens
New strains of ransomware are increasingly sophisticated, exploiting vulnerabilities in operating systems and spreading across networks without human intervention. That said, there are several simple steps that can greatly reduce your risk of an attack and improve your ability to recover if disaster strikes.
- Back up your data!
Use a dependable, secure backup system that will allow you to quickly rollback to clean data after an attack. This is the simplest and best way to respond to a ransomware attack. It effectively removes the threat and eliminates the need to pay a ransom.
- Train employees
Since most ransomware still arrives via spam and phishing emails, you can greatly reduce your risk of an infection by training staff on how to spot suspicious messages. It’s also important to educate everyone on the dangers and cost of attacks like ransomware, so everyone knows what’s at stake.
- Block unwanted emails/sites/files
You can effectively block the majority of ransomware attempts with security measures like spam filters, IP address blocking, file attachment scanning and restrictions on opening attachments.
- Scan for malware/viruses
Invest in better malware defense and run routine scans to detect a possible infection as easily as possible. Go a step further with business continuity solutions from Datto, which have ransomware detection built directly into the BDR system.
- Patch software and operating systems
Some of the worst attacks in 2016 were due to older operating systems not being updated by administrators. Patch, patch, patch!
- Restrict files/folder access
Generally, if the user’s account stops them from accessing other folders on the network, then the ransomware will be stopped too. The FBI advises, “Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.”
What to do in an attack
Okay, so you’ve been infected with ransomware. Don’t freak out—here’s what to do:
- Isolate the attack by removing infected systems from the network.
- Validate and recover your backup. Make sure the backup hasn’t been infected too. If clear, restore at the most recent clean recovery point.
- Contact authorities. Even if you’ve restored your data without problem, the FBI wants to know about it. You are encouraged to contact your local FBI field office immediately.
- Change all account/network passwords. This is a good idea for after the malware has been removed.
Protect your company now
For more information on how to protect your organization with today’s best backup and disaster recovery solutions, contact our business continuity experts at Invenio IT. Call (646) 395-1170, email us at [email protected], or request a free demo to see how you can recover your data, from anywhere, in a matter of minutes.