Brett Shavers | forensics & things

Brett's Ramblings

On ransomware, my advice is different from that other guy's advice.

Digital Forensics
Brett Shavers
Wednesday, 21 November 2018

For engagements where my clients ask for help in preparing for a ransomware attack, the most asked question is, “Do you recommend we pay if it happens to us?”

The decision to pay (or not) is based on the specific and unique situation. Are there unaffected backups? Is the encrypted data valuable or can it be re-created? Is the entire network held hostage? Can the ransomware be decrypted with available tools or keys? Basically, can we fix it or not? If not, then there is the decision to make on paying a ransom.

I know that clients want a definitive “YES” or “NO”, but it doesn’t work that way. If you advise to definitively pay, maybe they won’t get their files back and then what? Your advice was bad in that it didn’t work. And if you advise to absolutely not pay, then the client surely doesn’t get the files back. You’re between a rock and a hard place.

Here is what my recommendation has been. Recommend that the client buy some bitcoin and hold it. How much to buy depends on how much you think a ransom will be, based on the amounts demanded in current ransomware attacks. Then, if it happens, the client has saved at least a day of panicking in figuring out how to buy bitcoin and getting the money out of the budget to buy it, and potentially missing the window to pay the ransom anyway.

Whether Bitcoin increases or decreases in value doesn’t matter. What matters is having some on hand. It matters just as much to have someone who knows how to access and send it when and if needed.

Then, if a ransomware attack happens, the client can spend time deciding whether to pay or not without having a team figuring out “what is this Bitcoin thing?” and being distracted from the problem at hand (to pay or not).

Probably the best advice I can give is that if the client pays the ransom, there is a chance of getting the data back, or more accurately, getting back access to the encrypted data. But if you don’t pay, you have about a zero percent chance of getting access to your encrypted data. I’ve seen someone state that it’s about a 50/50 chance that an attacker will give decryption keys upon payment. I’m not a gambler, but I say paying to get 50/50 odds is a lot better than not paying for 0/100.

The point of this post

A very adamant advocate of not paying off ransomware strongly suggested that I not recommend to my clients that they should consider paying off ransomware. His point is that if everyone keeps paying ransoms, this will keep happening. I totally agree. If these attacks keep getting paid off, they will keep happening. The problem is that this is easy to say if you are not the victim. If the existence of your company rests solely on getting your data back, the “common good” of not paying takes a back seat.

Or, the victim could pay a few bitcoin and better prepare in the event this were to happen again. Yes, the criminals make money. But also, the business survives (people keep their jobs!) and the business prepares to prevent this from happening again.

I know that depending upon who a business calls for ransomware advice, one person will be advising to never pay and another person will be advising to look at the entire picture and keep all options open. The real answer to whether to pay or not rests solely with the client. We can only give recommendations and a shoulder to lean on (or cry on....).

Comments 1
Guest - Paul on Monday, 26 November 2018 06:38

Sound advice in my opinion!


© 2019 Brett Shavers