Brett's Ramblings
On ransomware, my advice is different from that other guy's advice.
For engagements where my clients ask for help in preparing for a ransomware attack, the most asked question is, “Do you recommend we pay if it happens to us?”
The decision to pay (or not) is based on the specific and unique situation. Are there unaffected backups? Is the encrypted data valuable or can it be re-created? Is the entire network held hostage? Can the ransomware be decrypted with available tools or keys? Basically, can we fix it or not? If not, then there is the decision to make on paying a ransom.
I know that clients want a definitive “YES” or “NO”, but it doesn’t work that way. If you advise to definitively pay, maybe they won’t get their files back and then what? Your advice was bad in that it didn’t work. And if you advise to absolutely not pay, then the client surely doesn’t get the files back. You’re between a rock and a hard place.
Here’s been my recommendation. Recommend that the client buy some bitcoin and hold it. How much to buy depends on how much you think a ransom will be based on the amounts of current ransomware attacks. Then, if it happens, the client has saved at least a day of panicking in figuring out how to buy bitcoin and getting the money out of the budget to buy it, and potentially missing the window to pay the ransom anyway.
As far as will Bitcoin increase or decrease in value, that doesn’t matter. It matters to have some on hand. It matters just as much to have someone know how to access/send it when and if needed.
Then if a ransomware attack happens, the client can spend time on deciding to pay or not without having to have a team figuring out “what is this Bitcoin thing?” and distracting from the problem at hand (to pay or not).
Probably the best advise I can give, is that if the client pays the ransom, there is a chance of getting the data back, or more accurately, getting back access to the encrypted data. But if you don’t pay, you have about a zero percent chance of getting access to your encrypted data. I’ve seen someone state that it’s about a 50/50 chance that an attacker will give decryption keys upon payment. I’m not a gambler, but I say paying to get 50/50 odds is a lot better than not paying for 0/100.
The point of this post
A very adamant advocate of not paying off ransomware strongly suggested that I not recommend to my client that they should consider paying off ransomware. His point is that if everyone keeps paying ransoms, this will keep happening. I totally agree. If these attacks keep getting paid off, they will keep happening. The problem is that this is easy to say if you are not the victim. If the existance of your company rests solely on getting your data back, the 'common good' of not paying takes a back seat.
Or, the victim could pay a few bitcoin and better prepare in the event this were to happen again. Yes, the criminals make money. But also, the business survives (people keep their jobs!) and the business prepares to prevent this from happening again.
I know that depending upon who a business calls for ransomware advice, one person will be advising to never pay and another person will be advising to look at the entire picture and keep all options open. The real answer to pay or not rests solely on the client. We can only give recommendations and a shoulder to lean on (or cry on....).
About the author
By accepting you will be accessing a service provided by a third-party external to https://brettshavers.com/
Posts List
Tag Cloud
Search Blog
Most popular posts
Magnet Forensics Conversation
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training by subscribing at https://www.dfir.training/subscriptions and get access to multiple online courses in digital forensics with included ebooks!
More posts
-
Should you improve your DFIR skills on your personal time?
Almost two years ago, I wrote about burning out in DFIR (“Only race cars should burn out"). I still stand by what I wrote at…
Friday September 04
11396 hits / 0 comments
-
TikTok is like a big, greasy cheeseburger. We know it is bad for us, but don't care.
Short version: Any social media platform can be compared to the biggest, greasiest cheeseburger that you can find. You know that the cheeseburger is unhealthy,…
Tuesday July 07
22555 hits / 0 comments
-
Jessica Hyde and I talk about forensic stuff
Jessica Hyde of Magnet Forensics sat down together (virtually...) to talk about forensics. In case you missed it, here it is!
Thursday June 11
10406 hits / 0 comments
-
Facebook Spoofing: Your Reputation, Investigations, and Massive Data Collection
A “new” article on imposter Facebook accounts was published today in the Philippines. I put “new” in quotes because this is not a new issue,…
Sunday June 07
2370 hits / 0 comments
-
You do not want to work in DFIR.
The fantasySo many people ask how they can start a career in the DF/IR field, which is completely understandable. The glamour is there. Hollywood shows…
Thursday June 04
2678 hits / 0 comments
-
COVID-19’s Investigative Impacts on Digital Forensics/Incident Response (DFIR). AKA: All burners are now burned.
The meat and potatoesA bit is still a bit and a byte is still a byte. COVID-19 cannot change that, which means that the technical…
Saturday April 25
16105 hits / 0 comments
-
Mini-WinFE 10 and WinFE 10 Updated
The short story on the newest Mini-WinFE 10 (aka, the download link):Mini-WinFE has been updated and upgraded. I update WinFE developments (including the downloads for…
Sunday April 05
9932 hits / 2 comments
-
Eat your broccoli first
Something good and something not-so-good on learning DFIRThe good thing about learning DFIR is that there are probably fewer barriers and obstacles to learn and…
Saturday January 18
30622 hits / 0 comments
-
The Second Decade of the 2000s is almost over!
We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown!…
Thursday December 26
10373 hits / 0 comments
-
Public Records
I have an outstanding public records request. It is not "outstanding" in the manner that I wrote a great request, but "outstanding" in that I…
Thursday December 12
4969 hits / 0 comments
-
The Five Stages of the DFIR Career Grief Cycle
I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig,…
Tuesday September 10
36266 hits / 0 comments
-
Our World is Going to Turn Upside Down with DeepFakes
The short storyAny person and their voice, in practically any video (past, present, or future) can have their face and voice digitally replaced with any…
Sunday September 01
4114 hits / 0 comments
-
If you are comfortable in DFIR, you might be doing it wrong
I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the…
Thursday August 29
4500 hits / 0 comments
-
Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp
You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits. In fact, you can probably enjoy the…
Saturday August 17
6017 hits / 0 comments
-
Personality of a computer
From a recent discussion that I had with Harlan Carvey about the registry, this topic is something that I touched on lightly in Placing the…
Wednesday July 31
4812 hits / 0 comments
-
Add a Dab of Balance in your DFIR World
Jessica Hyde’s post of Giving Back in DFIR from 2018 is a great write up on contributing to the DFIR community, and I see her…
Monday June 24
14914 hits / 0 comments
-
The Easy Way to Learn DFIR
SummaryThere is no easy way to learn DFIR. You can stop reading from here if you want.Longer versionOk. Since you are still reading, you probably…
Saturday June 08
14465 hits / 0 comments
-
Game of Thrones, DFIR Style
Short post and quick opinion. I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little…
Thursday April 25
34679 hits / 0 comments
-
Puking in DFIR
Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in,…
Wednesday April 17
6118 hits / 0 comments
-
The #1 Reason that DFIR practitioners don’t post opinions
Lesley Carhart tweeted today that a journalist used one of her tweets in an article that would have been rephrased in a less playful manner…
Tuesday April 09
6202 hits / 0 comments
© 2020 Brett Shavers