Brett's Ramblings
On ransomware, my advice is different from that other guy's advice.
For engagements where my clients ask for help in preparing for a ransomware attack, the most asked question is, “Do you recommend we pay if it happens to us?”
The decision to pay (or not) is based on the specific and unique situation. Are there unaffected backups? Is the encrypted data valuable or can it be re-created? Is the entire network held hostage? Can the ransomware be decrypted with available tools or keys? Basically, can we fix it or not? If not, then there is the decision to make on paying a ransom.
I know that clients want a definitive “YES” or “NO”, but it doesn’t work that way. If you advise to definitively pay, maybe they won’t get their files back and then what? Your advice was bad in that it didn’t work. And if you advise to absolutely not pay, then the client surely doesn’t get the files back. You’re between a rock and a hard place.
Here’s been my recommendation. Recommend that the client buy some bitcoin and hold it. How much to buy depends on how much you think a ransom will be based on the amounts of current ransomware attacks. Then, if it happens, the client has saved at least a day of panicking in figuring out how to buy bitcoin and getting the money out of the budget to buy it, and potentially missing the window to pay the ransom anyway.
As far as will Bitcoin increase or decrease in value, that doesn’t matter. It matters to have some on hand. It matters just as much to have someone know how to access/send it when and if needed.
Then if a ransomware attack happens, the client can spend time on deciding to pay or not without having to have a team figuring out “what is this Bitcoin thing?” and distracting from the problem at hand (to pay or not).
Probably the best advise I can give, is that if the client pays the ransom, there is a chance of getting the data back, or more accurately, getting back access to the encrypted data. But if you don’t pay, you have about a zero percent chance of getting access to your encrypted data. I’ve seen someone state that it’s about a 50/50 chance that an attacker will give decryption keys upon payment. I’m not a gambler, but I say paying to get 50/50 odds is a lot better than not paying for 0/100.
The point of this post
A very adamant advocate of not paying off ransomware strongly suggested that I not recommend to my client that they should consider paying off ransomware. His point is that if everyone keeps paying ransoms, this will keep happening. I totally agree. If these attacks keep getting paid off, they will keep happening. The problem is that this is easy to say if you are not the victim. If the existance of your company rests solely on getting your data back, the 'common good' of not paying takes a back seat.
Or, the victim could pay a few bitcoin and better prepare in the event this were to happen again. Yes, the criminals make money. But also, the business survives (people keep their jobs!) and the business prepares to prevent this from happening again.
I know that depending upon who a business calls for ransomware advice, one person will be advising to never pay and another person will be advising to look at the entire picture and keep all options open. The real answer to pay or not rests solely on the client. We can only give recommendations and a shoulder to lean on (or cry on....).
About the author
Posts List
Tag Cloud
Search Blog
Most popular posts
DFIR Training
Be sure to check out my DFIR Training website for practically the best resources for all things Digital Forensics/Incident Response related.
Even better, support DFIR Training at Patreon and get access to multiple online courses in digital forensics with included ebooks!
More posts
-
Eat your broccoli first
Something good and something not-so-good on learning DFIR The good thing about learning DFIR is that there are probably fewer barriers and obstacles to learn…
Saturday January 18
13378 hits / 0 comments
-
The Second Decade of the 2000s is almost over!
We’ve come a long way in DFIR over the past 20 years, and even looking at just the past decade, the field has drastically grown!…
Thursday December 26
9143 hits / 0 comments
-
Public Records
I have an outstanding public records request . It is not "outstanding" in the manner that I wrote a great request, but "outstanding" in that…
Thursday December 12
4458 hits / 0 comments
-
The Five Stages of the DFIR Career Grief Cycle
I have been a fan of Craig Ball ever since I met him in a forensic course years ago. I was so impressed with Craig,…
Tuesday September 10
33910 hits / 0 comments
-
Our World is Going to Turn Upside Down with DeepFakes
The short story Any person and their voice, in practically any video (past, present, or future) can have their face and voice digitally replaced with…
Sunday September 01
2421 hits / 0 comments
-
If you are comfortable in DFIR, you might be doing it wrong
I took a 3-day basic forensic course and embarrassingly enough, the instructor (in front of the class), said that I probably know everything in the…
Thursday August 29
2904 hits / 0 comments
-
Everything I Needed to Know about Working in DFIR, I Learned in Boot Camp
You don’t need to experience military life to learn the valuable lessons that are drilled into military recruits. In fact, you can probably enjoy the…
Saturday August 17
3654 hits / 0 comments
-
Personality of a computer
From a recent discussion that I had with Harlan Carvey about the registry, this topic is something that I touched on lightly in Placing the…
Wednesday July 31
2891 hits / 0 comments
-
Add a Dab of Balance in your DFIR World
Jessica Hyde ’ s post of Giving Back in DFIR from 2018 is a great write up on contributing to the DFIR community, and I…
Monday June 24
13776 hits / 0 comments
-
The Easy Way to Learn DFIR
Summary There is no easy way to learn DFIR . You can stop reading from here if you want. Longer version Ok. Since you are…
Saturday June 08
12351 hits / 0 comments
-
Game of Thrones, DFIR Style
Short post and quick opinion. I came across some tweets today about how bad people are in the #infosec/#DFIR community and I dug a little…
Thursday April 25
29242 hits / 0 comments
-
Puking in DFIR
Admittedly, the title of this post is intentionally gross, because I am going to heave a few things at you, mainly about puking. As in,…
Wednesday April 17
5296 hits / 0 comments
-
The #1 Reason that DFIR practitioners don’t post opinions
Lesley Carhart tweeted today that a journalist used one of her tweets in an article that would have been rephrased in a less playful…
Tuesday April 09
5582 hits / 0 comments
-
If USB flash drives were shaped like spiders, we wouldn’t have these problems
I hate USB drives. My first experiences with the darn things was when I was a young patrol officer and the entire police department was…
Monday April 08
2080 hits / 0 comments
-
Working in DFIR is glamorous, but mostly only to those not working in DFIR...
Here is something about the DFIR career field: it is one of the most exciting, eventful, and jam-packed jobs that anyone can have. Running and…
Friday April 05
3197 hits / 0 comments
-
Overcommitted in DFIR
I have seen people be overcommitted, realize that they are overcommitted, yet continue forward in the most serious of situations. By overcommitted, I do not…
Friday March 22
17374 hits / 0 comments
-
'You're guilty unless you can prove it'
Swift on Security tweeted a great article. The article is not great as a well-written piece or containing earth shattering news piece, but more that…
Saturday March 09
20572 hits / 0 comments
-
“I've answered questions, responded to emails, and been on phone calls...when asked.” – Harlan Carvey
I feel obligated to respond to one of Harlan Carvey’s points in his recent blog post, Book Writing Misconceptions ( https://windowsir.blogspot.com/2019/03/book-writing-misconceptions.html ). I agree with…
Tuesday March 05
3128 hits / 0 comments
-
All you need is a tiny spark to solve your case.
During a recent workshop, one person in the class kept asking me for the magic bullet to work his case. By that, I mean that he…
Saturday March 02
2670 hits / 0 comments
-
Some CONS are good. Some cons are bad.
The bad cons are the criminals that victimize you. The good CONS are the conferences that you were glad to attend. CTIN is one of…
Thursday February 14
7969 hits / 0 comments
© 2020 Brett Shavers