According to Peter Groucutt, managing director of Databarracks, this sets a dangerous precedent and underlines a need for organisations to maintain a non-negotiation policy against ransom demands.
A recent report found over half of SMEs would pay a ransom if hit by an attack, and several government organisations in the USA have paid vast sums of money to criminals after falling victim to a scheme. This goes against a long-held policy of governments refusing to negotiate with criminals or terrorists. According to Groucutt, this trend must be addressed before it becomes the norm.
Radiohead’s recent response to an attack – releasing 18 hours of outtakes from OK Computer to the public rather than paying a $150,000 ransom – is a good example of how to defuse a ransom situation.
Groucutt said: “Given ransomware attacks are becoming increasingly commonplace, there’s no excuse to be unprepared. Agreeing to pay a ransom demand isn’t conducive to long-term security, and emboldens cyber criminals to continue to use this method. There is also a risk of looking like an easy target, potentially inviting further attacks.
“Releasing a collection of unheard songs, demos and outtakes, while unconventional, was a PR masterstroke by Radiohead. This obviously isn’t a viable tactic for businesses dealing with a ransomware attack, but we can learn from Radiohead’s defiance.
Companies need to trust in their security capabilities and emphasise a non-negotiation philosophy whenever possible. While this might sound easier said than done, Groucutt believes there is plenty organisations can do, from a technology perspective, to strengthen their security posture and justify a confident outward demeanour. A comprehensive Cyber Incident Response Plan – including recovery from backup – is key.
Groucutt added: “If you are hit by a ransomware attack, you have two choices – recover your information from a previous backup or pay the ransom. However, even if you pay the ransom, there is no guarantee you will get your data back, so the only way to be fully protected is to have historic backup copies of your data.
“When recovering from ransomware, your aims are to minimise both data loss and IT downtime. Defensive and preventative strategies are essential but outright prevention of ransomware is impossible. You need to plan for how the business will act when compromised to reduce the impact of an attack.
“The Incident Response Team or Crisis Management Team must have the authority to make large-scale, operational decisions, taking systems offline to limit the spread of infection. And they must be able to make that decision very quickly. Once the ransomware has been isolated and contained, you must find when the ransomware installation occurred to be able to restore clean data from before the infection took hold. When the most recent, clean data is identified you can begin a typical recovery, restoring data and testing before bringing systems back online again.”
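The restore-point decision described above, as an added illustration (not code from Databarracks or Groucutt): given the earliest time the ransomware was installed and a backup catalogue, pick the newest verified copy taken safely before that time and report the resulting data-loss window. The catalogue entries, dates and the 12-hour safety margin are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Backup:
    taken_at: datetime
    label: str
    integrity_ok: bool  # outcome of a checksum or test-restore on this copy

# Constructed nightly backup catalogue (hypothetical labels and dates).
CATALOGUE = [
    Backup(datetime(2019, 6, 10, 1, 0), "nightly-0610", True),
    Backup(datetime(2019, 6, 11, 1, 0), "nightly-0611", True),
    Backup(datetime(2019, 6, 12, 1, 0), "nightly-0612", False),  # failed verification
    Backup(datetime(2019, 6, 13, 1, 0), "nightly-0613", True),   # too close to installation
    Backup(datetime(2019, 6, 14, 1, 0), "nightly-0614", True),   # taken after installation
]

# Constructed: earliest evidence of the ransomware being installed (not the
# time files were encrypted, which is usually later).
INSTALLED_AT = datetime(2019, 6, 13, 10, 0)

def pick_restore_point(catalogue, installed_at, margin=timedelta(hours=12)):
    """Newest verified backup taken before installed_at minus a safety margin.

    The margin covers uncertainty in the installation estimate: a copy taken
    shortly before the first known artefact may already contain the dropper.
    Returns None when no clean copy exists, which the IR plan must also cover.
    """
    cutoff = installed_at - margin
    candidates = [b for b in catalogue if b.taken_at < cutoff and b.integrity_ok]
    return max(candidates, key=lambda b: b.taken_at) if candidates else None

def plan_recovery(catalogue, installed_at, margin=timedelta(hours=12)):
    """Summarise the decision for the runbook: which copy, and how much data is lost."""
    rp = pick_restore_point(catalogue, installed_at, margin)
    if rp is None:
        return {"restore_from": None, "data_loss_hours": None}
    # Changes written between the chosen backup and installation cannot be
    # recovered from this copy; this is the data-loss figure to report.
    loss = (installed_at - rp.taken_at) / timedelta(hours=1)
    return {"restore_from": rp.label, "data_loss_hours": loss}

if __name__ == "__main__":
    print(plan_recovery(CATALOGUE, INSTALLED_AT))
```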
Groucutt concluded: “The solution might not be quite as simple as releasing a trove of music to the public, but by having a plan in place, you can be confident the impact of a ransomware attack will always be minimal. Preparation breeds confidence, and means you’ll be able to maintain a consistently defiant stance if or when you’re faced with a ransom demand.”