One year ago, Citrix UK commissioned a poll from One Poll to find out what British businesses were doing to prepare for ransomware attacks.
Stockpiling digital currency, that’s what. It found that a third of UK companies were building a ready stockpile of digital currency – Bitcoin, for example – in case of ransomware attack. More than 35% of the large firms Citrix surveyed were willing to pay over £50,000 (USD $64,555) to regain access to important intellectual property or business-critical data.
According to Citrix’s Chris Mayers, the latest research, published to coincide with Infosec Europe 2017, shows that large British businesses are now prepared to pay out an average of £136,235 (USD $175,896) to regain access to their critical data.
That’s up, on average, by 361% over last year’s research.
Such payoff prep isn’t limited to ransomware: in October, the Guardian reported that several of London’s biggest banks were looking to stockpile Bitcoins in order to pay off crooks threatening to bring down their critical IT systems via massive DDoS attacks.
One may question, given the volatility of unregulated crypto-currencies, how smart it is to “stockpile” Bitcoins or other virtual currencies. As the Financial Times reported recently, “sky-high valuations for bitcoin have helped the value of crypto currencies burst through $50bn, raising fears of an asset bubble in the unregulated market”.
According to Andrei Barysevich, director of advanced collection at threat intelligence firm Recorded Future, one reason these companies are buying up Bitcoins for emergency use is that once the extortionists have penetrated a system, they’ll typically set a deadline for payment before they start destroying data. Unfortunately, that deadline is typically just hours away, and it doesn’t leave victims with much time needed to buy virtual currency, he told me:
It takes, at times, a week for brokers to process you.
It’s not like you can walk into your bank and buy $20,000 worth of Bitcoin. If you happen to live in a city with Bitcoin ATMs, you might be able to pay cash to get a bit of virtual currency, but you won’t be in the position of purchasing enough virtual currency to pay the tens of thousands that crooks typically demand.
As recent research from IBM has shown, 32% of surveyed businesses have paid extortionists to the tune of far more than a Bitcoin or two:
- 20% paid more than $40,000
- 25% paid $20,000-$40,000
- 11% paid $10,000-$20,000
In order for a business to get its hands on that volume of Bitcoin, it can take close to a month for a virtual currency broker company to vet personal information, Barysevich said. The brokers take their time: after all, they know how good at forgery and identity fraud crooks can be.
Chris Pogue, chief information security officer at Nuix, a company that provides information management technologies, told McClatchy that setting up a cryto-currency wallet ahead of time may well be morally repugnant, but it allows businesses to (optimally) get out of trouble quickly:
If they need to go to it, they are not spinning their wheels [setting] up a bitcoin wallet.
At any rate, here’s a fortunate piece of the then vs. now picture: more companies are girding their loins for attack than a year ago. In June 2016, only 20% of smaller companies – those with between 250 and 500 employees – had contingency plans for a ransomware attack. In 2017, that’s shrunk to only 7% who’d be caught with their pants down.
Things aren’t all peachy keen by any means, though. There are a whole lot of woefully unprepared businesses sitting on top of those Bitcoin piles: more than half (55%) of the 500 IT British companies surveyed said they weren’t doing simple security hygiene such as daily data backups.
Do backups actually help? They can, if you do them right. As SophosLabs has noted in its paper on how to protect against ransomware (PDF), inadequate backup strategy can be security hole numero uno.
Backups are ideally done in real-time, off-site and offline.
Given that best possible case scenario, you can see how companies can have backup plans that fail to truly protect their data. You can also see how companies might simply get overwhelmed by the enormity of fighting their way clear, as underscored by these musings from one of our readers, Raylund Lai:
Let’s take a hypothesis, the ransomware attack is not just a matter on “files” or data; it renders all servers and workstations and laptops (and probably network attached backups) not working at all. What these mean the IT department should have enough manpower to “resurrect” the servers and then users’ machines (workstations and laptops) for the company to operate as usual. I think it’s not difficult to understand a company, no matter [if] it’s large corporate or small business, will have overwhelming tasks to do so. Large corporate will have a lot of servers and user machines to handle while a small business will have limited resources/manpower. Hence, at least to me, to restore from ransomware attack is far more complex than I thought. 🙁
And as ransomware attacks continue, it’s clear that there’s far more that we have to do to protect data than to buy up digital currency and plan to pay ransom to crooks – a strategy that a) doesn’t ensure that they’ll actually release your data, and/or b) that they won’t come back looking for more money in the future, and/or c) invites future attack.
It’s better to keep the crooks out in the first place than to hope that a stockpile of Bitcoin is going to save your bacon. To that end, please do take a look at that paper on preventing ransomware (PDF). Sitting on a pile of Bitcoin might feel comfortable, but a good contingency plan entails a whole lot more padding.