We know ransomware can wipe out a business—maybe not so much from the cost of paying the ransom, but from the downtime it causes—so don’t get caught without a backup. I asked the experts whether a processor should pay the ransom, and while the responses were mixed, the moral of the story is: Have a backup!
Patrick McBride, Claroty: Ransomware has become the most prevalent form of malware attack, and it is a significant risk to operational environments. WannaCry and NotPetya both caused millions of dollars in damage to industrial environments last year. Both of these threats exploited known vulnerabilities for which patches were available. Patching systems in an operational environment can be very challenging due to limited maintenance windows, but we must include vulnerability scanning and patching as part of the solution.
Steve Pflantz, CRB: Ransomware gains access in similar fashion to other viruses or malware. Either prevent it, pay the ransom, or have backups or disaster recovery means and methods to reconstruct or restore your system. Ransomware basically locks up your system and holds it hostage. If you make a backup, then keep it on an external drive or storage media, or somewhere not closely connected to your system so that the ransomware cannot take your backup hostage. You can pay the ransom if it seems reasonable, but you should have a backup and disaster recovery plan anyway. Not just in case of ransomware, but in case some other failure or event damages or destroys your system and data.
Ragnar Schierholz, ABB Industrial Automation division: If you pay the ransom there is no guarantee that you will get your system back, and you may end up on a list of people who are known to pay the ransom, so will likely be targeted again in the future. One has to realize that these people are already in the process of committing a crime, so it is risky to trust that they will indeed do as they say and release the encrypted files. For example, the NotPetya malware had reportedly encrypted files and requested a ransom, even though there were no technical means for the attackers to obtain the keys necessary to decrypt the files. Essentially, it is assumed that the ransom was just a disguise for the essentially purely destructive malware.
Larry Grate, PREMIER System Integrators: You should have a good, tested, disaster recovery plan. The best created plan, which is not tested on a reasonable frequency, will become old and outdated quickly as technology on the site changes. Every asset on your list should be backed up and a separate, disconnected and offsite backup should be updated on a basis that makes sense for the risks associated with—and the frequency of change of—that asset. Most security professionals will tell you paying the ransom is not often a good or successful plan. You don’t want to put your future in the hands of a threat actor that already doesn’t have your best interests in mind.
Scott McCausland, Process and Data Automation: First of all—NEVER PAY THE RANSOM! Even if a ransom gives you your data back, by paying the ransom it is encouraging the attackers to continue and providing the monetary incentive to continue. Second, a strong backup policy can mitigate much of the risk when it comes to ransomware. The ability to restore to a recent copy, pre-ransom, can save significant dollars and stress. You should always employ multiple backup procedures—take frequent backups (full versions) and store one onsite and one offsite. Be proactive…train your staff to be cautious when opening emails and attachments, and be constantly diligent when downloading files.
For more information on cybersecurity, visit “How processors can guard against cyberattacks,” FE, October, 2018.