If your data center's ransomware recovery plan is to pay off the hackers with cryptocurrency, it's time to rethink your strategy as regulators crack down.
Today, every data center manager should be aware of the dangers of ransomware and have a disaster recovery plan that doesn't involve paying hackers’ ransomware demands.
But, according to a ransomware survey report released in June by Keeper Security, 49% of companies hit by ransomware paid the ransom — and another 22% declined to say whether they paid or not. Part of the reason why so many companies are paying hackers is the lack of usable backups.
It's not enough just to have tape backups of key databases in an offsite location somewhere. Yes, they're going to be safe from attackers, but restoration is going to take time and money. Often, paying the ransoms is cheaper and quicker.
That strategy might not fly for much longer.
Ransomware Payment Sanctions
Last week, the U.S. Treasury Department sanctioned a cryptocurrency exchange for its role in facilitating ransomware payments and issued an advisory to private companies making such payments that they might be facing sanctions risks.
According to the Treasury, ransomware payments reached $400 million — four times higher than in 2019. And that number is just a fraction of the total economic cost of ransomware.
"The new designations means that U.S. entities and citizens will be banned from performing transactions with sanctioned entities and could themselves face sanctions or enforcement actions for doing business with them," said John LaCour, founder and chief technology officer at PhishLabs, a cybersecurity firm. "No board will want to take on that personal risk."
Companies should change their mindsets, he added, to one where paying hackers is not an option.
"It can be a good exercise for companies," he told Data Center Knowledge. "Which data or systems would they have been willing to pay ransom for? And what additional protections do they need to apply to those systems so as not to find themselves in that position?"
The U.S. isn't the only country starting to crack down on crypto payments. On Friday, China announced a ban on all cryptocurrency transactions.
Ransomware Insurance Coverage
In addition, cybersecurity coverage may start to dry up for these kinds of events.
Insurance carriers have not explicitly said that ransomware payments will no longer be covered, said Jeff Palatt, vice president for technical advisory services at MoxFive, a technical advisory services company.
"But there is a trend where carriers are requiring stronger controls," he told Data Center Knowledge.
They are also getting more thorough in investigating those clients to determine whether they will offer them coverage, and at what price, Palatt added.
"We have already begun to see a shift in the market where more organizations must proactively invest in certain security controls in order to obtain insurance coverage," he said. "It is beginning to show more similarity to the life and auto insurance markets, which we can all relate to more closely."
Outlook on Paying Hackers’ Ransomware Demands
And, with the new guidance, companies may not be able to make ransomware payments. In fact, this has already happened to a number of his clients, Palatt said. "Organizations should absolutely start planning ahead for this."
So far, the government actions seem to be aimed at punishing the criminals, not the victims, said Adam Flatley, director of threat intelligence at Redacted and a member of the Ransomware Task Force at the Institute for Security and Technology.
"But it’s important to remember that we’re at the very beginning of a real push against these actors," he told Data Center Knowledge.
And whether or not a total ban on ransomware payments is coming, companies should still be doing everything in their power to recover without paying the ransom.
"Paying ransomware actors only encourages future attacks," he said.
There are also other reasons not to pay.
First, there's no guarantee that a company will get its data and systems back.
According to a ransomware survey released by security firm Sophos in April, only 8% of organizations were able to get all their data back after paying a ransom, and 29% got back less than half of their data.
Second, by paying the ransom, a company might be setting itself up for more attacks.
"There is a saying that says once a victim, always a victim," said Anurag Gurtu, chief product officer at StrikeReady. "Following a successful compromise, the news quickly spreads among adversaries, and other attackers target not only the victim organization but similar ones as well."