After carefully not listening to the advice from your IT company, as you were sure that this sort of thing would never happen to you, you have managed to wind up with your entire network encrypted by ransomware. What do you do now?

The first call to the IT company, to see whether those guys can magically fix it and make everything work again, didn’t go as well as you had hoped. Apparently your highly organised backup regime of copying a few files onto a USB stick whenever you remembered to do it had somehow failed you. Your last backup was two and a half months ago and only covered a few promotional images that you had paid for and a spreadsheet that became obsolete shortly after you’d copied it. With no real backup to speak of, there is nothing to restore. The IT company says that their only option would be to reset all the PCs to their factory states…
Meanwhile, the ransomware guys only want US$5,000 to put everything back and make the problem go away. Do you take the plunge and pay them? What is the official guidance on this? Is it even legal to pay a ransom like this?
It is not difficult to see how small businesses wind up in situations like the one described above, completely out of their depth from both a strategic and a technological angle. Many small businesses have no real security structure and only the bare minimum of protection, often in the form of free and/or home-use antivirus software. They do not spend any time trying to understand what they see as a minor part of being in business, so they have no idea what to do when the worst happens.
The Information Commissioner’s Office (ICO) has a few things to say about ransomware:
- The GDPR requires you to implement “appropriate measures” to restore the data in the event of a disaster. The ICO does not consider the payment of a ransom as an “appropriate measure” to restore personal data.
- Even if you pay, there is no guarantee that they will provide you with the decryption key.
- “Double extortion” is also common, where you pay for the decryption key and the attacker then requires an additional payment to stop the publication of the data.
- Attack groups may also target you again in the future if you have shown willingness to pay.
- Law enforcement do not encourage, endorse, nor condone the payment of ransom demands. The ICO supports this position.
The ICO goes on to say that if you are in the position of deciding whether or not to pay, then you have already lost control of your data; this is a data breach and you should take appropriate action. If the data included any personally identifiable information (PII) then the ICO and the data subjects must be informed within some pretty tight time frames.
I appreciate that I am preaching to the converted here, but always remember that good prevention is way better than trying to fix things once an incident has occurred.
- DO risk assessments
- DO put appropriate security measures in place
- DO automated off-site backups
- DO NOT assume that you will be alright just because it has not happened to you yet