John Pescatore - SANS Director of Emerging Security Trends
Paying Good Guys to Recover Data and Prevent the Next Ransomware Attack
This week’s Drilldown will focus on one item (included below) from NewsBites Issue 83, commenting on a report that a Mississippi school district paid a security consulting firm $300,000 to both recover the data impacted by the attack and correct weaknesses that enabled the attack to succeed.
Solid data on the actual costs of cyber incidents in general, and ransomware in particular, is hard to find. In May 2020, cybersecurity vendor Sophos published a survey of 5,000 IT managers that provided one data point:
- 94% of organizations whose data was encrypted got it back. More than twice as many got back their data via backups (56%) rather than by paying the ransom (26%).
- Paying the ransom doubles the cost of dealing with a ransomware attack. The average cost to rectify the impacts of the most recent ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity, ransom paid, etc.) is $732,520 for organizations that don’t pay the ransom, rising to $1,448,458 for organizations that do pay.
Source: “The State of Ransomware 2020,” Sophos (May 2020)
These costs obviously vary by organization size and preparedness before the attack. But the basic message to management remains the same: Ransomware payments may stop the pain, but don’t cure the underlying problem.
The approach taken by the Mississippi school district appears to be a bargain, since it included recovery and improving the security baseline to raise the bar against impact by future attacks. This is what should happen after any security incident, regardless of whether extortion is involved--respond, recover and reduce residual risk.
Whether to pay a ransomware demand remains a complex business decision. When cyber insurance is involved, improvement efforts may not be covered, but ransom payments may be. In Q1 2021, SANS instructor Ben Wright and I will be writing a SANS research paper on the topic, including how cyber insurance factors into the decision, to support informed decision making.
Bottom line: Be proactive and get cost estimates on recovery and remediation support in advance to support informed decision making by management.
Mississippi School District Paying a Company to Help It Recover Files After Ransomware Attack
(October 19, 2020)
The Yazoo County School District in Mississippi chose to pay a private company $300,000 to regain access to encrypted files. The district became aware of the ransomware attack on Monday, October 12. It took its IT systems offline and solicited help from a cybersecurity company to help the district recover its files.
[Pescatore] It looks like the $300,000 is to both improve security and recover the data. Essentially, rather than pay the arsonist to put out the fire in your burning house, you pay a contractor to rebuild it to existing fire codes and build in smoke detectors and sprinklers--essential safety requirements.
[Neely] Paying the company not only to restore files but also to put in protections to prevent recurrence is a good approach, and it's more cost effective to implement controls prior to a compromise. The challenge we all face is obtaining management support to fund and resource the efforts when the attack is just a potential. The Yazoo County School District can be a case study to strengthen your position.
Read more in:
Infosecurity Magazine: Cyber-Attack on Mississippi Schools Costs $300,000