Steve Donald, CTO, Hexis Cyber Solutions

Ransomware is making headlines across the globe, particularly in the healthcare sector, where attacks on US institutions have been rife: strikes on the Chino Valley Medical Center, the Kentucky Methodist Hospital and the Desert Valley Hospital have raised some very prominent warning signs across the pond in the UK.

Not only does ransomware result in the temporary loss of data, it also leaves services out-of-pocket. The Hollywood Presbyterian hospital, for example, paid the Bitcoin equivalent of £11,000 in February this year to regain control of its mission-critical communications systems from cyber hostage-takers.

According to reports, the attack even forced medical staff to revert to paper medical records. The 10-day intrusion locked employees out of critical electronic medical record systems, among others. The hospital explained that the “quickest and most efficient way to restore its systems and administrative functions was to pay the ransom and obtain the decryption key.”

With the NHS looking to digitise medical records and put the population's health data online, the question is “when” rather than “if” such attacks become prevalent in our healthcare system. And as they do, the pressing question becomes: “to pay or not to pay?”

Risk/benefit analysis needed on whether to pay up

There's a school of thought that one should never pay a ransom, but even the FBI admits that ironclad refusal isn't always the best option.

When it comes to the ransomware threat, criminals are market-savvy. They know the precise cost of a particular dataset and will play on human emotion to get what they want. Analysing the benefits and risks of paying up for data will help determine what action to take when an enterprise is hit by this insidious threat.

Think about the end result

We must remember that each situation is unique in terms of the consequences it presents and these should be tackled on a case-by-case basis. Organisations need to consider how valuable the stolen data set is and whether it warrants paying up.

Organisations need to be as savvy as the criminals when they are contemplating whether to pay up. If it is a matter of life or limb, then I would argue that this warrants paying a ransom immediately.

However, if the ransomware is merely an inconvenience, with data unavailable and individuals unable to carry out tasks for a few days, then the ransom should not be paid.

Being made to pay

Let's say an organisation was to pay. What are the risks involved? On the one hand, historic ransomware payments have been secure. Institutions that have paid in the past, including the Hollywood Presbyterian, did so using Bitcoin. This essentially means that no physical money or banking details changed hands. The payer uses a third-party broker to conduct the encrypted transaction and so has no way of knowing where the funds end up, not to mention no way of tracing the criminal.

So after such a transaction is complete, what is the likelihood of the organisation actually getting its precious datasets back? Almost certain.

In the analysis of ransomware attacks so far, every criminal has released the data back to its original location. The first ransomware criminal not to honour this agreement will ruin the game for everyone.

Enterprises shouldn't treat these apparent assurances as a reason to pay up. Paying the bad guys can also have repercussions, and it shouldn't always be the 'go to' solution for an enterprise. A decision to pay must be worthwhile and justified, because these actions only succeed in giving criminals the upper hand and a clear mandate to attack other vulnerable institutions and services.

Paying up in any other situation not only puts enterprises out of pocket, but also actively fuels the weaponisation of ransomware for all of us.


In figuring out a strategy to stem the tide of ransomware hacks, it's important to know the two forms this type of attack takes: locker and cryptoransomware.

Locker was once the most common, but these attacks have declined as illicit actors learn the more sophisticated method of cryptoransomware. Locker attacks restrict access to an entire computer system, and it is the resulting panic that drives payouts to the bad guys.

Cryptoransomware targets only the most valuable parts of the networks and endpoints it attempts to disrupt. A computer under this type of attack will still work. However, access will be denied to encrypted files. It's a type of judo, explain the authors of the ICIT report.

"Cryptoransomware is as simple as weaponising strong encryption against victims to deny them access to those files," the researchers write.

"After the initial infection, the malware silently identifies and encrypts valuable files. Only after access to target files has been restricted does the ransomware ask the user for a fee to access their files."

Another reason to back up regularly

Understanding the type of ransomware attacking an enterprise helps organisations plan their best line of defence. Building a culture of consistent back-ups in the enterprise is the most effective protection against such threats.

If you can easily restore any valuable information ransomware has denied you access to, you effectively neutralise the attack. Of course, if you've let hackers into your system and they've accessed the data and found information that would be embarrassing or harmful to business if made public, the data could be leveraged for cyber-blackmail.
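The two passages above make a practical point: cryptoransomware silently rewrites valuable files, and a backup only neutralises the attack if you know, before you need it, that the copy is complete and untouched. The script below is an added example, not code from the article or from Hexis: it builds a SHA-256 manifest of a backup tree, verifies a tree against that manifest (missing, changed and added files), and reports the fraction of inventoried files that have been altered, which is the signal a sudden mass rewrite produces. The directory layout, file names and the 10-file sample tree are constructed for the demonstration.

```python
"""Backup manifest verification and mass-change detection.

Added example: builds a trusted SHA-256 inventory of a backup snapshot,
checks a tree against it, and measures how much of the inventory has been
altered. Paths, file names and thresholds below are constructed assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, '/' separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_against_manifest(root: Path, manifest: dict) -> dict:
    """Compare a tree with a trusted manifest taken earlier.

    Returns which inventoried files are missing, which have a different
    digest (changed), and which files exist now but were never inventoried.
    """
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "added": sorted(set(current) - set(manifest)),
    }


def backup_is_restorable(report: dict) -> bool:
    """A backup copy is only usable if nothing is missing or altered."""
    return not report["missing"] and not report["changed"]


def mass_change_ratio(report: dict, manifest: dict) -> float:
    """Fraction of inventoried files that are missing or changed.

    A cryptoransomware run rewrites many files in a short window, so a
    ratio that jumps between two scheduled checks is a useful alarm.
    """
    if not manifest:
        return 0.0
    return (len(report["missing"]) + len(report["changed"])) / len(manifest)


def demo() -> dict:
    """Constructed scenario: inventory a records tree, confirm the intact
    copy verifies cleanly, then rewrite 8 of 10 files with random bytes
    (standing in for encrypted content) and add one uninventoried file."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "records"
        live.mkdir()
        for i in range(10):
            (live / f"patient_{i}.txt").write_text(f"constructed record {i}\n")
        manifest = build_manifest(live)

        clean = verify_against_manifest(live, manifest)

        for i in range(8):
            (live / f"patient_{i}.txt").write_bytes(os.urandom(64))
        (live / "new_report.txt").write_text("constructed, not in manifest\n")
        damaged = verify_against_manifest(live, manifest)

        return {
            "clean_ok": backup_is_restorable(clean),
            "damaged_ok": backup_is_restorable(damaged),
            "changed": len(damaged["changed"]),
            "added": damaged["added"],
            "ratio": mass_change_ratio(damaged, manifest),
        }


if __name__ == "__main__":
    result = demo()
    print(f"intact copy restorable: {result['clean_ok']}")
    print(f"damaged copy restorable: {result['damaged_ok']}")
    print(f"files changed: {result['changed']}, added: {result['added']}")
    print(f"share of inventory altered: {result['ratio']:.0%}")
```

In practice the manifest is written at backup time and stored apart from the data it describes (an offline or write-once copy), so that the same event that encrypts the files cannot also rewrite the inventory; running the verification on a schedule turns the backup from a hope into a tested control.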

One solace for victims of ransomware is that cyber-insurance policies are increasingly written to reimburse for the costs associated with these attacks. If your company has this type of insurance, check to see if ransomware is covered. If not, look into adding a rider to your organisation's policy.

So while 2016 may indeed become the "Year of Ransomware," it could also become the year companies and organisations figure out how to detect, verify and respond to this insidious threat.

Contributed by Steve Donald, CTO, Hexis Cyber Solutions