
How to Deal with Ransomware: Mitigate the Damage, Don’t Pay the Ransom

Author: Delta Risk Senior Security Consultant John LeBrecht

Organizations continue to be faced with a tough dilemma: pay the ransom, or rely on a contingency plan to regain access to critical files and systems.

Hancock Health is one example of an organization that paid the ransom. Infected by the SamSam ransomware, the Indiana-based hospital spent $55,000 to get its systems up and running again, despite having backups. It decided that paying the ransom would be faster than restoring from those backups, which could have taken days or weeks, to unlock its email system and internal operating system.

Since it’s difficult (and in some cases, impossible) to break ransomware encryption, and since sensitive files often contain irreplaceable information, organizations often end up paying the ransom. Many organizations might not believe they have a choice.

However, paying the ransom is a risky proposition. There is no guarantee that a decryption key will be provided after the crooks get their money. According to a recent survey by Druva, even when the ransom was paid, nearly half of the victims didn’t get their files back. There’s no honor among thieves, after all.

So, what can you do to prevent or lessen the damage and cost of these malicious criminal operations?

Security Controls Can Mitigate the Damage

In a previous blog, I outlined how security controls could improve overall security and lessen your organizational risk. You can rely on these same controls to limit your ransomware risk. For instance, you can lower your exposure to ransomware by employing specific controls found in the National Institute of Standards and Technology (NIST) Security and Privacy Controls for Information Systems and Organizations.

In addition, since ransomware usually gets into systems through email attachments and malicious websites, user awareness plays a critical part in prevention. By adhering to the NIST Awareness and Training (AT) family of controls, your employees and contractors can better understand the risks and key prevention steps. If you apply and enforce the AT-2 control, you not only provide basic security training, but also prevent the spread of malware in the first place.

Most malware preys on unsuspecting users to deliver its payload. Emails and websites that look legitimate are created to lure people into clicking on a link or an attachment. By clicking through, they allow attackers to access the network. Users need to be aware of this, along with other new and emerging ransomware tactics.

Restrict and Manage Administrative Rights

Controls that ensure antivirus programs are updated and patches are applied across your network are critical in preventing ransomware. After all, even the most aware users can still be influenced by crafty criminals to give up a password, whether by clicking on a link or by divulging that information over the phone. By running well-patched applications and current antivirus software (and frequently scanning to make sure these patches and software are up to date), you can prevent the delivery of ransomware payloads even if credentials are stolen.

Similarly, using controls that restrict and manage user administrative rights can keep cyber criminals at bay. These attackers typically leverage elevated privileges to gain permission to install their malware and open sensitive files. NIST provides guidance for reducing the risk of these powerful accounts.

For example, Access Control (AC-6) describes the concept of “least privilege”: granting users only the authorized access necessary to accomplish their assigned tasks. By restricting privileged access to a small set of designated users, you can significantly deter an attacker from installing ransomware and gaining privileged access across the network. You can also prevent them from locking critical files.

Ultimately, criminals may get to the front desk of your network, so to speak, but if you implement the AT-2 and AC-6 controls, you can keep them waiting in the foyer.

Don’t Pay the Ransom

After all your prevention efforts, what if attackers still get in, lock your files, and demand payment? You have no choice, right? Time to pay up.

Well, not exactly. If your organization strictly adheres to a security controls program, it can still recover from ransomware and decrease the impact. For instance, the NIST Contingency Planning (CP) controls address not only the backup of critical information, but also backup intervals, offsite storage, and frequent restoration testing.

Maintaining trusted backups of all critical information at an offsite location can help you avoid paying the ransom and restore recent backups without a decryption key. While it might not be the ideal way to go, having reliable, up-to-date backups that are segmented from the network can put you back in business in a matter of hours.

With the impact of ransomware so debilitating—loss of critical information, loss of productivity, ransom costs, reputational damage—the effort to prevent and recover from ransomware is well worth it. However, it doesn’t have to be difficult or expensive.

Basic adherence to tried-and-true security controls may not prevent all ransomware. However, strict adherence to a comprehensive control methodology, and frequent monitoring of the controls’ effectiveness, can reduce the likelihood of a successful ransom campaign against your organization in 2018 and beyond.

For more information on the impact of ransomware, check out our ransomware eGuide, “What You Need to Know About Ransomware & HIPAA Compliance.”

John LeBrecht is senior security consultant at Delta Risk LLC. Read more Delta Risk LLC blogs here.