Ransomware – Should You Pay?

Last night I watched an episode of Chicago Med (Season 2, Episode 19). It happened to be about ransomware. Chicago Med was infected with ransomware, rendering all computer systems (doctor’s tablets, MRI machines, patient history systems, diagnostic systems, etc.) useless. The staff of Chicago Med had to resort to “manually” doing everything – filling out paper lab requests, using a whiteboard for patient status, using old school methods to diagnose patients, etc.

A debate ensued about whether Chicago Med should just pay the ransom, which was around $30k. The staff had differing opinions in the episode.

This is a debate worth discussing, as I do not see a clear answer to the question “should I pay the ransom”, other than “it depends”.

Ransomware Attack - Manual method

The reliance on medical technology makes manual processes like this prone to mistakes

I tend to look at everything from a risk perspective. Sure, it’s easy to say “our policy is we do not pay the ransom”, but at what cost? Many people have polarizing opinions on just about everything, including this topic. It’s easy to make recommendations from afar. What if your spouse was in a hospital and needed immediate emergency treatment, but treatment was delayed because of ransomware? Every second in this delay increased the risk that your spouse might die. Would you still support the policy “we do not pay the ransom”, even if it meant your spouse may die? Is $30k worth more than your spouse?

Also, the rationale for the “we do not pay the ransom” policy goes something like this – “if the hackers know we do not pay the ransom, they won’t attack us”. This is flawed logic because many cybercriminals release ransomware into the “wild”, non-directed, to spread to as many systems as possible, so they can maximize odds of success and returns.

The Chicago Med hospital administrator was adamant about not paying the ransom, but one of the doctors paid the ransom himself. After the ransom was paid, all the systems came back online and everything went back to “normal”. The doctor that paid the ransom simply stated that the risk was too great and that he had calculated the ROI and it was an easy decision.

But, wait…what if you pay the ransom and the hackers just take your money and don’t decrypt your systems? 

This is certainly a possibility, although it is almost never the case. Most cybercriminals are in the business of making money, so their business models support this objective. Cybercriminals probably analyze risk in greater depth than most IT staff or cybersecurity staff.

Risk is a real issue that is almost always overlooked. Sure, screw paying the ransom if:

  • Your IT/Cybersecurity Staff has an up-to-date and rehearsed Incident Response Plan
  • Your IT/Cybersecurity Staff has current, up-to-date backups that can be restored quickly
  • Your IT/Cybersecurity Staff can source the ransomware infection and prevent it from occurring again after the backup restoration
  • Your IT/Cybersecurity Staff knows which vulnerability the ransomware exploited
  • Your IT/Cybersecurity Staff knows the extent of the infection – did the infection hit the backup systems?

In the Chicago Med episode, they had to end up diverting patients to other hospitals because of the ransomware. The Chicago Med IT Staff seemingly did not have a plan, at least a timely one, to restore the hospital systems.

I’m certainly not advocating people pay the ransom, but blindly making blanket policies without understanding risk is a huge problem, especially at places where time is of the essence, such as hospitals.

So, what can you do to help with RANSOMWARE? I recommend 3 things to start:

  1. Perform a risk assessment against your environment – identify your critical assets (data and systems). Not everything is critical. Narrowing your focus to what is critical, then prioritizing accordingly allows you to better protect these systems and restore them in a prioritized manner. Too many organizations try to equally protect everything. This is a huge mistake, as everything is half-ass protected, which doesn’t cut it. It’s better to protect your 10 critical assets 100% and leave the 90 noncritical assets at 50%. This is better than all 100 assets being protected at 60%, which is a common mistake.

  2. Once you know your critical systems, make sure those systems (and the applications installed on them) are patched routinely and that they are backed up (the system itself as well as the data on the system) as frequently as needed.

  3. Secure and test your critical system backups. Make sure the backup system is secure. If the ransomware hits the backup system, the backups are no good. Also, make sure you know how to restore from backups. This seems simple, yet it is often overlooked. I’ve seen many organizations back up their data routinely and religiously and never once test the restoration procedures. During an incident, they found out that the restoration procedures did not work at all or only partially worked.
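The third step, actually rehearsing a restore, is the one most often skipped, so here is what a minimal scheduled restore drill can look like. This is an added example, not code from the original post or from Alpine Security: it backs up a directory together with a SHA-256 manifest taken from the live data, restores the archive into a throwaway scratch directory (never onto the production system), and checks every file against the manifest, so silent corruption or an incomplete restore surfaces as a FAIL long before an incident does. It assumes a Linux host with GNU coreutils (`sha256sum -c`), `tar` and `mktemp`; the sample records it creates are constructed for the demo.

```shell
#!/bin/sh
# Backup restore drill: the "make sure you know how to restore from backups"
# step as a script. Added example, not code from the original post.
# Assumes GNU coreutils (sha256sum -c), tar and mktemp; all paths are absolute.
set -eu

# make_backup SRC_DIR ARCHIVE MANIFEST
# Archives SRC_DIR and records a SHA-256 hash of every file, taken from the
# live data at backup time. A later restore is checked against this manifest.
make_backup() {
  src="$1"; archive="$2"; manifest="$3"
  ( cd "$src" && find . -type f -exec sha256sum {} + | sort -k2 ) > "$manifest"
  tar -C "$src" -cf "$archive" .
}

# restore_and_verify ARCHIVE MANIFEST
# Restores into a fresh scratch directory (never onto live systems) and checks
# every manifest entry. Returns non-zero if any file is missing or altered.
restore_and_verify() {
  archive="$1"; manifest="$2"
  scratch=$(mktemp -d)
  status=0
  tar -C "$scratch" -xf "$archive" || status=1
  if [ "$status" -eq 0 ]; then
    # sha256sum -c exits non-zero on any mismatch or missing file
    ( cd "$scratch" && sha256sum -c --quiet "$manifest" >/dev/null 2>&1 ) || status=1
  fi
  rm -rf "$scratch"
  return "$status"
}

# drill_result ARCHIVE MANIFEST
# Echoes PASS or FAIL so a cron log or monitoring check gets a one-word verdict.
drill_result() {
  if restore_and_verify "$1" "$2"; then echo PASS; else echo FAIL; fi
}

# run_demo
# Builds constructed sample data, backs it up and verifies it (expect PASS),
# then produces an archive whose contents silently changed while the manifest
# did not, simulating a corrupted or tampered backup (expect FAIL).
run_demo() {
  work=$(mktemp -d)
  mkdir -p "$work/data/records"
  printf 'patient-0001,constructed sample row\n' > "$work/data/records/intake.csv"
  printf 'constructed lab request\n' > "$work/data/records/lab.txt"

  make_backup "$work/data" "$work/good.tar" "$work/manifest.sha256"
  good=$(drill_result "$work/good.tar" "$work/manifest.sha256")

  # One record changes after the manifest was written; the manifest catches it.
  printf 'TAMPERED\n' >> "$work/data/records/lab.txt"
  tar -C "$work/data" -cf "$work/bad.tar" .
  bad=$(drill_result "$work/bad.tar" "$work/manifest.sha256")

  rm -rf "$work"
  echo "$good $bad"
}

run_demo   # prints: PASS FAIL
```

In production the manifest belongs with the backup but on storage the backup host cannot overwrite (a separate account or write-once bucket), since a manifest that ransomware can rewrite proves nothing; and the drill should restore a sample of the critical systems identified in step 1, not just a file tree, on a schedule that matches how often those backups are taken.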

If you’re unclear on how to perform the risk assessment or need help with a cybersecurity plan, Alpine Security can help you with our CISO-as-a-Service.

70% of Cyber Attacks Will Be Against Small Businesses in 2020

In 2020 it is estimated the percentage of cyber attacks against small businesses will be close to 70%. It’s also estimated that in 2020 the cost of cyber attacks is going to be around $5 trillion. That’s trillion with a T. And if 70% of the attacks are against small businesses, then obviously the small businesses are going to be paying for a lot of that $5 trillion. Cyber attacks affect small businesses in a few ways. This post discusses how cyber attacks affect small businesses and what can be done about it.

The Effect of Ransomware and Stolen Data on Small Business

One way cyberattacks affect a small business is when the business is hit with something such as ransomware. The ransomware can render systems useless for one or two weeks, so the small business can’t provide the service or produce the product it needs to generate revenue. Basically, they’re dead in the water for one or two weeks with no revenue coming in. That alone can take a small business out of business.

The other primary way a cyber attack costs a small business is when the business’s client data is stolen. Typically, for every record that’s stolen the small business has to pay for credit monitoring. There’s a clinic in Missouri that was put out of business. They had 20,000 patient records stolen by an attacker. They had to pay for credit monitoring for all 20,000 of those patients. The credit monitoring, I’m not exactly sure the price, but I think it was around $20 per person. So if you had 20,000 records stolen and you have to pay $20 per record, that’s $400,000 that small business had to pay per year in credit monitoring fees. Most small businesses do not have a cash reserve of $400,000, so that took the clinic out of business.

Why Do Cybercriminals Attack Small Businesses?

You may ask yourself, “Why do attackers go after small businesses? Why is the percentage so high for small businesses?” There are two main reasons. The first reason is that most small businesses do not have a very mature cybersecurity program. They don’t have dedicated staff working solely on cybersecurity; it’s typically somebody’s additional duty. The attackers know this, and they know they can more easily get into a small business than a larger one, because most large organizations have a dedicated cybersecurity staff and a mature cybersecurity program.

The second reason is attackers will attack a small business and use that business as a foothold to attack a larger business. Small businesses typically have relationships with larger businesses. If the large business is fairly secure but the small business is not, the attacker’s going to go after the small business and then leverage that relationship from the small business to attack the larger business.

An example of this is Target. Target’s a large store. Obviously, they’re all over the place, but Target wasn’t attacked directly because they have a fairly mature cybersecurity program. The HVAC (heating, ventilation and air conditioning) vendor was attacked. The HVAC vendor for Target was a small business. So the attackers attacked the HVAC vendor and then leveraged the HVAC vendor’s relationship with Target. The attackers rode the trusted connection from the HVAC vendor to attack Target and compromise Target’s point-of-sale machines, stealing customers’ credit card numbers.

As a recap, the two reasons small businesses are attacked:

  1. They are typically not very mature in the cybersecurity maturity process
  2. They are often leveraged to attack the larger business

What Can You Do?

My company, Alpine Security, believes small businesses are vital to the economy. We’re a small business and we want to support other small businesses. So we’ve come up with our fractional virtual CISO service, which offers an affordable means for small businesses to develop cybersecurity capabilities in alignment with risk tolerance, industry, and business objectives. To learn more about our CISO service, you can call us at (844) 925-7463, email us at info@alpinesecurity.com, or visit: https://alpinesecurity.com/services/ciso-as-a-service/

It is in our interest to help small business owners protect their environments from being attacked.