How to respond when hackers target your company with “ransomware”

It’s an increasingly common form of extortion: hackers gain access to your data, encrypt it, and demand a ransom for the key. Here’s how to respond.


Last spring, the University of Calgary paid cyberattackers $20,000 to lift a ransomware takeover of its computer system. Is there a better way to deal with digital blackmail? We asked the experts how companies should respond if they’re targeted—and how to ensure it doesn’t happen again. Here’s what they said.

Don’t negotiate with criminals

“During a ransomware attack, a notification usually pops up on your screen asking you to pay a fee to regain access to your data or control of your computer. It looks like customer service messaging, and it’s almost like civilized blackmail.

“It may be tempting to pay, especially if the perpetrators aren’t asking for much money, but that just perpetuates this kind of criminal activity. Every time you pay the ransom, it has implications beyond your individual problem. You’re contributing to the continuation of the issue, and you’re making it more likely that others will suffer the same kind of attack.

“The only way to proceed is to show the criminals that this is not an effective way for them to do business. Your first move should be to figure out if you can decrypt the ransomware. But often you can’t, and whatever you lose, you have to accept that you don’t have it any longer and continue with your business, in some cases, as if you’re starting that day. It’s a brutal suggestion, but the best thing to do is pick up the pieces and move on.”

–Avner Levin, Director, Privacy and Big Data Institute, Ryerson University, Toronto

Spread the word far and wide

“Interfering with access to data and use of computers is a criminal offence, but an ordinary business that’s the victim of this kind of ransomware is never going to get legal redress. For one thing, the perpetrator is probably not in Canada. And law enforcement just doesn’t have the capability or the resources to do anything about these smaller incidents.

“If you have been attacked, you should worry instead about informing the parties that might be affected. Organizations that have been the victim of a cybersecurity incident may have a number of legal obligations to report or disclose the incident, not only to government but also to other organizations and individuals whose data might be involved. There are statutory obligations to report—in Alberta and, soon, federally—if there’s a cybersecurity incident that presents a real risk of significant harm to an individual. In addition, there may be other legal obligations. For example, if the data comes from another business, you may have a contractual obligation to report, or if you’re a merchant that accepts credit cards, you must comply with Payment Card Industry Data Security Standard rules.

“Depending on the circumstances—what the incident is and what data is in question—you have to figure out how to go about giving the notice. It may be on an individual basis; if you’re a large retailer with tens of thousands of customers, then a public notification may be necessary.”

–Bradley Freedman, Partner, Borden Ladner Gervais LLP, Vancouver

Minimize your exposure now

“The best way to be prepared for a malware attack is to get everything correct in-house—security systems and procedures, backups and so on. If you’ve been attacked and don’t have the backups and security strategy in place, then the question is: Can you afford to lose what they just took away from you? If the answer is yes, then don’t pay the bribe. The moment you pay, you’re basically being placed on a list of people who can be hacked, and [hackers] sell these lists on the dark web. We started seeing ransomware popping up about four years ago in the corporate world, and if you look at the percentages of people who have paid, close to 50% of them have been attacked again.

“Decryption is not a reliable solution. Instead, save your money and put it toward a better security system. It doesn’t have to be the Pentagon; with a little bit of effort, you can be secure. Do a security assessment at least once a year to find out if you have any vulnerabilities in your system.”

–Daniel Tobok, CEO, Cytelligence Inc., Toronto