To pay or not to pay: What to do when ransomware attacks


September 14, 2017

Last week’s Equifax hack shone a critical light on the firm’s cybercrime prevention strategies, but also brought renewed attention to common hacking techniques and how businesses deal with the aftermath. However, in terms of cybercrime, ransomware attacks pose a unique challenge. Instead of tracking attackers through the company’s own environment, incident response professionals must first limit the scope of the damage and then decide how far they’re willing to go to placate the attackers.

Any way you slice it, determining whether to pay ransomers means gambling with your files and databases—and there’s no way to know whether hackers will actually honor their word if you pay up. Ultimately, ransomers want you to believe that you have only one choice: pay, or the database gets it. But if you’ve been regularly backing up your files and are willing to do some creative web-sleuthing, it’s possible to resolve the issue without losing much of your data at all. Before you make a decision, follow the steps outlined below.

Gauge the extent of the damage

Just as doctors can’t prescribe medicine until they’ve diagnosed their patients, you won’t be able to triage your networks and computer stations until you get a clear look at the damage. Most attackers use encrypting ransomware variants, which typically lock files and send a ransom note detailing what to do if users ever want to see their data again. For instance, the WannaCry virus—one of the largest ransomware attacks in the history of malware—exploited a vulnerability in Windows operating systems to copy and lock users’ files, preventing them from being accessed without a decryption key.

Viruses like these are often disseminated through phishing emails containing suspicious files or dangerous links, but some can spread across networks to infect your whole team. With this in mind, it’s important to find out how severely your computers and servers have been impacted before you even begin to think about paying a ransom.

Isolate the virus

Once you’ve determined the extent of the breach, you’ll want to try to limit the damage. Any users who’ve reported symptoms should be immediately disconnected from the network to keep the virus from spreading, and you should send out a company alert so unaffected users know what to look for. Warn them to watch for emails with suspicious attachments or links, and emphasize that hackers often use realistic-looking documents such as invoices to trick users into downloading. Additionally, tell your team to let IT know about any signs of an attack as soon as possible.

You’ll also want to check server files and temporarily lock down your network drives while your team reviews file activity, as a high incidence of file renaming often indicates an attack. Lastly, make sure that your network security monitoring systems are current and that up-to-date virus protection is installed on all machines in your office.

Look for a decryption tool

Ransomware spreads like… well, a virus. If an attacker has found their way to your company’s hardware, there’s a good chance you’re not the first to be affected. Most ransomware is little more than a few lines of malicious code, so while it’s not exactly easy to unlock your files, it’s not impossible, either. In fact, the No More Ransom Project—a joint effort by law enforcement and security professionals—hosts a free online diagnostic tool for ransom victims. Upload an encrypted file to the project’s Crypto Sheriff to check for and download a decryption solution. Malware Hunter Team offers a similar service here.

Alternatively, you can try doing a little detective work of your own: Paste the text of the ransom note into Google and see what pops up, then follow one of the ransomware removal guides over at You may just find a solution!

Check your backups

If you’ve been using a backup service or regularly saving backups to an external drive, you can avoid the decryption tool hunt and simply restore your files using an earlier, unaffected version. However, your backups may also be encrypted, so make sure to check them first. If the files look good, wipe any affected machines and reinstall their operating systems before copying over the backed-up files. Be sure to install updated malware detection software as well.


Don’t pay the ransom if you can avoid it

Security experts—including the FBI—typically recommend that infected businesses not pay hackers. Think of it this way: You’re dealing with criminals who’ve already proven that they’re not to be trusted, so should you really believe they’ll give back your files after you pay? In fact, payment often encourages ransomers to restore a small portion of your files and then ask for more money, keeping you dangling like a fish on a line.

For many security professionals, taking a risk is only part of the problem associated with paying a ransom—there’s an ethical issue at play, as well. Paying attackers makes malicious attacks more likely to occur in the future and may even get you added to a list of easy targets.

If you opt to pay, negotiate first

If your attacker has successfully encrypted mission-critical files and you’re without usable backups, payment may be your only option. In this case, you should always try to negotiate by using the contact information in the ransom note to offer the hackers a lower ransom in return for your files.

While there’s no guarantee that your offer will be accepted, anecdotal evidence suggests there’s at least a chance. In this example, a hospital was able to negotiate a ransom down from $3.6 million to $17,000—a fraction of the original demand.

Keep in mind that although attackers frequently use deadlines and other psychological tactics to panic users into making a decision, security experts have found that ransom deadlines are often flexible. Maintain a cool head when dealing with your attackers, and you may just be able to minimize the damage.

Prevention is the best solution

While you can’t turn back time, you can ensure you’re ready the next time ransomware strikes. First, check that all your operating systems are up to date, and ascertain that every endpoint has antivirus and antimalware software installed, with critical data regularly backed up to an external drive.

You may also want to take more thorough preventative measures, such as conducting a security risk assessment and evaluating your critical data and backups. This is where MyITPros can help! Reach out to our business security specialists to establish a full asset inventory and create regular data backups, as well as to gain access to 24/7 server monitoring and help from our support team. Take that, ransomware!

We're Integris. We're always working to empower people through technology.

Keep reading

Top 10 IT Best Practices To Adopt Right Now

Top 10 IT Best Practices To Adopt Right Now

Welcome to the Top 10 IT Best Practices To Adopt Right Now. This simple, non-technical “listicle” (slightly updated since December of 2021) covers some of the most valuable technology tips we can assemble into a five-minute read. Some of the recommendations are a...