You just sat down at your desk and a warm coffee is gently steaming next to your mouse. You start your computer and out of nowhere a ransom note pops up! The bad actors are at it again, demanding payment for your now encrypted data.
Unfortunately, this scenario is not uncommon – so, what does it look like in real life?
Story Time
On April 29th, 2021, attackers gained access to the network of Colonial Pipeline through a stale VPN account: one that was no longer in active use but still accepted its password, with no multi-factor authentication in front of it. This was no small target. Colonial operates the pipeline that carries gasoline, diesel and jet fuel from Houston, TX up the East Coast, roughly 45% of the fuel consumed there.
It wasn't until May 7th, about a week later, that Colonial's staff even learned of the intrusion, when a ransom note appeared on a control-room computer demanding 75 Bitcoin (about $4.4 million at the time). The group behind it, "DarkSide", had compromised Colonial's business IT network and had already copied data out of it. Colonial could not tell how far the attackers had reached, so it shut the pipeline itself down as a precaution, halting fuel deliveries for days. Colonial paid the ransom within hours. The decryption tool it received was so slow that the company restored largely from its own backups anyway, and the U.S. Department of Justice later seized about 63.7 of the 75 Bitcoin.
So, Should You Pay the Ransom or Cut Your Losses?
The FBI and CISA advise against paying. Payment funds the next attack, it does not guarantee you get your data back, and if the group behind it is on the Treasury Department's (OFAC) sanctions list, the payment itself can be a sanctions violation.
However, cutting your losses is much easier said than done. It is beyond difficult to simply "let go" of the content that you invested all that time and effort to create. But consider this: even if you do pay, there is no guarantee that the bad actor will hold up their end of the deal. The decryptor may be slow or buggy (as it was for Colonial), and if the attackers copied your data before encrypting it, paying does not get that copy back. We also read stories of bad actors raising the ransom after an initial payment, because they read payment as a signal that you are willing to play their game, and you are now doubly invested in getting your data back from them.
If, at this point, you're still wondering, "Should I pay the ransom?", the answer is absolutely not. Cut your losses and forfeit your data. The question you should really be asking is, "What should I do so that I never have to make this choice?"
What Protecting Yourself Looks Like
Make daily backups of your data. Use a SaaS (Software-as-a-Service) or cloud backup service, ideally one that keeps older versions so an encrypted copy cannot overwrite the good one, and also keep a physical, air-gapped copy on a USB drive or other removable media.
Why the extra layer of backups?
If your SaaS or cloud backups are compromised, you still have the air-gapped copy on your USB drive. Attackers deliberately go after backups first so that paying is your only way to recover, and a USB drive that stays plugged in is just another drive for them to encrypt.
A backup that is physically disconnected cannot be reached over the network at all, which makes air-gapping the most reliable way to keep a copy out of an attacker's hands.
After every backup to your USB device, unplug it from your workstation and store it in a safe place. Periodically test that you can actually restore from it: a backup you have never restored is only a hope, not a backup.
This may seem extreme, but the peace of mind is worth the extra effort. Air-gapping is something we encourage and manage for all of Vista's customers. We even take it a step further and put their tape backups in a locked vault with restricted access.
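As an added illustration of the routine above (this is example code written for this page, not a script from Vista or from the original article), the following POSIX shell script copies a source tree to a removable volume, writes a SHA-256 manifest alongside it, verifies the copy against that manifest, and unmounts the volume so the drive can be unplugged. The source and destination paths are assumptions passed on the command line; the `mountpoint`, `sha256sum`, `find -print0` and `sort -z` calls assume a Linux system with util-linux and GNU coreutils. Keeping a manifest is what lets you check an old snapshot later and detect that a drive left plugged in was quietly encrypted.

```shell
#!/bin/sh
# Added example: back up SRC to a removable volume DEST, hash everything,
# verify, then unmount so the drive can be pulled and stored offline.
# Usage: ./usb-backup.sh /home/alice/Documents /media/usb-backup
# (both paths are assumptions; substitute your own)
set -eu

# snapshot_backup SRC DEST -> prints the path of the new snapshot directory
snapshot_backup() {
    src="$1"; dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    snap="$dest/snapshot-$stamp"
    mkdir -p "$snap"
    # tar pipe preserves permissions and timestamps without needing rsync
    (cd "$src" && tar cf - .) | (cd "$snap" && tar xf -)
    # Manifest of every file's SHA-256 with relative paths, sorted so two
    # manifests of the same tree are byte-identical. The redirect creates
    # MANIFEST.sha256 before find runs, so it must be excluded explicitly.
    (cd "$snap" && find . -type f ! -name MANIFEST.sha256 -print0 \
        | sort -z | xargs -0 sha256sum) > "$snap/MANIFEST.sha256"
    printf '%s\n' "$snap"
}

# verify_snapshot SNAP -> exit 0 only if every file still matches the manifest.
# Run this before trusting a restore; a tampered or encrypted file fails here.
verify_snapshot() {
    (cd "$1" && sha256sum --quiet -c MANIFEST.sha256)
}

# eject_volume DEST -> flush and unmount if DEST is a real mount point, so the
# drive is safe to unplug. A plain directory (e.g. a test run) is left alone.
eject_volume() {
    if mountpoint -q "$1" 2>/dev/null; then
        sync
        umount "$1"
        echo "Unmounted $1; unplug the drive and store it offline."
    else
        echo "$1 is not a mount point; nothing to unmount."
    fi
}

# Run the full routine only when invoked with SRC and DEST arguments.
if [ "$#" -eq 2 ]; then
    snap=$(snapshot_backup "$1" "$2")
    verify_snapshot "$snap"
    echo "Snapshot $snap written and verified."
    eject_volume "$2"
fi
```

Run `verify_snapshot` against the oldest snapshot on the drive every so often; that is the restore test in miniature, and it is the step that tells you whether the copy you are relying on is still the copy you made.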
The days when only large, data-heavy organizations were targets are long gone. Any device connected to the internet is a target, even one with little or no data on it. Stay safe online: turn on multi-factor authentication for every remote-access account (the Colonial intrusion started with a VPN account that had none), use a VPN when accessing anything you deem sensitive, and always back up your devices both online and offline.
Further Reading
If you want a fuller explanation and a best-practice approach to responding to ransomware, read CISA's (Cybersecurity and Infrastructure Security Agency) guidance for organizations that have already been hit, which CISA keeps up to date as its handling of these incidents improves:
https://www.cisa.gov/stopransomware/ive-been-hit-ransomware