I think a big problem may be that the ransom is actually very cost effective and probably the lowest line item cost in many of these situations where large revenue streams are interrupted and time=money (and maybe also health or life).
The original thought that it should be handled like standard DR and tighten up security may apply to very small businesses though where they could afford to try to ignore the ransom request and rebuild more securely hoping the criminals will move on and not come back for revenge. > On Jun 24, 2021, at 3:08 PM, Shane Ronan <sh...@ronan-online.com> wrote: > > A lot of the payments for Ransomware come from Insurance Companies under > "Business Interruption Insurance". It in fact may be more cost effective to > pay the ransom, than to pay for continued business interruption. > > Of course along with paying the ransom, a full forensic audit of the > systems/network is conducted. The vector for many of these attacks is via a > worm triggered by someone opening an attachment on an email or downloading > compromised software from the Internet. Short of not allowing email > attachments or blocking Internet access, the best method is to properly train > users to not click on attachments or visit "untrusted" sites, but nothing is > perfect. > > Shane > > > > > On Thu, Jun 24, 2021 at 6:01 PM Michael Thomas <m...@mtcc.com > <mailto:m...@mtcc.com>> wrote: > > > On 6/24/21 2:55 PM, JoeSox wrote: >> >> It gets tricky when 'your' company will lose money $$$ while you wait a >> month to restore from your cloud backups. >> So Executives roll the dice to see if service can be restored quickly as >> possible keeping shareholders and customers happy as possible. >> > But if you pay without finding how they got in, they could turn around and do > it again, or sell it on the dark web, right? > > Mike > > >> >> On Thu, Jun 24, 2021 at 2:44 PM Michael Thomas <m...@mtcc.com >> <mailto:m...@mtcc.com>> wrote: >> >> Not exactly network but maybe, but certainly operational. Shouldn't this >> just be handled like disaster recovery? I haven't looked into this much, >> but it sounds like the only way to stop it is to stop paying the crooks. >> There is also the obvious problem that if they got in, something (or >> someone) is compromised that needs to be cleaned which sounds sort of >> like DR again to me. >> >> Mike >>
