A few days ago, Trend Micro released a report on the threat of ransomware for the first half of 2016. Among other things, they discovered that ransomware attacks cost enterprises more than $200 million in the first three months alone. They also discovered that new families of ransomware were being introduced more frequently than ever before.
In other words, there are more and more types of ransomware being released, making it more difficult than ever to protect oneself from this type of cyber security threat. All in all, it can be said with some certainty that 2016 will be remembered as the year of ransomware.
As far as e-commerce websites are concerned, this year has seen the emergence of a particular piece of ransomware that targets Magento websites, called KimcilWare.
In order to be able to address the question of whether to pay up or not when “catching” ransomware, it is important to point out a few facts about this kind of malware.
Ransomware does not necessarily have to be an advanced piece of code and in fact, in most cases it is not. It uses the usual vectors of attack (spam mail, social engineering) and the thing that separates it from other types of malware is its “financial” aspect.
Namely, ransomware is basically a way of extorting money from people. When ransomware is executed, it encrypts all or part of a system, locking the victim out and making it impossible for them to do anything on their system. For a certain price, the attacker provides the decryption key to the victim, who then regains access to their system.
While 2016 has definitely been the worst year ever in terms of ransomware proliferation, this type of malware has been on the rise for a few years now. One of the reasons for its popularity has been the cryptocurrency payment methods that allow for anonymous receipt of ransom payments. This has made it feasible for attackers to ask for relatively small amounts of money which the victims will be prepared to pay, since it has reduced the amount of risk the attackers take.
As some people have pointed out, ransomware became popular because the attacks and the payouts can be organized like a business. It has become a viable business model which can be put to action relatively easily, wreaking havoc worldwide.
The most obvious consequence of becoming a ransomware victim is the money you are asked for in order to regain access to your system. Depending on whether you are an individual, an organization of some kind, or an e-commerce store owner, you will be asked for different amounts of money.
However, the direst consequence for every commercial entity, e-commerce stores included, is the downtime. Namely, a ransomware attack can put an e-commerce store out of commission for any number of days. In the best of cases, this will be a few days and in the worst, it can be weeks. Since it is a well-known fact that downtime can spell death for an e-commerce business, it becomes obvious how big of a problem this can be.
To Pay or not to Pay?
There are two schools of thought when it comes to the most important question surrounding ransomware – whether to pay or not. The interesting thing is that convincing arguments are made by both sides.
For example, it is easy to justify paying if your e-commerce store’s system was affected by ransomware. You cannot afford to suffer any significant downtime, as it can lead to an insurmountable drop in sales and profits. You have your employees to think of, as well as your own livelihood. When you do the money math, paying a few hundred or even thousands for access to your system is an expense that pales in comparison to what your e-commerce store would lose if you had to be offline for a few days.
On the other hand, by paying up, you are only perpetuating an ecosystem where ransomware is basically being used as a racket. This is the main reason why organizations like the FBI or Europol are saying you shouldn’t pay up. Also, paying up does not necessarily mean you will get access to your system. As InterMedia’s report shows, almost 20% of the ransomware victims who pay the ransom never receive a decryption key.
While at times it can seem depressing, the good news is that there are a few things e-commerce store owners can do to protect their business from being affected by ransomware. For one, there are the more commonly recommended cyber security methods like proper employee education, smart practices and employing updated antimalware software.
More importantly, regular, everyday backups are the best way to prevent ransomware from becoming a bankruptcy-level event. Namely, with regular backups, a system can be restored without skipping a beat, ransomware-free.
In the end, the decision on whether to pay up or not will have to be made by the e-commerce owner who will have to factor in a number of variables. For the most part, it will come down to numbers, i.e. whether it is a smart idea to fork over the money for the decryption key or not.
It is sad that it has come to this, but this is our reality at the moment.