A company based in Norwalk, Connecticut is helping small businesses deal with ransomware attacks by negotiating with cybercriminals to reduce ransom amounts and paying them in bitcoin, a Forbes report from September 17, 2018, showed.
When “Never Pay” Is not an Option
While ransomware attacks have become a new normal to many big companies dealing with a lot of private client information, the past year has seen an increasing number of small businesses falling victims to cybercriminals stealing their data.
Many security experts advise victims of these attacks not to negotiate with hackers and avoid paying the requested ransom at all costs. However, when it comes to small companies, following this rule is not always possible.
According to Bill Siegel, CEO, and co-founder at Coveware, a company that helps small firms deal with ransomware, the “never pay” mantra is simply not attuned to the reality of the choices businesses have when they are hit.
In an interview with Forbes, Siegel said that ransomware attacks can have massive implications, sometimes even forcing firms to lay off employees or close down.
— Coveware (@coveware) September 17, 2018
In his mind, this presents a far worse outcome than paying a fee that the attackers requested. He also pointed out that the “never pay” rule disappears when firms have no other options for data recovery. Siegel explained that their strategy works in practice and that Coveware has had a 100 percent success rate receiving decryptor tools from attackers.
During the first few weeks of September, Coveware helped a Texas-based wrecking company whose servers and files had become encrypted. Siegel said that they were able to negotiate the ransom amount down by 80 percent in just 36 hours, after which they helped the company facilitate a secure Bitcoin payment.
Paying the Ransom Is Only Half the Battle
However, Siegel pointed out that the full data recovery rate after the decryptor is fully exhausted is about 90 percent.
This is because encrypted files don’t automatically decrypt themselves once the ransom is paid – specific and sophisticated tools are required to restore the stolen data. Siegel admitted that that decryptor tools are “extremely flukey and difficult to work.”
Coveware reportedly uses tear sheets documenting the nuances of how decryptor tools operate, which configurations or file types they trip on, and how to use them as efficiently as possible.
However, Siegel said that the most common practice is to go back to the attackers and ask about the type of encryption they’ve used. He explained:
“For the most part, the attackers do their best to be helpful, which creates an odd dynamic, to say the least. But at the end of the day, the criminals are running a business, and they know that if their decryption does not work, word will get out quickly.”
To acquire “hard, real-time case data,” which he believes there’s a lack of, Siegel’s company offers small businesses help for free.
By managing the incidents, Coveware aggregates hundreds of data points that help it to craft analytics, alerts, and shareable information that its clients, security manufacturers, and law enforcement use to stop incidents from occurring.