Attivo Networks Blogs

The Ransomware Dilemma: Pay Now or Pay Later

According to a new study by Trend Micro, there is a reason ransomware continues to dominate the security news cycle. The study found that new ransomware families increased a whopping 752% in 2016. The report adds that the availability of open source ransomware and ransomware as a service (RaaS) will continue to make it easier for cybercriminals to run turnkey ransomware attacks. While it may be a challenge to find the money for ransomware prevention, the old adage “you can pay me now or pay me later” certainly comes to mind here. If you can’t find the budget to protect against ransomware, you may ultimately still find yourself paying in the long run. The findings shared here, can be useful as supporting budget justification.

The latest discovery by researchers from Palo Alto Networks earlier this month was a new ransomware family dubbed RanRan. Before starting the encryption process, RanRan will shut down a series of processes, mostly in parts belonging to database servers. It will also monitor these processes at regular intervals and prevent them from starting up again. Similarly, removing RanRan to disinfect the system is difficult, as it continually monitors for windows with titles that contain “task manager” and closes them, which makes killing the payload’s process difficult. According to the researchers who found the new family, RanRan represents an interesting shift in tactics by ransomware. Instead of being purely financially motivated, this specific family takes a hacktivist approach by attempting to force a Middle Eastern government organization to make a negative public statement against their leader. As part of your risk assessment, have you identified what an attacker would target and how valuable this information is to you? In this case, the attack was not founded on financial gain, but instead on reputation. Would thinking about reputation create a different value on protecting your data? Keeping in mind that even a perfect backup of data would not have defused this attack.

Healthcare, of course, became the poster child for ransomware after the attack at the Hollywood Presbyterian Medical Center in Southern California last February. In that incident, a hacker successfully held the hospital’s computer system hostage in exchange for $17,000. But the loss of productivity and, undoubtedly, reputation were even more severe. It certainly got the attention of the government.

Last Wednesday at a Boston cybersecurity conference, FBI Director James Comey said, “Healthcare enterprises face all the same challenges that the rest of us do, but a recent plague is one for them to focus on, and that is the ransomware plague”. He added that attackers now see the healthcare sector as a “piggy bank”. This aligns with the July 2016 report shared by Becker’s Hospital Review that nearly 88% of ransomware attacks were on hospitals.

Interestingly, according to a report released this year by the CyberEdge Group, attackers are looking at more industries than just healthcare as a “piggy bank”. The research and marketing firm serves the cybersecurity industry’s top vendors, and its fourth annual Cyberthreat Defense Report, includes findings from 1,100 IT security decision makers and practitioners from 15 countries, six continents, and 19 industries. According to the report, a nearly unbelievable 61 percent of responding organizations were compromised by ransomware in 2016. Worse, the firm reported that one-third of all victims surveyed felt they had no alternative other than paying the ransom associated with an attack.

Mike Rothman, president of security analyst firm Securosis, says these findings are consistent with what that firm is seeing in the industry. He says, “There are more attacks, more sophisticated malware, and more complexity ahead”. On the positive front, he notes, budgets continue to increase and security initiatives are very high profile, consistently getting boardroom visibility. “So, all in all, it’s the best of times and the worst of times for security folks” he adds.

At the ISMG Fraud and Security Summit on March 29th, the conference deeply covered the risk of ransomware and that ransomware-as-a-service was growing rapidly given the ease of access to ransomware ready-made kits.

It is an ongoing challenge to balance the budget to maintain existing infrastructure and invest in new defenses to protect against the unknown attacker and risk of being the next target of an attack.

Multilayered security solutions that cover gateways, endpoints, networks, and servers can help prevent ransomware infections, however even the best security infrastructure has gaps. Attackers methods are also changing. With the ease to enter a network via phishing, persistence is no longer as important. As such, the complexity in preventing entry and quickly detecting an attacker once they are on the inside increases.

The changing landscape of resources, motivation, and marketplaces for easy financial transactions should cause any company to pause and consider investing in new technology solutions that are designed to detect and stop this class of attack. Ones that even the most sophisticated attacker can’t anticipate, bypass, or evade. Notably, there were 16 network security technologies in the Cyberthreat Defense Report that were identified as options for building a stronger defense. From the survey results, the one most sought after this year, by 41% of the respondents, is network deception technology.

There is no question that prioritizing the list of what to spend based on the myriad of choices any CISO faces can be extremely difficult. However, based on the overwhelming evidence that a ransomware attacker is highly likely to pay you a visit, you might want to take a look at detection technology as a way to prepare for and defeat the attacker. Holding data hostage is on the rise, but so is adoption of one of its best deterrents, deception technology. The risk is real, so how much risk is your organization prepared to take? To reduce the risk, companies are paying a little now to know that they have traps that will not only detect an attacker, but also consume their attack effort by feeding it endless deception data, giving the needed insight and time to shut down the attack. Proactive investment will provide predictability. A reactive payment is a gamble and may ultimately come with a much higher payment price.

For more information on deception technology click here.

Share on:

Free Active Directory Assessment

Get Visibility Into Privilege And Service Account Exposure

For a limited time, Attivo Networks is providing free Active Directory Security Assessments to demonstrate how ADAssessor provides unprecedented and continuous visibility to AD vulnerabilities.

Try Our Endpoint Detection Net (EDN) for Free


Free use offer of our Award-winning security solution to prevent attackers from lateral movement, credential theft, and privilege escalation, fast and easy.

Newsletter Signup

    Yes, please opt me in to receive your quarterly newsletter, event invitations, and product updates.

    I understand that I can opt out at any time, and can refer to Attivo Networks Privacy Policy for more information.
  • This field is for validation purposes and should be left unchanged.

ADSecure 90-Day Free Trial


  • Hide and deny access to AD objects
  • Get alerted on unauthorized queries
  • Attack details easily viewable in dashboard
  • Your data remains on-premise


Leave a Comment

Your email address will not be published.

three × one =

Ready to find out what’s lurking in your network?

Scroll to Top