Saturday, May 20, 2017

#WannaCry - To Pay or Not to Pay. That is the question...

I'm not always sure that the government offers the best advice… and the press simply repeats it.

Earlier in the week I was interviewed by the local ABC affiliate. The next day, my team pulled together roughly 40 Red Sky Alliance members for a  —largely at my request, to better understand and make sense of all of the noise in the press.

Yesterday I was picking up flowers at a local shop when one of the owners approached. She'd seen me on WMUR and wanted to tell me that she'd also experienced a WannaCry incident. This was the third such mention by someone who'd been infected. None of the three had full backups. All three told me that they hadn't paid because 'they' (meaning the press, largely because of circular reporting) had instructed victims not to pay the ransom. I handed them a business card and told them to call me Monday.

I have a few thoughts. 

1. Don't pay? Be careful. Large companies, and those smaller companies who are prepared for such an event, might be fine not paying the ransom. What does 'prepared' mean? It means that you can completely restore lost data from tested backups. In these cases, none of the three had complete backups. They will soon. Each lost far more revenue than they would have if they'd just paid the ransom.

2. Make your own decisions. The government doesn't run your business. The press only reports what others tell them. Many times those opinions are based on something reported by others —often coming directly from the government. In this case the government urges people not to pay the ransom. The US does not negotiate with . I would urge you to make your own decisions.

3. Who did this? I'm not sure anyone has any real evidence. One report compared WannaCry with Lazarus, but in our work we found only six lines of code in common —largely machine generated and, in our opinion, not a good indicator. We discounted it. We do, however, have theories… we rarely look at attribution at the country level (i.e. Russia, China, N. Korea). I prefer to look for individuals. In this case, I think the story will unfold. My team, and our Red Sky members, are watching to see if this is a test. My bet? There'll be more.

WannaCry encrypted over 200,000 computers. Last heard, the attackers earned slightly over $75,000 US. Not a bad payday if you're sitting in someone's garage punching a keyboard. Not so good if it's a country attempting to steal money (N. Korea?).

The bigger lesson? I have two. First, small business owners listen to the government, but in this case the government (repeated by the press) didn't give adequate guidance to small businesses. In fact, here's what US-CERT offered as guidance:

"Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed."
One (me) might argue that in this case this guidance is only partially true. Let's break this down.

"Paying the ransom does not guarantee that the encrypted files will be released..."

This, to me, demonstrates a lack of basic understanding on the part of US-CERT. Ransomware is a customer service business. A few weeks back, we paid a ransom for a client --roughly $30,000. When we couldn't decrypt servers we contacted their tech support. YES! They have TECH SUPPORT! If someone pays and still can't get their stuff back, victims will stop paying. It's bad for business!

"…it only guarantees that the malicious actors receive the victim's money, and in some cases, their banking information."

I'm sorry. Did I miss something? In which case did WannaCry take someone's banking information? Here's the way you buy a Bitcoin… Go to an exchange, pay the money, take a picture of yourself with a note that clearly states that you want to purchase the Bitcoin (the picture/note combination will be given to PayPal or your credit card company in the event that you try to reverse the purchase). You then get credited with the Bitcoin —in a personal digital wallet. Send the Bitcoin to the bad guy, and you're done. So where does my bank account get stolen?

"In addition, decrypting files does not mean the malware infection itself has been removed."

This is absolutely true. Even if you pay, you'll want to burn that machine to the ground and reload it.

Two of the three pieces of guidance offered by US-CERT were not completely true and were, in fact (again, Stutzman's humble opinion), poorly worded. If US-CERT is going to be cited as the authority (and they SHOULD BE!), they really need to pay attention to their audience. Never, EVER give guidance to one company and expect it'll hold true for another.
I'm certain there are victims out there still reeling from the encryptor. Drop us a note