So let's imagine a company like Garmin experiences a ransomware attack. Their business is paralyzed. What would stop them from paying the ransom and what could possibly be an alternative to that?
They can bring their systems back up and operational for less cost (both immediate, but also payroll during the fix, lost revenue from both downtime and reputationally after they're back, and opportunity cost off the top of my head).
Your only two options are to rebuild on your own at significant cost or pay the ransom. There were long, heated discussions about what to do, and several people suggested paying the ransom but we ultimately decided not to and it ended up costing more than the ransom if you factor in payroll and lost revenue.
I still think out of principle you shouldn't pay the ransom, ever. Assume whatever the ransom would cost is already gone; if you can rebuild for less than that (you probably can't) it's a win.
But even when paying the ransom, you still need to roll back a portion of your environment after you've assessed the intrusion. Can you really trust you've patched everything and removed all trace of persistence that was put by the attacker as a contingency to get back in the system?
That's the job of an external cyber incident response team who can trace how it occurred and check that the vulnerability has been appropriately eradicated and locked before resuming business operations.
> I still think out of principle you shouldn't pay the ransom, ever
There may have been a time when a company would act on principle, but I think it's very rare today. You hardly even expect people to do that. It's the world we have made.
All human activities, including things like principles, charity, sacrifice, and duty, are ultimately self-serving attempts by the biological DNA and cultural memes that constitute us to replicate and improve its standing.
Nothing, so far. The alternatives to that would be to legislate penalties for paying, to mandate certain precautions like regular offline backups (which could usually be done through regulation), to forbid the government from doing business with entities that have paid in the past X time (procurement regulations are somewhat flexible) and/or to task some government agency with aiding private sector entities in recovery if they don't pay (which has varying difficulty depending on the jurisdiction).
Obviously none of these make it impossible, but the goal needs to be to tip the value proposition the other way.
There are a handful of problems with this approach, which is part of why these types of insurance policies are incredibly expensive. The entire MO of these operations is to infect a company's systems, and wait until most or all of the backups are affected before locking the system down. They will wait months or, for bigger targets, years.
That doesn't help. The system is already infected when the backups are taken, therefore the backups are infected. That's why these criminal organizations wait months until actually locking your system down, so that your oldest backups are deleted by retention policy. If they have access to your system and can figure out what your backup retention policy is, they'll set it to go off at the point when all your backups are infected.
For a concrete example, someone could infect an image storing service with code that encrypts (and silently decrypts) the data when it's stored / retrieved. When the hacker removes the decryption key from the running service, the backups will also be inaccessible because they are also encrypted.
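To make the retention-window point and the "backups restore to garbage" point concrete, here is a small added example of my own (not code from anyone in this thread). It assumes a daily backup, a keep-the-last-N-days retention policy, and a canary file whose known-good hash was recorded out-of-band when the canary was created. The compromised storage layer is only simulated: from the compromise day on, the canary comes back from backup as opaque bytes, standing in for data written through a tampered encrypt-on-write layer. All history below is constructed.

```python
"""Added example (not from the thread): restore-test backups against an
out-of-band canary hash, and work out when a keep-last-N retention policy
deletes the last clean backup after a compromise. All data is constructed."""
import hashlib
from dataclasses import dataclass
from typing import List, Optional

CANARY_PLAINTEXT = b"canary-file-v1: backups must restore this exactly\n"
# Recorded out-of-band (printed and filed, or on write-once media) when the
# canary was created; it is never read back from the production system.
CANARY_KNOWN_GOOD_SHA256 = hashlib.sha256(CANARY_PLAINTEXT).hexdigest()


@dataclass(frozen=True)
class Backup:
    day: int        # day the backup was taken
    canary: bytes   # canary file contents as restored from this backup


def simulate_backups(compromise_day: int, last_day: int, retention_days: int) -> List[Backup]:
    """Constructed history: one backup per day up to last_day.  From
    compromise_day on the storage layer hands out opaque bytes instead of the
    plaintext (simulating a tampered transparent-encryption layer).  Only the
    most recent retention_days backups survive the retention policy."""
    history = []
    for day in range(1, last_day + 1):
        if day < compromise_day:
            content = CANARY_PLAINTEXT
        else:
            # Unreadable stand-in for ciphertext; deliberately not real encryption.
            content = hashlib.sha256(f"opaque-{day}".encode()).digest()
        history.append(Backup(day, content))
    return [b for b in history if b.day > last_day - retention_days]


def restore_test(backup: Backup) -> bool:
    """A restore test passes only if the canary restores to the known-good hash.
    Comparing against the out-of-band hash, not the running service, is what
    catches backups that were encrypted in place."""
    return hashlib.sha256(backup.canary).hexdigest() == CANARY_KNOWN_GOOD_SHA256


def newest_clean_backup(backups: List[Backup]) -> Optional[Backup]:
    """Most recent backup that still restores correctly, or None if retention
    has already deleted every clean one."""
    clean = [b for b in backups if restore_test(b)]
    return max(clean, key=lambda b: b.day) if clean else None


def first_failing_restore_test(backups: List[Backup]) -> Optional[int]:
    """Day a routine daily restore test would first have flagged the problem."""
    failing = [b.day for b in backups if not restore_test(b)]
    return min(failing) if failing else None


def last_clean_backup_expires(compromise_day: int, retention_days: int) -> int:
    """Day on which keep-last-N retention deletes the last clean backup
    (the one taken the day before the compromise)."""
    return compromise_day - 1 + retention_days


if __name__ == "__main__":
    # Compromise on day 10, 30-day retention: the attacker only has to wait
    # until day 39 before no clean backup exists, yet a daily restore test
    # would have failed on day 10.
    kept = simulate_backups(compromise_day=10, last_day=39, retention_days=30)
    print("clean backup left on day 39:", newest_clean_backup(kept))
    print("last clean backup expires on day:", last_clean_backup_expires(10, 30))
    print("first failing restore test on day:",
          first_failing_restore_test(simulate_backups(10, 30, 30)))
```

The useful number is the gap between `first_failing_restore_test` and `last_clean_backup_expires`: that is the window in which a routine restore test (against a hash the production system cannot rewrite) would have caught the problem while a clean backup still existed.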
Are user accounts data or systems? Compromise of AD is a very common means. This said, this can still be fixed before putting it back where it could reach the internet and cause trouble.
No reason such an insurance company couldn't be run in the early/mid 20th century manner, entirely with paper records. Send carbon copies of all documents to two remote locations to eliminate the threat of a fire wiping out the records.
This is easy. It requires you to hire a lot of human clerks, but since the customers are large businesses that means there aren't a whole lot of customers in the first place. And if you can't get enough typewriters, there's no reason the clerk work couldn't be done on computers connected to printers, with all document storage still being done on paper. If the computers get pwned, throw them out and buy new ones; it doesn't matter because the documents weren't being stored on those computers.
The dumbest take of companies was assuming insurance companies would keep paying their ransom because they were thinking fixing their networks was less important.