"Your best bet is to look small, and poor."

This is the advice of Ed Skoudis, Faculty Fellow and Penetration Testing Curriculum Lead at SANS Institute, should your organisation become the victim of a crypto-ransomware attack.

If you call to say you're a Fortune 500 company and ask to please decrypt your files, expect to be paying through the nose, he said, speaking on the panel 'The Seven Deadly Attacks' at RSA Conference 2017.

Cybercriminals, Skoudis explained, are savvy enough to know some money is better than no money, so you should look like a small individual who will have trouble scraping together a couple of bitcoins to pay the ransom.

Ultimately, though, the decision to pay or not is a business one: be prepared to separate your principles from business reality if the cost of paying the ransom is cheaper than the operational loss you're suffering.

Skoudis also advised including a ransomware attack in your cybersecurity preparations, especially "deciding who gets to decide" well in advance. If your company is hit by an attack, who will be responsible for the decision to pay or not to pay the ransom?

Crypto-ransomware, also known as cryptoware, is growing rapidly, Skoudis observed, because cybercriminals don't need a command-and-control system for it (as they do with botnets, for example), data doesn't have to be exfiltrated (as with data theft through malware), and the victims contact you to give you money. From a cybercriminal perspective, it's a no-brainer.

The prevalence and vulnerability of IoT devices were also a focus, especially the potential for cryptoware to spread through them: instead of just files being held hostage, very soon we could see the infrastructure of a business held hostage too.

"What would you pay to turn your lights back on? What would you pay to turn your heat back on?" Skoudis asked.

Combine this with IIoT (Industrial Internet of Things) and industrial control systems – "what could possibly go wrong?" Skoudis observed dryly – and the question becomes: 'What would you pay to turn your factory back on?'

The problem, of course, is exacerbated by the notoriously poor security of the majority of IoT devices today. Changing default passwords, disabling Telnet and HTTP, and shutting off remote access unless it is absolutely essential are all common-sense safeguards for IoT in your business. The panel also raised the importance of extending penetration testing to your IoT devices, not just workstations and servers.

Further, if an IoT device is recalled, make sure you return it: aside from the security implications, Skoudis noted the market pressure this would put on IoT vendors, which in turn would encourage better security design from the outset for future devices.

When asked where ransomware threats are heading, Skoudis, along with fellow panellists Michael Assante, Director of Industrials and Infrastructure and Lead for the ICS Curriculum at SANS Institute, and Johannes Ullrich, Dean of Research, SANS Technology Institute, singled out small to mid-sized banks because "that's where the money is", but also realtors, because they deal with a lot of money and "don't necessarily have IT infrastructure support".

Key takeaways for taking action on ransomware:

  • System and network hygiene – Brush up on the Center for Internet Security's Critical Security Controls.
  • Watch network shares – Shares from individual desktops and laptops to other desktops and laptops are asking for trouble. Only create network shares on your file servers when there is a defined business need, and limit permissions so that an infected workstation has a limited impact on them.
  • Decide who decides – Who is it that is going to decide whether you pay or not?
  • Separate principles from business reality – Your business principles may have to give way to business reality if the downtime of your business is more costly than the ransom.
  • Play it small – Realise you are in a negotiation with the bad guys, who understand that some money is better than no money, so be the company that's struggling to pay the bills.
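The share-hygiene advice above can be checked rather than just stated. The following PowerShell audit is an added example, not part of the original article or the panel's material: it lists the hand-created SMB shares on a Windows host, flags any that are writable by broad principals such as Everyone or Domain Users (the shares a ransomware process running as an infected user could encrypt over the network), and warns when a client OS is hosting shares at all. It uses only the built-in SmbShare module (Windows 8 / Server 2012 and later) and CIM; the share and group names in the commented remediation at the end are hypothetical.

```powershell
# Added example (not from the article): audit SMB shares on a Windows host for
# ransomware blast radius. Run in an elevated PowerShell session.

Import-Module SmbShare

# Principals that make a share effectively writable by any infected user.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'Domain Users')

function Get-UserCreatedShares {
    # Administrative shares (C$, ADMIN$, IPC$) are marked Special; skip them
    # and look only at shares someone created by hand.
    Get-SmbShare | Where-Object { -not $_.Special }
}

function Get-RiskySmbShares {
    foreach ($share in Get-UserCreatedShares) {
        foreach ($ace in (Get-SmbShareAccess -Name $share.Name)) {
            # Ransomware runs as the infected user, so only *write* access
            # (Full or Change) matters; Read-only shares cannot be encrypted.
            $writable = $ace.AccessControlType -eq 'Allow' -and
                        $ace.AccessRight -in @('Full', 'Change')
            $broad = $BroadPrincipals | Where-Object { $ace.AccountName -like "*$_" }
            if ($writable -and $broad) {
                [pscustomobject]@{
                    Share     = $share.Name
                    Path      = $share.Path
                    Principal = $ace.AccountName
                    Right     = $ace.AccessRight
                }
            }
        }
    }
}

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = server.
$os = Get-CimInstance -ClassName Win32_OperatingSystem
if ($os.ProductType -eq 1 -and (Get-UserCreatedShares)) {
    Write-Warning 'This is a client OS and it is hosting user-created shares (desktop-to-desktop sharing).'
}

# Report shares that a single infected workstation could encrypt.
Get-RiskySmbShares | Format-Table -AutoSize

# Remediation on a file server (hypothetical share and group names): replace a
# world-writable share with one where only the team that must write gets Change,
# admins get Full, and everyone else who needs the data gets Read.
# Remove-SmbShare -Name 'Finance' -Force
# New-SmbShare -Name 'Finance' -Path 'D:\Finance' `
#     -FullAccess   'CORP\Finance-Admins' `
#     -ChangeAccess 'CORP\Finance-Staff' `
#     -ReadAccess   'CORP\Audit'
```

Share-level permissions are only half the picture: effective access is the more restrictive of the share ACL and the NTFS ACL on the underlying folder, so a share this script flags may still be safe if NTFS denies write, and a share it passes can still be exposed if NTFS grants Everyone Modify. Check both. The reason to separate Change from Read is that ransomware can only encrypt what the infected account can write; users who only consume a share should never hold Change on it.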

ACS President Anthony Wong and ACS CEO Andrew Johnson attended RSA Conference 2017 in San Francisco as part of Australia's Austrade Cybersecurity delegation.