OK, I have, elsewhere, expressed my opinion that paying the ransom for ransomware is a bad idea. First off, you are funding crime. Secondly, you are encouraging crime. (If nobody paid the ransoms, they'd stop doing ransomware, wouldn't they?)
Then there are the various reasons why paying the ransomware isn't a good idea in simply practical terms. Some of the ransomware was never intended to allow you to recover. Some is badly coded, and doesn't work when decrypting. Some of the ransomware families are simply based on symmetric encryption, and one key decrypts all. (You can find lists of those, and the ways to recover, at various places on the net.) Some of the ransomware groups are just disorganized, and lose their keys.
(Then there are those who confuse ransomware with breachstortion, and are talking about people who actually do steal your data, and then threaten to publish it unless you pay up. Most of the same reasons why paying ransom to them is a bad idea hold, with the addition of the fact that, if you pay the ransom, you are relying on the promises and integrity of a bunch of thieves, liars, and extortionists.)
(Oh, and that argument about the "business model" of ransomware and breachstortion being based on them doing what they promise? That business model only works if you are talking about return or repeat business. Are you telling me that you are going to go through ransom or extortion with the same group all over again? How stupid are you?)
Now some research from Sophos backs that up. If you pay, you've got a less than 10% chance of getting all your data back.
But the trick is to keep the ransomware out, which in the case of the incident concerned meant changing the received wisdom. No you can't rely on your AV product to keep it out. You can't rely on your web filtering either, as it's often simply not smart enough. We had to move to weekly patch cycles, as attackers were reverse engineering the patches released by vendors to craft exploits, so actually targeting organisations with a longer patch delay time. So if you go back to your old NIST SP800-40 there's a reason they cite patch delay time as a key metric to capture!
@Steve-WilmeThen what about ensuring your vulnerability management system is directly aligned with what is really going on in the world, and ensuring your patch management regime is prioritised in terms of urgency or criticality?
But the trick is to keep the ransomware out, .... We had to move to weekly patch cycles
Without question, prompt preventative maintenance is important, but it is also important to realize that patching will not protect you from a Zero-day (been there; had to recover a company from one).
One really wants a multi-layered defense strategy that includes both preventative and recovery measures.
@denbesten It would also be a good idea to replace human beings (radical approach) with Robotic Process Automation (RPA) especially in repetitive roles, especially those who do not think or are multi-tasking - talking to their mates on mobile phones etc etc or distracted.
However, a good endpoint prevention regime is also required, with automatic policies to reduce the likelihood of a zero day occurring especially with Augmented Intelligence (AI) to reduce the impact and therefore the resultant cost of compromise.
An here is another gloat of Ransomware attacks in Australia:
Look at the impact on people and hospitals.