Stop Paying Ransoms: Implement Data Recovery Strategy

NCCoE Data Integrity Project Seeks Collaborators and Technology Providers

How the Infection Chain Works: Ransomware proliferates through these main attack vectors: Spam/Social engineering; Direct drive-by-download; Drive-by-download through malvertising; Malware installation tools and botnets
Graphic Source: How the Infection Chain Works from the 2016 Bitdefender Study, "Ransomware: A Victim's Perspective, a study on US and European Internet Users"

Incidents involving ransomware, malicious insider activity, and destructive malware make the news every day. While Hollywood Presbyterian Hospital made news recently for suffering a ransomware attack and eventually paying a ransom of approximately $17,000, they are not alone in being a victim. Other businesses, school systems, and even public institutions, like police, are falling victim as well. The size of the business appears to be irrelevant, as the ransoms are generally small enough to encourage victims to simply pay up.

In a recent Bitdefender study of more than 3,000 users in six countries, the data shows the high rates of infection: 61.8 percent of all malware files distributed by email and targeting Americans contained some form of ransomware threat, with a slightly lower percentages for other countries.  

Criminal enterprises involved in distributing ransomware are making a large profit, with some studies showing profits in the hundreds of millions worldwide. In the Bitdefender study, more than 50 percent of the United States targets paid the ransom, while 40 percent said they would pay if they were hit. However, an effective data recovery strategy and business continuity plan would eliminate the need to pay the ransoms. Some companies may not get useful data back even after paying, not only because they are dealing with criminals, but because the ransomware might be poorly written.

Even if an organization gets its data back, recovery personnel or an incident response team must go through a complete recovery effort—if the ransomware is still on the system, the criminals can come back and demand more money. The only true solution to ensure the integrity of data and systems is to have a trusted source from which to restore it, ensure the restored system is malware-free, and test it often.

Developing a process to detect and recover from a data integrity attack is too significant and costly a challenge for a single company to address in isolation.  Therefore, the NCCoE has begun collaborating with technology partners and business leaders to develop a comprehensive, cross-industry solution.

We are currently seeking collaborators and technology providers to participate on this Data Integrity project. If you represent an organization that would like to get involved, please see our Federal Register Notice to learn more. Interested parties must submit a letter of interest outlining their proposed contribution, and those selected to participate will enter into a cooperative research and development agreement with NIST.

Learn more about the challenge in our final project description, Data Integrity: Recovering from a Destructive Malware Attack.

If you have additional comments, questions, or would like to join the Community of Interest helping to guide this project, please email us at