Security Alert
Ryan Harnedy
Jun 2016

What a $20,000 Ransomware Attack Can Teach You About Backup and Recovery

Photo by Source

Key Details

  • empty
  • empty
  • empty
  • empty
  • empty
  • empty
  • empty
  • empty


Aside from Gilfoyle on Silicon Valley, the biggest Canadian name in tech is unfortunately the University of Calgary, which got hit with ransomware last month and wound up having to pay a ransom of $20,000 Canadian dollars to get their data back.

The high price tag, coupled with the fact that the university decided to pay up, has gotten a lot of people talking. To help make sense of this, we asked our Chief Scientist Ryan Berg to share a few thoughts on what we can learn from the attack and what it tells us about the importance of backup in the fight against ransomware.


Ryan, is it true U of Calgary paid $20K for their data? That’s well above the ~$500 ransoms we typically see.

Unfortunately, it’s the price they had to pay. Most current thinking on ransomware is that when it hits you have three basic options:

  1. Restore from backup.
  2. Pay the ransom.
  3. Nuke the computer, wipe your data, and start over.

In this case, the University of Calgary likely wasn’t running proper backups of their data, and they couldn’t afford to lose every student’s and faculty member’s information, so the only option was to pay the ransom and get the decryption key from the ransomware creators.

So is this a confirmation paying the ransom is a valid option for getting back your data?

You might get it back, but there’s no guarantee. While the FBI has recommended paying in the past, if you get hit with ransomware there’s nothing, other than good customer service, compelling the ransomware creators to give you the decryption key. While a few ransomware families like CryptoWall are pretty good with decrypting your data, others such as CBT-Locker and Reveton have developed a reputation for taking the money and running.

As ransomware becomes more prevalent and larger and larger organizations are targeted, it’s likely that the price of the decryption key will keep going up. There’s really nothing stopping a cyber criminal from demanding millions to give you your data back.

If paying isn’t the answer, but I don’t want to just accept all the data is gone, what should I do?

Well, the first step is trying to limit your chances of getting infected with ransomware in the first place. Invest in a strong, multi-level security strategy that includes behavior-based endpoint protection and work on training your users to help them avoid falling into the ransomware trap.

Next, make sure you have a backup strategy, not just backup. Having backups is not the same as having a strategy and a strategy is what you need to recover if you ever do get hit.

Here are five things you can do to make sure recovering from ransomware with backup is actually a realistic option when you need it:

  • Have an up-to-date inventory of the backup status for all your workstations. That includes your recovery point objective (the timeframe dictating how frequently backups are created).
  • Run tests recovering data from backup in different scenarios. Keep track of how long it takes to restore and the success/failure rates. This is one thing that can’t be ignored, having backups that you don’t know you can actually recover from is no better than not having any backups at all.
  • Practice a 3-2-1 backup strategy that requires you to have three copies of your data in two different locations, one of which is offsite. That will help you ensure your backup isn’t encrypted by a ransomware attack, as well. Offsite doesn’t have to mean in a closet under a mountain in Colorado, but it should be isolated from a network perspective so the corruption of one machine doesn’t automatically lead to all corruption of your backups (backing up to a mounted network share is not offsite)
  • Conduct a risk assessment to identify and assign value to your organization's critical data assets. You need to know what data is important and where it resides. Once your data is encrypted you don’t know what you lost and it’s always better to know where the furniture is before the lights go out.
  • Determine the cost of downtime should critical assets become encrypted/inaccessible. This can often be a major deciding factor for critical systems. If it takes 24 hours to recover and verify your backups and this downtime will cost $50,000 and the ransom is $10,000 the decision may be easier to make, but you won’t know if you don’t know and it takes a real strategy to know at all.

Protecting your organization from ransomware

Learn more about why improving your endpoint security is the #1 way to lower your risk of getting infected by ransomware and other modern cyber attacks. Download our free guide below.

Photo by GotCredit

Ryan Harnedy

Ryan Harnedy

Ryan writes about how to make cybersecurity make sense to end users and keep employees safe from ransomware, malware, and phishing attacks. He enjoys decoding buzzwords and sharing security tips that users might actually follow.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.