To Pay or Not to Pay: That is the Ransomware Question

Published by Axio

Cybercriminals are making serious bank in 2021. Some recent ransomware payments include:

  • $40M: CNA Financial Corp
  • $5M:   Colonial Pipeline Company
  • $11M:  JBS Foods

And these are just a few of the paying victims we know about.

According to the National Security Institute, the average ransom fee requested has increased from $5,000 in 2018 to around $200,000 in 2020.

Ransomware is not going away any time soon, it’s just too profitable for the cybercriminals. These days, technical knowledge isn’t necessary. With plenty of affiliate programs offering kits to deploy, shady blockchain exchanges willing to anonymously convert cryptocurrency into cold hard cash for a small fee, often times all it takes is being a good social engineer.

All trends point to ransomware becoming an even sharper attack vector in the second half of this year. The highly publicized attacks of 2021 have emphasized what we’ve spoken about out for over a decade: it’s all about understanding the financial impact of an event, all the consequences if the scenario is realized such as disrupting necessary products and services for society to function in harmony.

The Biden administration has formed a ransomware task force to find more meaningful solutions to this unfortunate digital scourge of our time.

One may argue that publicity of ransomware is due not only because of the physical impact of the events but also the payment element. The knowledge that the bad guys are profiting without any justice has not just raised eyebrows but temperaments.

Is paying a ransom really necessary? We break down some important considerations:

Ethical Considerations: A Second Payment

There are a number of ethical problems that have to be thought about prior to making a decision on whether to pay the ransom or not. The initial reaction may be that paying the ransom will resume business operations as quickly as possible. While this may be true in some circumstances, it also may cause the attackers to demand a second payment after seeing how easily the first came. Paying the ransom immediately also incentivizes further attacks on both you and other companies, raising further questions of morality.

Some 80% of businesses that choose to pay to regain access to their encrypted systems experience a subsequent ransomware attack, amongst which 46% believe it to be caused by the same attackers, According to ZDNet.

Data Exfiltration Considerations: How Secret and Sensitive?

Moving on from the ethicality of different responses to more technical considerations, there are questions about the data exfiltration that must be answered prior to making a decision on payment. First and foremost, it is vital to always remember that you are dealing with criminals, and that, while unlikely, it’s entirely possible the data will not be returned. Beyond that risk, even if the data is returned, it still doesn’t absolve the victim of data breach notification obligations. The only scenario that may be worth the immediate risk of payment is if high value data is extracted, like trade secrets or future strategic company plans. Recovering that information prior to the hackers leaking it is likely worth the ransom payment.

Data Encryption Considerations: Cost and Time

An alternative form of ransomware attacks are data encryption attacks, as opposed to data exfiltration. Instead of stealing the data, hackers just lock you out of it. If you have viable backups, it makes payment non-mandatory. If not, payment may be required. An important factor to consider is the cost of the ransom versus the cost of a full data rebuild. It’s also important to recognize that decryption will not be instant, and may not provide 100% restoration, so business operations will face a delay no matter the decision.

Acceptance of Risks: The Reality

Above all else, companies that have been the target of ransomware attacks and have made the subsequent decision to negotiate the payment must accept the risks involved. Below is an infographic describing these risks.

Victims cannot forget that the other party in the negotiation is a criminal organization and will attempt to take advantage of you wherever possible. There is no legislature guiding negotiations, and victims are forced to hope that the criminals are acting in good faith surrounding payment. There are future repercussions as well. Paying a ransom immediately marks you as an organization willing to pay a ransom, thereby making you a target for future attacks. Additionally, there is the previously mentioned ethical issue of funding and rewarding criminal activity that needs to be recognized. Finally, there are legal risks to paying a ransom that the government may enforce. If you’re found to have paid an OPAC-sanctioned actor, you may be responsible for fines up to two times the ransom amount.

What Can You Do to Prevent This?

Millions upon millions of other dollars have left corporate coffers quietly and unpublicized. Often times, only a few designated professionals are in the know: the executive team/board, the insurer, the ransom negotiator, and last but certainly not least: our friends in information security who are often wrongfully blamed for not doing their job well enough.

Let’s stop for one second and make it clear: cybersecurity is not a technical problem that relies on technical solutions. If cybersecurity was about building the biggest and baddest fort, with all the latest shiny weapons—we’d have beaten the enemy long ago.

Cybersecurity is a business problem. It’s about aligning dollars and people together to make the right choices. You need to understand your business objectives and clearly align them to the risks that can impact your future. Cybersecurity is crying for a risk-based approach in 2021.

The prospect of a ransomware attack can and should scare most board members and executives. A well-executed attack on an unprepared company can cause massive operational disruption and force a payment to a criminal organization. When understanding if a payment should be made or not, internally debating and discussing the aforementioned considerations is crucial. It’s best to come armed with the actual costs of an event and build a plan to reduce your loss.

Interested in building a Ransomware Action Plan? We can help:

Learn more about our Ransomware Preparedness Assessment.