Ransomware: To Pay or Not to Pay? That Is the Question

It’s a big question for businesses hit by a ransomware attack: should we pay the ransom or not?
 
Ransomware is malware that encrypts files on a device, making them inaccessible and rendering the systems that use them inoperable. Cybercriminals demand a ransom in exchange for decrypting the files.
 
One of the most well-known ransomware attacks happened in May 2017, when WannaCry affected more than 300,000 computers across 150 countries. It targeted computers running the Microsoft Windows operating system and caused damages estimated in the hundreds of millions of dollars. Other widely publicized ransomware attacks have used Ryuk, which mainly targets large businesses and government agencies; Maze, which threatens to publish ransomed data on the internet if the victim fails to pay; and NetWalker, which targets remote workers as well as government agencies and healthcare organizations.
 
What are the leading causes of ransomware infections? Phishing attacks are the most common, followed by a lack of employee cybersecurity training; missing or outdated security tools such as antivirus or firewalls; malicious websites or malvertising; and end-user error (Datto, 2018). Not surprisingly, 80% of this list is caused by human behavior. It is crucial that every organization stay vigilant with its security tools, but more importantly, train employees on how to avoid cybersecurity traps and be secure online.
 
Ransomware can have a disastrous effect on a business and leave it without the data and systems needed to maintain its operations. In recent years, ransomware criminals have added extortion to their demands, threatening to expose sensitive or proprietary data if a victim doesn’t pay the ransom, and publicly naming the company as having been hacked.
 
The dilemma for ransomware victims is weighing the cost of paying the ransom and the financial loss that comes along with it versus managing the lost productivity, extra IT costs, legal fees, network damage and potential reputational loss that not paying the ransom could create.
 
What is the average ransom demanded? In 2020, the average of known ransoms was $178,000 (Coveware, 2020), a figure that includes attacks on large companies, which pushes the average up. The average known ransom for smaller businesses is $5,900 (Datto, 2019). The largest published ransom demand of 2020 (there may be higher ransoms of which we are unaware) was made against a French construction firm and was 10 million euros, or $11.8 million (Cloudwards, 2020).
 
The costs to recover from a ransomware attack are significantly higher than the ransoms demanded. The average recovery cost was $1.45 million for companies that paid their attackers' ransom, while those that didn't pay spent only $730,000 to recover from the attack (Sophos, 2020). Only about 25% of ransomware victims made payments to their attackers (Sophos, 2020).
 
As you can see, ransomware attacks are expensive and they can be devastating. In May 2019, the city of Baltimore’s computer system was infected, and estimates put the recovery cost at over $18 million, although the cybercriminals only demanded $76,000 worth of Bitcoin. In 2018, the city of Atlanta spent over $17 million to recover from an attack that demanded $52,000 in Bitcoin.
 
Paying or not paying the ransom is a decision that each business must make for itself, but the Federal Bureau of Investigation (FBI) does not support paying a ransom because doing so doesn’t guarantee that the ransomed data will be decrypted or that your systems or data will no longer be compromised, and it encourages cybercriminals to target more victims. The Cybersecurity and Infrastructure Security Agency (CISA) and Multi-State Information Sharing and Analysis Center (MS-ISAC) also do not recommend paying ransoms.
 
If your organization is hit with a ransomware attack, CISA recommends immediately: 1) determine which systems were impacted and isolate them; 2) if impacted devices cannot be disconnected from the network, power them down to stop the spread of the infection; 3) triage impacted systems for restoration and recovery. Next, engage internal and external stakeholders to mitigate, respond to, and recover from the incident.
 
To prevent a ransomware attack from putting your organization in the uncomfortable position of deciding whether or not to pay a ransom, MCPc strongly suggests these activities:
 
  • Ensure that all user software is updated and security patches are installed as soon as they are released (this includes operating systems and application software)
  • Back up your data frequently, and keep the backups disconnected from the Internet, as they too can be ransomed
  • Keep your security tools like firewalls, antivirus, antispyware, and remote monitoring up to date with the latest versions
  • Periodically review and update your incident response (IR) plan, and test it against real-world threats
  • Stay current with cybersecurity news and learn lessons from other ransomware events
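The backup and IR-testing bullets above say backups can be ransomed too and should be tested. One concrete test is an integrity check against a hash manifest stored where the backup host cannot write to it. The following is an added example, not MCPc's code or tooling; the backup set, the manifest and the tampering scenario (one file overwritten with random bytes plus a dropped note file) are all constructed inside the script.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's relative path to its SHA-256. Store this manifest
    out of reach of the backup host (read-only or offline) or it is worthless."""
    return {str(p.relative_to(backup_dir)): sha256_of(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare a backup set to its manifest. Returns three lists:
    changed (content differs), missing (in manifest, gone on disk) and
    unexpected (on disk, not in manifest, e.g. renamed files or ransom notes)."""
    current = build_manifest(backup_dir)
    return {
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed scenario: verify a clean backup, then simulate an encryptor
    overwriting one file and dropping a note, and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "ledger.csv").write_text("id,amount\n1,100\n")
        (backup / "notes.txt").write_text("quarterly review\n")
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)
        (backup / "ledger.csv").write_bytes(os.urandom(32))  # simulated encryption
        (backup / "README_DECRYPT.txt").write_text("constructed ransom note\n")
        tampered = verify_backup(backup, manifest)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A clean run reports three empty lists; after the simulated tampering, ledger.csv is reported as changed and README_DECRYPT.txt as unexpected, which is the signal that this backup copy cannot be trusted for restoration.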
 
MCPc is a global data protection company that helps organizations protect themselves against ransomware attacks and provides incident response services to minimize the business disruption a cyber-attack can create. Our goal is to help every client achieve the highest degree of security and the least amount of risk their organization can afford, or what we call SecurityCertainty℠.