Ransomware: To pay or not to pay

Comprehensive security plans and programs must focus on defense, but also on answering these key question: “How will the organization respond to a ransomware attack?”, and “At what point will the option of paying the ransom be on the table?”

What are the key considerations that must be made to reach an answer?

Paying the ransom – key considerations

1. Paying funds cybercrime activity

The more ransoms organizations pay, the more profitable ransomware attacks are to cybercriminals. Furthermore, when organizations pay the ransom, this information can be made public and damage customer confidence (since the business is seen to be funding cybercrime). For this reason, paying is always inadvisable – if sometimes unavoidable.

2. If you pay once, you’ll most likely get hit again

When an organization pays a ransom, the news circulates among cybercrime gangs and it makes it more likely that the business will get hit again. If a business does decide to pay a ransom, it should be prepared for more attacks in the future.

3. Sometimes you just have to weigh it all up

Some of the businesses that get hit with ransomware have absolutely no chance of recovering their data by themselves or getting back up online again quickly. If this is the case, organizations need to know the downtime costs when an attack unfolds. When building out security programs, organizations must understand the cost of downtime per hour and the losses they stand to endure if a ransomware attack happens (this could relate to reputation, contractual obligations, share price and employee productivity). If the ransom demand is much smaller than these losses, paying the ransom can appear to be the most financially responsible option in the short term.

4. It’s unlikely all your data will be returned

Modern ransomware gangs do not rely on one type of extortion. In addition to locking up your data and systems, they will usually steal information and ask for money for not selling it on to other parties. This approach is particularly effective when the attackers steal sensitive customer data like financial records or health data. However, paying ransom demands is doing business with criminals, so if an attacker is ruthless enough to hold an organization’s data hostage, should you really trust their word that they will return it and not use it?

Few organizations ever get all their data back and recovery can still take months. So, paying should never be viewed as a guarantee of getting back online quickly.

Not paying the demand – key considerations

1. It is ethically correct not to pay

Not paying a ransom is the ethically correct decision. It’s the right thing to do. In some countries paying the ransom is even against the law. But just because it’s the right thing to do, that doesn’t always make it the best financial decision for the business.

2. You are unlikely to recover all data on your own

While paying the ransom may not be the recommended action, the data losses posed by attacks can be catastrophic. Full data recovery can take months and can often mean restoring data from scratch by pulling in data from different sources.

While most organizations will run regular backups, there is often a window of data that does not get backed up in time and – depending on the size and focus on the business – that data loss can range from manageable to irreparable. Either way, not paying the ransom may lead to a much longer recovery period and the lengthy recovery process could cause burnout in your IT teams.

3. If you don’t operate a sophisticated security program it could result in insolvency

In the most severe cases, ransomware can end up killing businesses. If they choose to ignore the demand, it can result in irreparable losses that put the business out of operation. The full impact of an attack must be considered before deciding not to pay.

The solution

It’s fair to say that organizations are not in a position of power when it comes to ransomware attacks. They are at the mercy of cybercriminals and however and whenever they decide to attack.

The best course of action, therefore, is a two-pronged strategy to prepara for attacks: protection and resilience.

Defenses to protect assets and stop attackers breaching networks are essential. This includes:

• Educating employees on ransomware and how it gets into systems and how user accounts are targeted
• Running a regular patch management process, complemented with proactive red teaming
• Scheduling regular backups and regularly testing the backup and data recovery process
• Implementing segmentation across networks and systems to stop attacks from spreading once attackers gain a foothold

On top of this, when organizations are building out their security programs, they must focus on how best to respond to attacks to minimize disruptions. This means they must be able to understand the scale of incidents so they can run forensics quickly. This helps then understand if they can survive the attack or if paying the demand is preferable.

The overall focus of security programs must be resilience and flexibility: make it harder for attackers to breach your systems and make it possible to respond to attacks faster, so you know exactly which action to take without wasting time mulling over the question “to pay or not to pay”.