Your business data is being held hostage, encrypted with only your attackers holding the keys. So, do you pay up the ransom, or try to recover without handing over company profits to cybercriminals?
The question has become even more pertinent for businesses given the recent proliferation in ransomware attacks. In April 2021, the U.S. Department of Justice announced the creation of a new task force dedicated to curtailing the growing threat of ransomware, heralding 2020 as “the worst year ever” in ransomware attacks. Indeed, many intelligence experts, like Microsoft, noted an “uptick in the volume of ransomware attacks” in 2020. The company stated that ransomware was “the most disruptive cybercrime threat of the past year”, highlighting that ransomware infections had been the most common reason behind Microsoft’s incident response (IR) engagements from October 2019 through July 2020.
2020 may be over, but ransomware threats continue to make headlines. A recent example is the ransomware attack on Colonial Pipeline, a crucial fuel pipeline in the United States. The Guardian called it the “worst-ever cyber-attack on US infrastructure”. The attack led the Biden administration to invoke emergency powers as part of an “all-hands-on-deck” effort to avoid fuel shortages. The company’s CEO confirmed it paid the $4.4 million ransom to attackers, stating it was “the right thing to do for the country”.
The temptation to pay is all too real, evidenced by the recent ransomware attack on Garmin. The tech company experienced rolling outages for multiple days, including parts of Garmin Connect services, pilot apps, their website and call centers. Amid all these disruptions, who wouldn’t be tempted to resume operations as soon as possible? Garmin’s systems were finally back to normal after over a week, reportedly following a multi-million dollar settlement through a ransomware negotiator.
On the other hand, there are companies like LG and Xerox that didn’t pay the ransom after falling victim to a ransomware attack. Unfortunately, their files were leaked slowly online.
So just how do companies decide when to pay up and when to call a ransomer’s bluff?
What do the authorities say?
The authorities’ advice is to simply report, but not to pay.
The FBI’s official line is that “The FBI does not support paying a ransom in response to a ransomware attack”. Their justification? That paying doesn’t guarantee an outcome and that it also encourages more attacks in the future. Both of which ring true.
The Australian Cyber Security Centre (ACSC) adopts a similar stance, saying it does not recommend paying ransoms:
“Paying a ransom does not guarantee decryption of data. Open-source reporting indicates several instances where an entity paid the ransom but the keys to decrypt the data were not provided. The ACSC has also seen cases where the ransom was paid, the decryption keys were provided, but the adversary came back a few months later and deployed ransomware again. The likelihood that an Australian organisation will be retargeted increases with every successful ransom payment,” the ACSC stated in a recent report.
What would Liam Neeson do?
We’ve all seen Liam Neeson in Taken, or at least heard his famous quote bandied about:
“If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you...”
Now, it’s unlikely that you’re going to email your ransomware contact and say anything similar to that, or that you’re actually an ex-CIA operative experienced in tracking down cybercriminals and making their lives a “nightmare”. However, like Neeson, the attack on your business may have you seeing red, fired up and ready to make some sort of move.
5 factors to consider in the event of a ransomware attack
My advice? I don’t recommend paying, but it’s not always black and white. The business must decide what’s best based on their own specific circumstances. This may involve discussions with your CISOs and consultants who are experienced in cyberextortion and ransomware payouts to help you evaluate the pros and cons of paying a ransom that are specific to your particular business.
Here are a few questions that are designed to drive and enhance that conversation. Including these in your incident response plan will help you become more aware of the issues at hand when deciding to pay or not to pay, a ransom in the event of an attack, and enabling you to limit the extent of damage caused.1. Is your data recoverable?
Make double, triple, quadruple sure that you can’t recover your data before considering payment. In Sophos’ The State of Ransomware 2020 survey, they report that a staggering 94% of organisations whose data was encrypted, got it back - with 56% getting it back via backups vs 26% paying the ransom. There are also decryptors, ransomware removal tools, and other known reversal methods that you should try first. Ask your team to check the particular ransomware variant that’s hit your business to see if it’s possible.2. Are you covered by cyber insurance?
If so, check the terms of your coverage. The Sophos survey reports that 94% of the time that a ransom is paid, it’s due to being covered by insurance. This may well be why many companies end up satisfying their attackers’ ransom demands. That’s certainly what Bloomberg had to say about the $40 million paid by insurance on behalf of CNA Financial after it was hit by a ransomware attack.
3. What’s the extent of the data that’s under ransom?
Forensic security can help you uncover the extent of the data that has been encrypted or stolen. By knowing exactly what is at stake you can make a decision as to its importance. You might be very tempted to pay an attacker for healthcare records or locked up critical infrastructure, but not be too worried about stolen marketing campaigns.4. How credible are the attackers?
Do a bit of reconnaissance on your attackers and try and gauge their next moves. Do they have a history of leaking the data under threat? Do they conduct fair negotiations? A professional firm can help you with this step if playing detective is outside of your current capabilities.5. Can you afford the fee vs how much for recovery on non-payment?
This is a major one. Can you afford the ransom (or a negotiated fee)? What if that fee just disappeared into thin air without you receiving anything in return? This, too, is a viable outcome, after all. And how much will it cost to recover from the incident if you don’t pay? Putting a dollar-cost on recovery (especially with things like reputational damage) can be tricky, but necessary to tabulate here.
The climate for cybercrime is continuing to evolve, with new tactics making the decision to pay or not to pay, an even murkier one. KPMG, for example, states it is seeing cybercriminals “move towards more creative ways of extorting ransoms. These include ‘double extortion,’ where ransomware encrypts your data and forces you to pay a ransom to get it back and then sends your data to the threat actor, who threatens to release your sensitive data unless further ransom is paid”.
Keeping your business protected
Prevention is always better than a cure, and the best defence is to proactively boost your company’s cyber resilience levels to avoid being hit by ransomware in the first place. The fact that a staggering 94% of malware attacks are delivered by email, makes email an extremely important vector for businesses to fortify.
I strongly recommend adopting a multi-layered approach to your email security. It’s sometimes referred to as a ‘defence in depth’ approach, designed to defend a system against attacks using several different methods, in the event that if one fails, the others will stop the threat.
Even if you have an email security solution in place, explore other solutions to layer your email defences and to protect your brand, your people and your data. No one vendor can stop all threats, so don’t leave your business exposed. If you are using Microsoft 365 or G Suite, you should also have third-party solutions in place to mitigate your risk. For example, using a third-party cloud email solution like MailGuard to complement Microsoft 365. For more information on how MailGuard can help defend your inboxes, reach out to my team at firstname.lastname@example.org.
Being hit by a ransomware attack can cause businesses significant financial losses and a hit to their reputation, especially following a tough pandemic-ridden year which resulted in many businesses struggling to keep the lights on. By taking time to assess the situation and exploring all recovery options at hand, your business can make the right decisions and successfully navigate the ransomware payout dilemma.
Stay safe, everyone.
Should companies hit by a ransomware attack pay the ransom? Share your thoughts with me below.