Ransomware: To pay or not to pay? 5 factors to consider

Posted by Craig McDonald on May 28, 2021 9:34:40 AM


Your customers' business data is being held hostage, encrypted, with only their attackers holding the keys. So, should they pay the ransom, or try to recover without handing company profits to cybercriminals?

The question has become even more pertinent for businesses given the recent proliferation of ransomware attacks. In April 2021, the U.S. Department of Justice announced the creation of a new task force dedicated to curtailing the growing threat of ransomware, describing 2020 as “the worst year ever” for ransomware attacks. Indeed, many threat intelligence sources, Microsoft among them, noted an “uptick in the volume of ransomware attacks” in 2020. The company stated that ransomware was “the most disruptive cybercrime threat of the past year”, highlighting that ransomware infections had been the most common reason behind Microsoft’s incident response (IR) engagements from October 2019 through July 2020.

2020 may be over, but ransomware threats continue to make headlines. A recent example is the ransomware attack on Colonial Pipeline, a crucial fuel pipeline in the United States. The Guardian called it the “worst-ever cyber-attack on US infrastructure”. The attack led the Biden administration to invoke emergency powers as part of an “all-hands-on-deck” effort to avoid fuel shortages. The company’s CEO confirmed it paid the $4.4 million ransom to attackers, stating it was “the right thing to do for the country”.  

The temptation to pay is all too real, as evidenced by the recent ransomware attack on Garmin. The tech company experienced rolling outages for multiple days, affecting parts of Garmin Connect services, pilot apps, its website and call centres. Amid all these disruptions, who wouldn’t be tempted to resume operations as soon as possible? Garmin’s systems were finally back to normal after more than a week, reportedly following a multi-million dollar settlement through a ransomware negotiator.

On the other hand, there are companies like LG and Xerox that didn’t pay the ransom after falling victim to a ransomware attack. Unfortunately, their files were leaked slowly online. 

So just how do companies decide when to pay up and when to call a ransomer’s bluff?  
 

What do the authorities say? 

The authorities’ advice is to simply report, but not to pay. 

The FBI’s official line is that “The FBI does not support paying a ransom in response to a ransomware attack”. Their justification? That paying doesn’t guarantee an outcome, and that it encourages more attacks in the future. Both points ring true.

The Australian Cyber Security Centre (ACSC) adopts a similar stance, saying it does not recommend paying ransoms:  

“Paying a ransom does not guarantee decryption of data. Open-source reporting indicates several instances where an entity paid the ransom but the keys to decrypt the data were not provided. The ACSC has also seen cases where the ransom was paid, the decryption keys were provided, but the adversary came back a few months later and deployed ransomware again. The likelihood that an Australian organisation will be retargeted increases with every successful ransom payment,” the ACSC stated in a recent report.  

What would Liam Neeson do? 

We’ve all seen Liam Neeson in Taken, or at least heard his famous quote bandied about: 

“If you are looking for ransom, I can tell you I don't have money. But what I do have are a very particular set of skills; skills I have acquired over a very long career. Skills that make me a nightmare for people like you...” 

Now, it’s unlikely that your customers are going to reply to their attackers with anything similar to that, or that they are actually ex-CIA operatives experienced in tracking down cybercriminals and making their lives a “nightmare”. However, like Neeson, you may find that the attack on their business has you seeing red, fired up and ready to make some sort of move.
 

5 factors to consider in the event of a ransomware attack 

My advice? I don’t recommend paying, but it’s not always black and white. Each business must decide what’s best based on its own specific circumstances. This may involve discussions with CISOs and consultants who are experienced in cyberextortion and ransomware payouts, to help your customers evaluate the pros and cons of paying a ransom as they apply to their particular business.

Here are a few questions designed to drive and enhance that conversation. As you continue supporting your customers in mitigating the growing threat of ransomware, share these with them to boost their awareness of the issues at hand when deciding whether or not to pay a ransom in the event of an attack, enabling them to limit the extent of the damage caused.

1. Is your data recoverable? 

Make double, triple, quadruple sure that you can’t recover your data before considering payment. In Sophos’ The State of Ransomware 2020 survey, they report that a staggering 94% of organisations whose data was encrypted got it back, with 56% getting it back via backups versus 26% paying the ransom. There are also decryptors, ransomware removal tools, and other known reversal methods that you should try first. Ask your team to identify the particular ransomware variant that’s hit your business and check whether a decryptor or recovery method exists for it.

2. Are you covered by cyber insurance? 

If so, check the terms of your coverage. The Sophos survey reports that 94% of the time a ransom is paid, the payment is covered by insurance. This may well be why many companies end up satisfying their attackers’ ransom demands. That’s certainly what Bloomberg had to say about the $40 million paid by insurance on behalf of CNA Financial after it was hit by a ransomware attack.

3. What’s the extent of the data that’s under ransom? 

Forensic investigation can help you uncover the extent of the data that has been encrypted or stolen. By knowing exactly what is at stake, you can make a decision about its importance. You might be very tempted to pay an attacker for healthcare records or locked-up critical infrastructure, but not be too worried about stolen marketing campaigns.

4. How credible are the attackers? 

Do a bit of research on your attackers and try to gauge their next moves. Do they have a history of leaking the data under threat? Do they conduct fair negotiations? A professional firm can help you with this step if playing detective is outside your current capabilities.

5. Can you afford the fee, versus the cost of recovery if you don’t pay?

This is a major one. Can you afford the ransom (or a negotiated fee)? What if that fee simply disappeared into thin air without you receiving anything in return? That, too, is a possible outcome, after all. And how much will it cost to recover from the incident if you don’t pay? Putting a dollar cost on recovery (especially for things like reputational damage) can be tricky, but it is necessary to tabulate here.

The climate for cybercrime continues to evolve, with new tactics making the decision to pay or not to pay an even murkier one. KPMG, for example, states it is seeing cybercriminals “move towards more creative ways of extorting ransoms. These include ‘double extortion,’ where ransomware encrypts your data and forces you to pay a ransom to get it back and then sends your data to the threat actor, who threatens to release your sensitive data unless further ransom is paid”.
 

Keeping businesses protected 

Prevention is always better than a cure, and the best defence is to encourage businesses to proactively boost their cyber resilience so they avoid being hit by ransomware in the first place. The fact that a staggering 94% of malware attacks are delivered by email makes email an extremely important vector for businesses to fortify.

No one vendor can stop all threats, so it’s crucial to remind customers that if they are using Microsoft 365 or G Suite, they should also have a third-party email security specialist in place to mitigate their risk, for example a third-party cloud email security solution like MailGuard.

Being hit by a ransomware attack can cause businesses significant financial losses and reputational damage, especially following a tough pandemic-ridden year in which many businesses struggled to keep the lights on. By taking the time to assess the situation and exploring all recovery options at hand, your customers can make the right decisions and successfully navigate the ransomware payout dilemma.
