For many businesses, it’s a worst-case scenario.
You open your laptop and try to access your latest presentation, report, or financial statement. However, when you click on the files, all you see is gibberish and error messages.
On your desktop, you discover the dreaded ransom note with instructions: “If you want your files back, you must pay $250,000 in Bitcoin. If you don’t pay within 24 hours, your data will be destroyed for good.”
What would you do? Most cybersecurity experts will advise you not to pay. Let’s be real though: there is no hard-and-fast rule about paying a ransom—especially when the clock is ticking and dollars are burning. Some examples:
In each scenario, the company had to make a call based on their unique circumstances. They also did so with no guarantee that the hackers would actually provide them with a decryption key, or that it would work properly.
Whether you ultimately decide to pay or not, it’s important to take every scenario into account and make an informed decision.
Law enforcement generally recommends against paying ransoms. While paying a ransom might seem like a quick fix, it’s a risky decision with no guarantee of success. Here are the reasons most experts advise against paying:
In some cases, decryptors provided by hackers will make the situation worse. For example, the decryptor supplied in the ProLock ransomware attack corrupts files larger than 64 MB, losing 1 byte of data per KB in those larger files. Victims who paid the ransom still suffered significant data corruption and loss.
Nearly half of ransomware victims who paid the ransom (46%) regained access to their information, only to discover that their data was corrupted. In fact, 3% of victims who paid didn’t receive any of their data back at all.
Here’s another scary stat from the whitepaper quoted in the first point: 78% of victims who paid the ransom were breached again, and 63% faced an even bigger ransom demand than they did before.
When you make a payment, you send a message to hackers: you’re not only unprepared for an attack, but you are willing and able to pay an exorbitant price to get your files back.
Bear in mind that when you are paying a hacker group, you’re effectively funding a criminal organization. The group may even be involved in domestic or international terrorism.
That is why the U.S. government discourages ransomware payments and is willing to penalize organizations that pay ransomware attackers. It’s enforced by the Office of Foreign Assets Control (OFAC), a department within the Treasury. OFAC maintains a list of sanctioned individuals and organizations. If the ransomware attacker is on this list, paying them is considered “material assistance,” which violates sanctions. Strict liability applies, which means an organization can be penalized even if it didn’t know the attacker was sanctioned.
Many ransomware attackers go further than just holding your data for ransom. There’s a tactic called “double extortion,” whereby attackers steal a copy of your data before encrypting it. They then hit you with a double threat:
In other words, paying only gives you back control of your encrypted data, but it doesn’t guarantee they’ll destroy the stolen copy. Bear in mind that even if you pay ransom, you may still suffer from all of the fallout of a data breach—including loss of revenue and reputational damage—because of this tactic.
Let’s say you decide to take the risk and make the payment anyway. In the ideal scenario, the attackers will provide you with a decryption key so that you can restore your information. Unfortunately, this ideal scenario rarely plays out in real life. A very small percentage of companies get all of their data back.
Usually, you’re able to restore most of the lost data. But encrypted files aren’t easily recoverable, decryptors often crash, and data recovery is a slow and laborious process. And even if you do pay, your information could still end up on the dark web.
Remember, the people who hit you with ransomware are criminals; they’ve already committed crimes by putting your company in this position in the first place. Thinking they won’t commit another crime if it benefits them is naive, because what else do they have to lose?
If you do decide to make a payment, there are a few things you should consider:
Your incident response (IR) team or insurance agency may have a negotiator on staff. Find out if that’s the case before you enter into a retainer so that you know who to turn to in the event of an emergency.
You may think about having a Bitcoin wallet set up and funded as part of an IR plan so that you can make a quick payment. Sourcing crypto on short notice can be difficult.
Find out what your insurance will cover. You may have cyber insurance in place, but you have to know what you are covered for before making any payments. Some insurers will not cover ransoms paid.
Ransomware attacks happen every day. Listen to the advice of your IR team and ransomware negotiator. It may seem obvious, but they have your best interests at heart and should handle the negotiation from start to finish. They may even advise you not to pay the ransom because the group that hacked you has a reputation for providing broken keys or selling data regardless of whether the ransom is paid.
Remember, even if you do pay, you haven’t officially recovered your data yet. It can take weeks to get back up and running. And according to some research, paying the ransom may even double your recovery cost.
We would strongly recommend not making a payment, but every ransomware attack should be evaluated on a case-by-case basis. Your business and the well-being of your customers may depend on you paying the ransom. For example, if you work in the medical field, there’s the possibility your patients’ lives may depend on it.
Weigh the pros and cons before making a decision. Reach out to experts and find out what your insurance covers. Yes, you may be able to retrieve most of your data and get back to business quickly. And you may even do the math and find out it’s cheaper to pay a ransom than to hire data recovery specialists to get you back up and running.
However, it’s important to note that most ransom payments aren’t the silver bullets the cyber crooks may say they are. You may still lose your data (and a significant chunk of cash) after paying.
The best thing you can do is start implementing preventative measures and contingency plans beforehand. Back up your data, apply the principle of least privilege and access controls to limit the damage, and cultivate a cyber-aware culture at work.
If you can avoid a ransomware attack altogether through stronger preventative measures, you might never have to face this impossible question.
*** This is a Security Bloggers Network syndicated blog from Blog – Coro Cybersecurity authored by Kevin Smith. Read the original post at: https://www.coro.net/blog/should-you-pay-a-ransomware-attacker