Ransomware attacks: Does it ever make sense to pay?

Ransomware continues to plague businesses of all shapes and sizes.

Figures from a recent Menlo Security study, 2022 Impacts: Ransomware attacks and preparedness, show that more than one in three organisations experience a ransomware attack once a week, while one in ten are subjected to them daily.

Given the sheer volume of threats, many entities eventually fall victim to the barrage, leaving them to contemplate a tricky question – to pay or not to pay the ransom? 

This dilemma continues to be both sensitive and divisive. 

Official guidance from the UK’s National Cyber Security Centre (NCSC) unsurprisingly advocates a reluctant stance, stating that “law enforcement does not encourage, endorse nor condone the payment of ransom demands”. By agreeing to cooperate with criminals, firms are seen to be incentivising cyberattacks, affirming to them that there are opportunities to extract lucrative sums from their victims. 

And there are several other reasons why companies should think twice about succumbing to ransom demands. Not only is there no guarantee that a payer will regain access to their data, network or devices, but equally, those that do put up funds are likely to leave themselves with a greater target on their back.

Paying by no means offers immunity. New threat actors may be more likely to attack you as a proven payer, and the original attacker may repeat the process and demand payment again. Indeed, any successful threat actor is likely to try to maintain their foothold on your network so that they can steal and encrypt your data again in the future for a further ransom.

Why many firms consider paying

There are, therefore, significant risks in cooperating with criminal groups. Yet at the same time, there is generally no blanket law against doing so (although a payment that reaches a sanctioned individual or group can breach sanctions regulations, so legal advice should be taken before any transfer), and in certain scenarios it may be a cost-effective, attractive or even logical option. 

Often, the greatest financial damage incurred from a ransomware attack is not the ransom demand itself, but the downtime that a business experiences. Industry statistics put the average interruption following a ransomware attack at around 20 days, for example. 

Malicious actors often leverage double extortion tactics, exfiltrating a target’s data in addition to encrypting it, with the intention of leaking it should the victim not cooperate. If attackers follow through on this, organisations could face severe reputational damage and a mass exodus of customers. 

From faster and cheaper recovery to reduced reputational damages, cooperation is an avenue that continues to be both considered and actively explored. 

According to Menlo’s findings, only a minority say that they would never pay a ransomware demand. While one in three admit they are worried about the risk of paying a ransomware demand and not getting their data back, nearly two thirds of respondents say they would pay a ransomware demand.

Improving preparedness

For those that opt to make a payment, there are several steps that should be taken to protect key interests. 

Firms should conduct a complete security evaluation to detect and eliminate all elements, scripts and backdoors that might remain on the network or endpoints post-payment, for example. Further, they should also implement an appropriate action plan outlining exactly how to respond to ransomware attacks. 

This should detail who needs to be informed in the event of an attack, including regulators and law enforcement that must be notified within strict time windows (for example, a personal data breach must be reported to the ICO within 72 hours under the UK GDPR). It should also outline the technical response options that are available (such as backups) and the means of establishing the severity of an attack. And it should be meticulously and regularly tested to ensure it is effective should a real event occur. 

Equally, organisations should draw on external support to supplement any internal preparations.

Insurance stands as a good option in enabling firms to protect their financial security – one that’s being actively leveraged by many firms already. According to Menlo’s survey, more than three in four organisations have some form of cyber insurance in place. 

However, many companies are currently underestimating the potential cost of recovery. While the perceived cost of an attack currently stands at $326,531, industry figures show the average total cost of recovery from a ransomware attack in 2021 was in fact $1.4 million. 

With the average insurance payout being $555,971, it is critical that organisations work to recognise the true potential impact of an attack and ensure their coverage is able to meet the true cost, as opposed to the perceived cost, of an attack.

Finally, companies should also look to be more proactive and implement effective protection mechanisms to better thwart attacks in the first instance.

This needs to begin with an embrace of zero trust. Whereas traditional perimeter-based models let an attacker who is already inside move laterally through internal systems with little resistance, zero trust requires every request to be continually authenticated and authorised.

To achieve zero trust effectively, we advise embracing isolation technology, which ensures that all active code from the internet is executed in isolated cloud containers, thereby removing the risk from web and email attack vectors.

With isolation technology, malicious web or email content never executes on the endpoint itself. Isolation does not cover initial-access routes such as exposed remote-access services or stolen credentials, so it complements, rather than replaces, tested backups, multi-factor authentication and prompt patching. 

Mark Guntrip