The scale and severity of ransomware are growing rapidly. And one of the biggest questions on everyone's mind, besides 'How do you avoid an attack altogether?', is 'If you do experience an attack, should you pay?' Ransomware preys on our reliance on technology to work, to access crucial services, and to keep in contact with loved ones. As this connectivity continues to grow, so too will the threat of ransomware and other cybersecurity dangers.
We benefit daily from developments in technology, but while technology is making our lives easier it is also helping cybercriminals as they exploit acceleration in connectivity and poor cyber-hygiene. Just look at how the volatile, uncertain times brought about by the pandemic gave rise to high rates of cyber-crime as entire workforces took to remote working, cloud adoption skyrocketed, and digital transformation became a business imperative at scale. The sheer volume of attacks following the first lockdown was staggering, with ransomware attacks surging 400% year on year according to the FBI, and by a shocking 800% during the pandemic, according to Zohar Pinhasi, a cyber counter-terrorism expert.
But the answer to the question 'Should you pay ransomware demands?' may be more complicated than it first seems, because one organization's decision to hand big money to criminals has a ripple effect that eventually reaches other organizations, worsening the problem and funding the criminals' next campaigns.
What Is Ransomware?
Ransomware is one of the most significant security threats on the internet and one of the most damaging forms of cybercrime currently facing organizations all over the world. The term refers to a form of malicious software (malware) that encrypts documents and files on anything from a single PC to an entire network, servers included, so that the owner can no longer read them without the attacker's decryption key.
These attacks often begin with a user inside an organization mistakenly opening a malicious file, usually delivered by email or downloaded from a malicious web page. Larger ransomware campaigns also make use of software exploits, stolen credentials and any other available weakness to get into an organization, commonly through unpatched internet-facing servers or exposed remote desktop (RDP) logins. Once inside, the attackers typically move quietly through the network, escalating privileges and spreading to as many systems as they can; many groups also copy data out of the network at this stage so they can threaten to publish it later. Only then do they encrypt as much data as possible. After the encryption completes, a ransom note is displayed stating the attackers' demands, usually payment in Bitcoin, in exchange for the key to decrypt the data.
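To make the encryption stage concrete, the following is an added example (not code from the original article) of the kind of behavioural detection a defender can run over file-system write events: a process that, within a short window, writes many high-entropy files across several directories is flagged, while a text editor (many files, low entropy) and a backup agent writing compressed archives into a single directory (high entropy, one directory) are not. The event records, process names, paths and thresholds are all constructed for the illustration; in practice the events would come from an EDR agent, auditd or Sysmon.

```python
"""Behavioural detection of a mass-encryption burst from file-system write events.

Added illustration, not code from the article. Event records, process names and
thresholds are constructed; a real sensor (EDR, auditd, Sysmon) would supply the events.
"""
import hashlib
import math
import os
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since the epoch, as reported by the sensor
    pid: int
    process: str
    path: str       # path after the write/rename (new name for renames)
    sample: bytes   # first bytes of the content written, captured by the sensor


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plain text is ~4-5, ciphertext/compressed data near 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def detect_mass_encryption(events, window=60.0, min_files=20, min_dirs=3, entropy_threshold=7.0):
    """Flag processes that write >= min_files high-entropy files spread over >= min_dirs
    directories inside any `window`-second span. Returns {pid: (process, first_ts, count)}
    recorded at the moment each process first crosses the thresholds."""
    recent = defaultdict(deque)  # pid -> deque of (ts, directory) for high-entropy writes
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if shannon_entropy(ev.sample) < entropy_threshold:
            continue  # ordinary document saves never reach the threshold
        q = recent[ev.pid]
        q.append((ev.ts, os.path.dirname(ev.path)))
        while ev.ts - q[0][0] > window:
            q.popleft()  # slide the window forward; the event just appended always stays
        dirs = {d for _, d in q}
        if ev.pid not in alerts and len(q) >= min_files and len(dirs) >= min_dirs:
            alerts[ev.pid] = (ev.process, q[0][0], len(q))
    return alerts


def _pseudo_ciphertext(seed: str, size: int = 1024) -> bytes:
    """Deterministic high-entropy bytes (chained SHA-256) standing in for encrypted content."""
    out, block = b"", seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:size]


# Constructed sample telemetry for three processes.
BASE_TS = 1_620_000_000.0
SHARES = ["/srv/share/finance", "/srv/share/hr", "/srv/share/legal",
          "/srv/share/eng", "/srv/share/ops"]
SAMPLE_EVENTS = (
    # A text editor saving plain-text notes: many files, but low entropy.
    [FileEvent(BASE_TS + i, 1001, "editor", f"/home/alice/docs/note{i}.txt",
               b"Quarterly notes, draft version " * 16) for i in range(30)]
    # A backup agent writing compressed archives: high entropy, but one directory.
    + [FileEvent(BASE_TS + i, 1002, "backup-agent", f"/srv/backups/vol{i}.tar.gz",
                 _pseudo_ciphertext(f"bk{i}")) for i in range(25)]
    # An unknown process rewriting files on five shares with a new extension in ~15 s.
    + [FileEvent(BASE_TS + 5 + i * 0.5, 4242, "unknown.exe",
                 f"{SHARES[i % 5]}/file{i}.xlsx.locked", _pseudo_ciphertext(f"enc{i}"))
       for i in range(30)]
)

if __name__ == "__main__":
    for pid, (proc, first_ts, count) in detect_mass_encryption(SAMPLE_EVENTS).items():
        print(f"ALERT pid={pid} process={proc} {count} encrypted-looking writes "
              f"starting at t={first_ts - BASE_TS:.1f}s")
```

The directory-spread condition is what separates the backup agent from the intruder; drop `min_dirs` to 1 and the backup agent trips the rule too, which is the usual false-positive trade-off when tuning this kind of heuristic against legitimate compression or encryption jobs.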
Victims are then in a terribly difficult position. For companies of all sizes, having vital files, documents, networks or servers encrypted and inaccessible can be devastating and can bring business productivity to a halt, as in the Garmin ransomware attack, where the company's online services were down for days and millions of users were unable to sync or fully use their devices. At this point the options are to pay the cybercriminals for the decryption key, to restore from backups, or to hope that a decryption tool has been published by researchers or law enforcement. Failing all of those, the organization has to rebuild from scratch. Note that backups only count as an option if the attackers could not reach them: ransomware operators routinely delete or encrypt online backups before triggering the encryption, so the backups that matter are offline or immutable copies that have actually been tested with a restore.
The fallout can be costly, with 50% of ransomware demands amounting to more than $50k, and long-lasting, with 38% of businesses reporting harm to their brand or reputation. Ransomware is easy to produce, difficult to protect against and highly lucrative. Not only are incidents on the rise, they are also becoming more sophisticated, with attackers continually finding new ways to evade security layers. Most companies should expect to face a ransomware attempt at some point, which raises the question: if your organization falls victim to a ransomware attack, should you pay the demand or hold steady?
Recent Ransomware Attacks
In May of 2021, two significant ransomware cyber-attacks occurred just a week apart – the attack on the Colonial Pipeline, and the Irish Health Service Executive attack.
On 7th May, Colonial Pipeline, a major US fuel pipeline that originates in Houston, Texas, and transports gasoline, diesel and jet fuel mainly to the Southeastern United States, suffered a ransomware attack. The company took the pipeline out of service for five days, and the outage caused fuel shortages in several states. The attack was carried out by the DarkSide ransomware group and was the latest in a series of incidents targeting critical infrastructure in the United States.
As is typical for this kind of activity, the attack came on a Friday, capitalizing on a weekend when security teams are often not at full capacity. Colonial Pipeline also acknowledged gaps in its security at the time: the intrusion was later traced to a legacy VPN account that lacked multi-factor authentication and whose password had been exposed, and the company was reported to have been running a vulnerable version of Microsoft Exchange as well. Combined with several other weak spots, this points to an overall shortfall in basic cyber-hygiene.
Colonial Pipeline made the decision to pay the ransom. The company handed over 75 bitcoin, worth roughly $4.4 million at the time, as pressure mounted to resume service as quickly as possible (the US Department of Justice later seized 63.7 of those bitcoin from a wallet controlled by the attackers). While the FBI and other law enforcement agencies have consistently discouraged victims from paying, in many cases victims feel they have no choice. They may not have usable backups or the infrastructure to recover the encrypted files themselves, or may simply judge that the cost of prolonged downtime far outweighs the cost of the ransom, as Colonial Pipeline did amid gas shortages and panic buying.
Just a week after this devastating attack came another, on 14th May, targeting the computer systems of the Irish Health Service Executive (HSE). Hospitals were forced to cancel routine appointments and a child protection IT system went down, although vaccinations were not affected. The attack left most of the country's hospitals without working IT systems for over a week.
There was chaos following the outage, with access to patients' records blocked and key services, including cancer treatments, hobbled as a result. The systems will likely take weeks to recover fully, leading to backlogs and increasing pressure on medical staff at an already taxing time in the wake of the pandemic.
The criminal gang responsible claims to have spent two weeks inside the HSE's systems before launching the attack and to have encrypted and stolen 700GB of data, which it has threatened to release. This prompted the Irish government to warn that sensitive medical information and other patient data could be leaked. Officials also warned that the stolen data might be used to launch further attacks, such as phishing or social engineering, and that patients should be extra vigilant and mindful of the heightened risk.
The Irish Government decided, despite the mounting pressure caused by the attack, not to pay the ransom and not to use diplomatic channels to obtain the decryption key. A decryption key was nonetheless made available almost a week after the attack, on the Thursday evening, and at the time of writing is being tested to confirm that it works. The key was handed over by the organized crime group responsible; its reasons for doing so are unknown.
Experts have long said that real progress against the ransomware epidemic will require more organizations to refuse to pay, as Ireland did. However, holding firm is not easy and, for some, not feasible. In fact, many ransomware groups vet their victims' financials before springing the trap, as this gives them a better idea of how much pressure the organization will be under to pay and what kind of sum they can reasonably demand.
The truth is, many organizations resort to paying digital extortion fees despite discouragement from law enforcement. So how do you know what the right decision is? Should you pay the ransom?
4 Reasons To Not Pay Up If You Are Hit With A Ransomware Attack
When organizations find themselves at the mercy of cybercriminals after a successful ransomware attack, the question of whether to pay is top of everyone's mind, especially as there is often only a small window of time in which to respond.
It is not a security decision; it is a business decision. The goal is to come out the other side of the ordeal with as little damage as possible, but there is rarely a straightforward right answer to 'should you pay?'. Paying can lead to repeat attacks and feeds the wider ransomware problem, while not paying can mean lost revenue, loss of customer trust and a range of other consequences, such as the gasoline shortages and disrupted healthcare described above. It is never an easy decision, but some good reasons to avoid paying are:
You Make Yourself An Attractive Target
Paying the ransom is a bit like letting an antagonistic person get a rise out of you – all you’ve done is shown them that they can.
Cybercriminals are inevitably encouraged by news of successful extortions, and they keep tabs on who pays up and who does not. Paying may offer short-term relief from the devastating effects of ransomware, but once you are identified as someone who can be blackmailed, you become a very attractive target for other would-be extortionists, or for the same ones. According to the UK's National Cyber Security Centre (NCSC), there has been a rise not only in ransomware attacks but also in repeat attacks where, shortly after paying the ransom, victims are targeted again.
The Next Ransom Is Bigger Than The Last
As the problem of ransomware increases, so too does the price. There is the cost of remediation, downtime, lost opportunity, reputational harm – and that’s even before paying the ransom.
Not that cybercriminals using ransomware have ever dealt in small change, but the average cost of recovery for businesses has more than doubled in the last year according to Sophos' The State of Ransomware 2021. The same report puts the average cost of recovery in 2021 at around $1.85 million, a hefty increase from $761,106 in 2020. As more organizations have bowed to the pressure to pay, criminals have been emboldened to raise their prices, knowing all too well how desperate organizations become when faced with the loss of important files and data.
The economics of the situation are simple: prices are set by what people are willing to pay. If victims refuse to pay, attacks will not stop, but there will be far less reason for the ransom amounts to keep increasing.
Can You Really Trust Cybercriminals To Keep Their Word?
It is a definite risk to trust that criminals will keep their side of the bargain. As simple as exchanging money for a decryption key may sound, there is a clear power imbalance while they hold your data hostage, and there is no guarantee the gang will hand over a key at all. In a survey of business leaders and IT professionals about how their organizations were affected by ransomware, researchers found that even after paying the ransom, 17% of victims were unable to recover their data. Even when a decryptor is delivered it can be slow or unreliable; Colonial Pipeline reportedly found the tool it received so slow that it restored much of its environment from its own backups anyway.
Some known gangs have earned themselves a better reputation than others. The CryptoWall gang is said to have offered good 'customer service', going so far as to extend deadlines and provide victims with instructions on how to obtain Bitcoin, the preferred method of payment, and decrypting files quickly once paid. Others, including CTB-Locker, Reveton and TeslaCrypt, have been somewhat less reliable. But the question remains: can you ever truly trust the word of cybercriminals, whatever their reputation?
You Add Fuel To The Fire
It is understandable why so many organizations choose to save themselves hassle in the short term by paying the ransom, but the long-term cost of this decision is that the money paid will undoubtedly become reinvested into future cybercrime.
The more money attackers have to develop more advanced ransomware and more sophisticated delivery mechanisms, the more the problem grows. Ransom proceeds fund further campaigns, so every company that pays inevitably finances future attacks and feeds the problem.
So … Should You Pay Ransomware?
There is always a reason to pay, and it’s simple – organizations need their files back. They pay because they feel they have no choice. Whether you choose to pay the ransom really comes down to straightforward business calculations.
Our view on the big question of 'should you pay the ransom for ransomware?' is no. In most cases, organizations should not pay, for all the reasons covered here and more. However, we understand that there are instances where ransomware hits so hard that the business is at serious financial and reputational risk if the data remains unrecovered. Pay or don't pay, both outcomes are highly undesirable, so the best choice in the short term is to invest in the controls that make the decision unnecessary: offline or immutable backups that are regularly test-restored, multi-factor authentication on every remote access path, prompt patching of internet-facing systems such as mail and VPN servers, and network segmentation that limits how far an intruder can spread before the encryption starts.
If you have been hit by ransomware, check out our recent guide on how to recover from a ransomware attack.