Last year, CNA Financial Corporation, one of the biggest US insurance companies reportedly paid hackers$40 million following a ransomware attack, while Colonial Pipeline paid hackers $4.4 million for a decryption tool to restore its operations. This was despite the FBI and the Department of Homeland Security recommending that companies not pay the ransom.
In 2021, the average mitigation cost of a ransomware attack was $1.85 million, with organizations and companies experiencing 21 days of downtime on average following an attack, and 80% of victims who paid a ransom experiencing another attack soon after.
The question is what your organization will do if it is attacked by ransomware. Will you pay for data or system recovery? Should you pay? What happens if you pay?
What happens if you pay?
Theoretically, if organizations pay the ransom, the attackers will provide a decryption tool and withdraw the threat to publish stolen data. However, payment doesn’t guarantee all data will be restored.
On average, only 65% of data was recovered, and only 8% of organizations recovered all data. Some experts say that 80% recovery is the best you can hope for. And if the encryption keys work, there’s still a lot of work to be done. Data recovery can take weeks, especially if most of it is encrypted. For example, HSE, the Irish health service still needs the support of the Irish Defence Forces to restore systems. Two months after the initial attack, only 3,933 servers out of 4,891 were recovered and only 69,000 out of 83,000 affected devices were cleaned up.
The main reasons why businesses pay ransoms are:
- Faster recovery time. If a company chooses not to pay, data restoration can take along time and the company could face long, costly operational downtime.
- Damage to businesses. The harm a company suffers can include revenue loss, reputational harm, and so on.
- Excessive recovery costs. Paying a ransom is a business decision. If the costs to recover from a ransomware attack exceed the ransom payment, the most economical choice is to pay it.
- To protect customer or employee data. Some attackers threaten to release data they exfiltrated to pressure companies to pay.
What are the potential legal and commercial risks of paying ransoms?
While committing a ransomware attack is clearly criminal activity, it is generally not a crime to pay a ransom note unless the payer knows or reasonably suspects that there is a connection to terrorism or that it would violate sanctions regimes. In April 2021, the United States imposed sanctions against 32 Russian organizations and officials involved in cybercrime “and other acts of disinformation.” These sanctions are said to have been partly in response to a series of cyberattacks, including the attack on SolarWinds Corporation.
Understanding whether is is okay to pay a ransom is further complicated by increased sanctions imposed on Russia for invading Ukraine. In addition, new legislation introduced in early 2022 known as “The Strengthening American Cybersecurity Act” also requires notification from critical infrastructure owners to report if they have made a ransomware payment.
This “hard reality” perspective is reflected in recent changes made to the FBI’s official guidance on ransomware threats.
“…the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”
However, paying a ransom can be risky business for several reasons, including:
- Attackers are more likely to strike again. Payment could encourage further ransomware attacks, especially if the hackers know their demands will be met.
- Ransom payments end up funding criminal activity. Ransomware is on the rise partly because of the economics and ease of exploitation.
- You could face criminal penalties under anti-bribery laws. There is an argument that a person who makes unlawful payments to a “foreign public official” (for example, in the case of state-sanctioned ransomware attacks) could be prosecuted under relevant anti-bribery legislation.
- You can face fines/enforcement from data protection regulators. Severe penalties may apply under data protection laws if personal data is compromised or unavailable and this is not managed correctly.
- You can face fines/enforcement from other regulators. If you are in a regulated industry, substantial fines and other enforcement action may also apply if an incident is not handled properly.
What happens if you do not pay?
You find yourself in the very same position the ransomware attacker first put you in by encrypting all your files to “twist your arm” into paying.
Depending on what kind of ransomware infection you have, there is some possibility that a decryptor already exists for that particular strain; less likely, but not unheard of, is the possibility that an experienced analysis team may discover a way to decrypt your files.
A lot of ransomware is poorly written and poorly implemented. It may be that all is not lost as it first might seem.
Projects like NoMoreRansom can be a very valuable resource when evaluating a course of action if faced with a ransomware attack.
If your data backup system is robust you are in a much better position to rebuild your environment, and it may not be as painful to move forward without paying.
Organizations cannot prevent every possible ransomware attack. The best thing you can do is assume you will be hit and have plans in place that enable a quick response.
This is the perfect time to double down on your cybersecurity posture. It’s a great idea to have an independent company perform a cyber resilience review to determine the current risk to your environment.
This includes running through exercises about what happens when an attack occurs. Doing so may reveal unexpected problem areas. For example, one organization found that it took much longer than anticipated to write a press release about an attack, highlighting the need for a pre-written statement.
It’s also important to strengthen backups and test restores forall critical businesses. Assuming the backups work, the cost of recovery will always be less than paying the ransom for an uncertain outcome.
Furthermore, make sure executives are fully briefed on the topic and involved in decisions. The more they understand the risks, the better prepared they will be to decide and justify it in the face of scrutiny.
Treat ransomware as a business decision. If the problem is visible across the organization, there will be fewer surprises if you do get hit. This will facilitate more informed decision-making in the response, including deciding whether you should pay.