Ransomware: Should Companies Ever Pay Up?
Ransomware is a major threat, and no business is "too small to target." So what should you do after an attack? Is negotiating with criminals ever the answer?
March 31, 2022
In a world increasingly rocked by cyber threats, ransomware is one of the most prolific. Stories about the Colonial Pipeline attack and strikes against JBS have earned massive news coverage. No business is "too small," thanks to a rise in cyberattack automation.
What happens, then, when ransomware strikes your business? Do you pay up quickly to control the damage, or is it possible to fully recover on your own? And does paying a ransom really solve the problem?
Anticipate Attacks and Prepare Accordingly
We posed these questions and more to a panel of experts in cybersecurity and managed services delivery at the Acronis #CyberFit Summit in Singapore.
The panel was unanimous: While no organization can become immune to cyberattacks, a proactive defense strategy is crucial.
"With the proper [backup and disaster recovery] systems in place, most businesses … are able to get back to work," says Kenny Tay, General Manager at Cloudable Solutions, a Singapore-based provider of managed IT services. "But for businesses who have not planned for these events … they may not have the tools to get their data back, and they may have to negotiate with the cybercriminals."
Evolving Threats Create New Challenges
As data backup and disaster recovery becomes commonplace, cybercriminals are shifting their tactics. Modern ransomware often attempts to disable security software and delete or encrypt backups, rendering victims unable to recover. Even if you can "get back to work," it's not always the end of the problem.
Double extortion tactics, in which ransomware operators steal data from infected systems before encryption, have become widespread. Cybercriminals threaten to publicly release this data — which often contains sensitive information, like customer profiles or trade secrets — if their ransom demands are not met. Naturally, this adds considerable pressure on victims to pay up.
Is Paying a Ransom Ever the Right Move?
With the business itself at risk, an underprepared victim may see little choice but to negotiate for the restoration of their data and systems. But this is an expensive prospect that comes with no guarantees.
"From a law enforcement perspective, we would not recommend you pay," says Jacqueline de Lange, Interpol Head of Africa Cybercrime Operations Desk. "If you make a ransomware payment … you are involved in a criminal activity. You could be funding organized crime syndicates — it could be a terrorism organized crime group — and [you risk running afoul of] anti-money laundering legislation."
The ransom resolution process can be painfully slow. After last year's attack, Colonial Pipeline's owners paid $5 million in ransom, yet the decryptor they received was so slow that they ended up relying on their own backups.
The US Department of the Treasury advises organizations to focus their resources on defensive and resilience measures, noting that paying a ransom only emboldens attackers and may introduce legal risks to the victim. Conversely, any actionable measures you've taken to proactively reduce your risk posture can be seen as "mitigating factors" that limit your liability for the leak of sensitive data resulting from a ransomware attack.
Prepare Now for Ransomware
"Whenever an organization faces this kind of event, it's a bit of a wake-up call," says Bryce Boland, Head of Security, ASEAN, at Amazon Web Services. "A lot of what happens next comes down to how you've prepared."
The panel agrees that the first steps in any ransomware incident plan should always be to contact law enforcement and convene your legal and security teams for a risk assessment and forensic investigation. In many jurisdictions, reporting data breach events (including ransomware strikes) to the local authorities is a legal obligation.
If you've established comprehensive data backup and disaster recovery capabilities — and put them to the test — you could be in a strong position to restore business operations without paying up. But that doesn't mean the threat is over.
"One of the key things you need to understand is how did the attacker get in? — and what did they do? — because you might only be seeing the tip of the iceberg," says Boland. "But what else have they done? They might have left backdoors, they may have left additional malware in place, they may have stolen all of your credentials … having an understanding of all of the things that have happened is part of any response to a breach."
Ultimately, the best defense is a proactive approach to security. It's critical to act in anticipation of ever-growing attacks and adopt solutions that support complete cyber protection. A solid cyber resilience plan enables organizations to respond quickly and keep any business continuity interruptions to a minimum, while a cyber-insurance policy can help to offset costs associated with recovery, forensics, and legal defense.
For more insights and advice from today's industry leaders, discover more on-demand sessions from the 2021 Acronis #CyberFit Summit World Tour.
About the Author
Candid Wüest is the VP of Cyber Protection Research at Acronis, where he researches new threat trends and comprehensive protection methods. Previously, he worked for more than 16 years as the tech lead for Symantec's global security response team. Wüest is a frequent speaker at security-related conferences, including RSAC and AREA41, and is an adviser for the Swiss federal government on cyber-risks. He holds a master's in computer science from ETH Zurich and various certifications and patents.
You May Also Like