Your Business was Hit by Ransomware. Should You Pay to Get Your Data Back?
 

The shutdown of an energy pipeline. Open warnings from the White House to businesses. All point to ransomware — one of the biggest cyberthreats companies face today.

In fact, ransomware is a national threat, so much so that U.S. government officials, such as Energy Secretary Jennifer Granholm, have suggested legislation be passed that bans companies from paying a ransom.[1] Such laws are critical to discouraging cyberattackers from continuing to attack infrastructure targets, ranging from municipal governments to hospitals, they argue.

But when faced with a possible shutdown, the majority of businesses report feeling compelled to pay the ransom to retrieve their data, according to Mimecast’s State of Email Security 2021 (SOES) report. Companies concerned about their employees, shareholders and customers said getting back online is of paramount importance.

So the question of the moment is: Should your business pay a ransom — or not?

Earlier this month, the SANS Institute, which provides cybersecurity education and training, hosted a virtual debate among cybersecurity experts who assist companies dealing with ransomware incidents.[2] They discussed both sides of the “to pay or not to pay” argument, offering practical advice and recommendations for businesses and IT departments straight from the ransomware frontlines.

5 Top Reasons Companies Pay Ransomware

While the majority of companies decide to pay their ransoms, per the SOES report, the cybersecurity experts didn’t support doing so. That said, they understand the inclination, and discussed five issues and reasons that lead many companies to succumb.

1. To get the business back up and running ASAP: The biggest fear among companies is being shut down indefinitely while working to recover from a ransomware attack, which could be more damaging to the business. This is why many companies, anxious to get back online, pay the ransom.
2. To protect customers’ data: Ransomware increasingly involves double extortion, said event moderator Rob Lee, chief curriculum director at the SANS Institute. Attackers threaten not only to freeze a target’s systems, but also to expose customer data.
3. To save money: Most companies perform a cost-benefit analysis — and, in many cases, determine it’s more cost effective to pay the ransom, said Ryan Chapman, principal incident response consultant for the BlackBerry security services team.
4. To protect employees: When companies have to shut down work shifts because of ransomware, “that resonates with people who are living paycheck to paycheck,” noted Jake Williams, who has brokered million-dollar ransomware payments and is the founder of Rendition InfoSec.
5. To figure out what was stolen: Many companies don’t have a complete inventory of all the data they collect, which makes threats of exposure potentially more serious. So the only way to protect and retrieve such information is to pay.

5 Top Reasons Never to Pay Ransomware

Some organizations and governments have strict policies against paying a ransom. The SANS debate participants highlighted five top reasons to support that notion:

1. Data might not be retrieved: The Mimecast SOES report notes that while 52% of attacked businesses paid ransom, one-third of those who paid never saw their data again. In some cases, the criminals simply take the cryptocurrency and run, while in other cases the attackers’ software is flawed and unable to unlock the victim’s data. In fact, “I’ve never seen an organization get back all of its data,” said James Shank, who is a member of the Institute for Security and Technology’s (and White House-supported) Ransomware Task Force.
2. Business will be suspended, even if the ransom is paid: For companies that pay, getting back to business may still be delayed due to ransom negotiations or the time required to restart their networks. According to the Mimecast SOES report, companies that suffered a ransomware attack said they were down an average of six days; 37% said they were down for a week or more.
3. Paying ransom encourages additional attacks: There is consensus in the cybersecurity community on at least this point: “Every single ransom that’s paid emboldens other actors to play the game,” Shank said.
4. Attackers still have the data: Even after a company pays a ransom, cybercriminals still have copies of its data — and there is no guarantee they won’t release it in the future. Ultimately, this means a loss of integrity and confidentiality.
5. Ransom payments will fund other criminal activity: The cybersecurity experts pointed out that ransom funds are used to conduct other crimes, including human trafficking. “When you pay the ransomware, you have no idea how many lives are going to be affected by this,” Chapman said.

How Much Are Companies Paying for Ransomware?

Estimates for the total cost of ransomware are difficult to assess, although Lee from SANS said ransomware caused $70 billion in damages in 2020. Nevertheless, the most recent high-profile ransomware case reveals a trend: In May, Colonial Pipeline paid cybercriminals $4.4 million in bitcoin in response to an attack.[3] In addition, the average ransomware attack in 2020 was $312,493 versus just $151,123 in 2019, according to a recent report examining trends in ransomware.[4] That’s a 171% increase.

How to Prevent Ransomware?

Phishing attacks via email are companies’ No. 1 threat, according to the Mimecast SOES report, so ensuring best security practices with email and regularly communicating those practices to employees are critical.

Backing up data is also an absolutely necessary step for any firm hoping to recover from a ransomware attack. Some attackers will lurk in a company’s network for some time before launching a ransomware program, so companies should keep multiple full backups.

Finally, companies should create and maintain a detailed inventory of their digital assets, Chapman said. When companies don’t know what they have, it’s difficult to make an informed decision about whether or not to pay, he added.

The Bottom Line

The reality is this: Many companies are going to face ransomware at some point in the future. “The threat of severe ransomware attacks pose a clear and present danger to your organization, to your company, to your customer, to your shareholders and to your long-term success,” said Lisa Monaco, U.S. deputy attorney general, during a recent press conference.[5]

Indeed, ransomware and whether to pay ransom present an extremely difficult problem for companies. “Which is the least worst decision you’re about to make,” says SANS’ Lee, “and how do you inflict the least amount of damage?” While cybersecurity experts don’t all agree on the answer, they do all concur on one point: Get prepared, said Shank, “and the time to start is now."

[1] “Energy secretary backs ban on ransomware payments: ’You are encouraging the bad actors’,” NBC News

[2] “Ransomware - Do You Pay It Or Not?,” SANS Institute 

[3] “Colonial Pipeline CEO tells Senate decision to pay hackers was made quickly,” CNET

[4] 2021 Unit 42 Ransomware Threat Report, Palo Alto Networks

[5] “DAG Monaco Delivers Remarks at Press Conference on Darkside Attack on Colonial Pipeline,” Justice Department