Ransomware: should your company pay?


Falling victim to a ransomware attack and being threatened with a ransom will never be an ideal situation. You will be forced to make a challenging judgment call, often under high pressure, and with limited time to decide. In situations like these, preparedness goes a long way.

About the author

Mark Harris is Senior Research Director at Gartner.

Despite the FBI and Department of Homeland Security warning companies to avoid paying ransoms, Colonial Pipeline paid hackers $4.4 million in ransom this year for a decryption tool that restored oil operations. This decision was extremely controversial, and the company’s CEO was later brought before US Congress to testify that the debilitating impact to the country’s fuel supply drove the decision.

This situation, like many others, prompts a point of reflection: how would your organization handle a ransomware attack? Should you, and would you, pay to retrieve your data or restore your systems?

Choosing whether to pay the ransom is challenging, and it is a decision that must be made carefully at the board level, not by security and risk leaders alone – understanding what happens if you pay is key to making that decision.

So, what happens if you pay?

Hypothetically, if a company responds to the ransom demand and pays, the attackers will provide a decryption tool and renounce their threats of publishing stolen data. Unfortunately, however, payment does not guarantee that all your data will be restored – attackers may simply take their money and run. Because of this, executives must thoroughly consider the realities of ransomware, including:

  • Typically, only 65% of the data is recovered, with only 8% of organizations managing to recover all their data.
  • Encrypted files are usually unrecoverable. Attacker-provided decrypters may crash or fail, causing files to be lost forever. In that scenario, your IT security team may need to build a new decryption tool by extracting the keys from the tool the attacker provides.
  • Recovering data can take many weeks, or months, especially if a significant amount of it has been encrypted.
  • There is no guarantee that the hackers will delete the data they’ve stolen. Instead, they may possibly sell or even reveal the information if it is valuable.

The realities of ransomware

For cybercriminals, ransomware is a sustainable and lucrative business model – and it puts every organization that uses technology at risk. In most cases, simply paying the ransom is easier and cheaper than recovering from backups. However, the flip side of that approach is that supporting the attackers’ business model will only lead to more ransomware.

Generally, law enforcement agencies advise companies not to pay, in order to discourage this kind of criminal activity. In many cases, paying a ransom to cybercriminals would be illegal, because it funds criminal activity.

Prior to engaging or negotiating with attackers, the best approach is to consult law enforcement, a professional incident response team, and regulatory bodies.

Prepare now

There is no way to prevent ransomware attacks from ever happening. Therefore, the best approach is to assume you will be a victim at some point and set up a viable framework and game plan to ensure a quick and effective response.

This would include going through simulation scenarios and exercises for what happens when an attack occurs, and how best to respond. An example of how helpful these practice scenarios can be was seen with several organizations, which found that it took far longer than expected to write a press release about an attack, emphasizing the necessity of having a pre-written statement prepared for these occasions.

It is also essential to reinforce backups and test restores for all essential business systems. If backups work, the cost of recovery will always be less than paying the ransom for an uncertain outcome.

Regrettably, most companies do not test restores until after they’ve been hit with a ransomware attack, at which point it is far too late.

Moreover, the better business executives understand and are aware of the risks, the better prepared they will be to make a well-founded decision and justify it in the face of scrutiny.

Approach ransomware as a business decision. If the problem is understood across the organization, and all employees are trained to deal with it, there will be less room for error if you get hit.
