Important Questions to Answer Before Paying a Ransomware Demand
The landscape of cyber threats is advancing quickly. What used to be an abstract idea and only a concern for “the other guys” is something modern businesses can no longer afford to overlook. Ransomware is a prevailing threat that is quickly taking the spotlight within organizations concerned about vulnerabilities in their existing security.
Even companies with cybersecurity practices that meet the modern definition of “best practices” have become victims of ransomware attacks. During the initial period after an attack, several important questions need to be addressed. In these frantic and confusing situations, however, bad decisions come from reacting without being informed.
Today, we want to address some questions an organization should already have answers for, because having those answers may help mitigate short- and long-term damage in the event a ransomware attack is successful.
Refusing to Pay - Best(ish) Practice?
Best practices in the cybersecurity community suggest never paying a ransom to cybercriminals, but many companies do attempt to recover data through this method. The simplest explanation is that they want access to their networks back as quickly as possible.
Ransomware attacks have crippled local government infrastructure, enterprise-grade maritime cargo facilities, hospitals and police stations just to name a few recent examples. When executives consider the costs of paying a ransom to regain access to their data, they are often weighing the potential costs associated with prolonged outages and damages to the reputation of the organization.
According to data reported in The New York Times, 205,280 organizations submitted claims about being hacked by a ransomware attack in 2019, an increase of 41 percent from 2018. The actual figures may be even higher, as some organizations elect not to notify the authorities about compromised systems. The same article reported that the average payment made to release the locked files climbed to $81,116 during the last quarter of 2019.
The decision matrix for a business is more complex than it might seem from the outside. Hackers may be experiencing a higher success rate extorting money from their victims through ransomware compared to other attacks, which incentivizes more frequent and complex approaches to the devious practice.
On Ethics and Legality of Ransom Payments
As stated above, the choice to give in to the demands of a hacker after a successful ransomware attack might not be as cut-and-dried as “best practices” might dictate. So in the event that a business opts to pay, it faces some ethical dilemmas.
One fact that may be surprising is that it’s not illegal to pay a ransomware demand, which seems contradictory to some because the forced encryption of another party’s data and the subsequent demand for payment are crimes under the UAE Cyber Crimes Law.
So if it’s not illegal to pay a hacker to regain access to your data, is it ethical?
That’s not really our place to say today, but one argument worth considering is that paying a ransomware demand can be seen as an expense dedicated to restoring a vital piece of the puzzle required for a business to continue operations. If the cost of the ransom outweighs the full scope of problems associated with losing this data entirely, decision-makers may see this as a necessary (but scummy) cost of doing business.
On the same note, there are cybersecurity strategies worth considering that may give an organization a “security parachute” in the event of a successful ransomware attack.
Putting The Pieces Back Together After Ransomware
Based on the data available, 2019 was a year that netted ransomware hackers around $170 billion. After a company has come to terms with the ethical arguments and decides to comply with the demands of the hackers, there’s certainly no guarantee that unscrupulous individuals will keep up their end of the bargain and actually provide a means to decrypt an organization’s files.
Choosing not to pay the ransomware demand means the data remains encrypted or possibly will be deleted. But there are several solutions worth considering before closing shop and admitting defeat.
There’s a possibility that a decryptor already exists which can be leveraged against a network that is being held hostage. Ransomware has a tendency to be poorly written and deployed, which may instill some hope for an internal IT team dealing with the aftermath of a ransomware attack.
A system that has been properly backed up, with redundant backup processes running, faces a much lower risk of total data loss after a successful ransomware attack.
A company that has sufficient data backup and a disaster recovery plan that’s been thoroughly tested doesn’t have the same concerns as a company that puts the puzzle together as they go. There are several ways to prevent ransomware attacks that may help an organization.
Here are a few preventative measures worth sharing:
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
- Patch operating systems, software and firmware on devices. Consider using a centralized patch management system.
- Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.
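The first measure above, filtering executable files before they reach end users, is easy to get wrong if the filter trusts the filename alone. The following added example (not part of the original article) inspects a constructed email message and flags attachments both by blocked or double extensions and by the real leading bytes of the file; the extension list and magic-byte set are assumed policy values, not from the article.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed policy list of extensions that deliver code directly to a user.
BLOCKED_EXTENSIONS = {"exe", "dll", "scr", "bat", "cmd", "ps1", "js", "vbs", "hta", "msi", "jar"}
# Leading bytes of common executable formats: PE ("MZ"), ELF, and 64-bit Mach-O.
EXECUTABLE_MAGIC = (b"MZ", b"\x7fELF", b"\xcf\xfa\xed\xfe")


def attachment_findings(msg):
    """Return (filename, reason) for each attachment that should be blocked.

    The declared filename is checked for any blocked extension component, so a
    double extension such as report.pdf.exe is caught, and the decoded payload
    is checked for executable magic bytes, because a filename can be faked."""
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        components = name.lower().split(".")[1:]
        bad_ext = [c for c in components if c in BLOCKED_EXTENSIONS]
        payload = part.get_payload(decode=True) or b""
        if payload.startswith(EXECUTABLE_MAGIC):
            findings.append((name, "executable magic bytes"))
        elif bad_ext:
            findings.append((name, "blocked extension " + bad_ext[-1]))
    return findings


def build_sample_message():
    """Constructed sample: a benign text file, a PE file renamed to .pdf,
    and a harmless payload hiding behind a double extension."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment("plain notes", filename="notes.txt")
    pe_header = b"MZ\x90\x00" + b"\x00" * 60  # constructed PE-style header
    msg.add_attachment(pe_header, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"not really an exe", maintype="application",
                       subtype="octet-stream", filename="report.pdf.exe")
    return msg


def scan_raw(raw_bytes):
    """Parse a raw RFC 5322 message, as a mail gateway would, and scan it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    return attachment_findings(msg)
```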
Who is at Risk?
As noted earlier in the article, there’s no such thing as the “other guy” in this modern threat landscape. The ease with which hackers can design and launch ransomware attacks means that an organization without the proper resources in-house to defend against them should look for outside assistance. High-profile industries like finance and healthcare are at higher risk of ransomware and certainly carry more risk when it comes to the aftermath of a successful attack.
Would you be surprised to learn that, according to data shared by PhoenixNAP, about half of the ransomware incidents reported in 2018 involved healthcare companies? Cybercriminals will always target lucrative victims, and they have learned that healthcare providers are more likely to pay the ransom if healthcare professionals are locked out of critical IT systems.
Don’t hesitate to leverage the strength and expertise of third-party companies that specialize in cybersecurity to help address the potential vulnerabilities in your organization.