Weighing up Ransomware’s Biggest Conundrum: To Pay or not to Pay?
Jordan M. Schroeder
Managing CISO
In the last year, ransomware has wreaked havoc on organisations. From the widely publicised MOVEit vulnerability to the attacks on Royal Mail and Capita, ransomware has impacted thousands of businesses, causing unimaginable destruction and financial losses.
Given this spate of attacks, when building out cyber defensive programs, business leaders want reassurance that their assets are fully protected. But, unfortunately, this is impossible.
100% protection against ransomware is unachievable, and whether they like it or not, many business leaders will find themselves on the receiving end of an attack soon.
This means security plans must not only focus on defences but also on answering the critical question of how an organisation will respond to ransomware and at what stage they will decide to pay.
So, what are the key considerations that must be made to reach an answer?
Paying the demand – key considerations
Paying funds for cybercrime activity
Paying a demand only funds the industry and fuels more attacks. Furthermore, when an organisation pays, the payment can become public, which damages customer confidence.
If you pay once, you’ll most likely get hit again
When an organisation pays a ransom demand, word of it circulates among cybercrime gangs, which makes it likely the business will be hit again.
Sometimes you just have to weigh it all up
Sometimes, when a business is hit with ransomware, it has no realistic chance of recovering its data or getting back online quickly. If this is the case, the organisation needs to know its downtime costs as the attack unfolds. When building out security programs, organisations must therefore understand the cost of downtime per hour and the wider losses they would endure in a ransomware attack – these could relate to reputation, contractual obligations, share price and employee productivity. If the ransom demand is much less than these losses, paying the ransom can appear to be the most financially responsible option in the short term.
It’s unlikely all your data will be returned
Modern ransomware attacks don’t rely on one type of extortion. Not only do they lock up data and systems, some also steal information and demand payment in return for not selling it on to other parties. This is particularly effective when the attackers steal sensitive customer data. However, paying a ransom demand means doing business with criminals, so if an attacker is ruthless enough to hold an organisation’s data hostage, should the organisation trust that attacker to return it in full? Few organisations ever get all their data back, and recovery can still take months. So, paying should never be viewed as the most efficient way to get back online quickly.
Not paying the demand – key considerations
It is ethically correct not to pay
Not paying a ransom demand is the ethically correct decision. In some countries, it’s even illegal. But that doesn’t always make it the best financial decision for the business.
You are unlikely to recover all data on your own
While paying a demand may not be the recommended action, the data losses posed by attacks can be catastrophic. Complete data recovery can take months and often means rebuilding from scratch by pulling in data from different sources. Most organisations run regular backups, but there is usually a window of data that was not backed up before the attack, and depending on the size and focus of the business, the data lost in that window can range from manageable to irreparable.
If you don’t operate a sophisticated security program, it could result in insolvency
In the most severe cases, ransomware can dissolve a business. If it chooses to ignore the demand, the resulting losses can be irreparable and put the company completely out of operation.
The solution
Based on the above, it’s fair to say that organisations are in a powerless position when faced with ransomware. They are entirely at the mercy of cybercriminals.
With this in mind, the best course of action comes down to a three-pronged strategy: protection, defences and resilience.
This means educating employees about ransomware; running a regular patch management process, complemented by proactive threat assessments; running a regular backup system whose restores are tested just as regularly; and implementing segmentation across networks to stop attackers from pivoting even if they do gain network access.
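The “regularly tested” part of the backup advice is where most programs fall short: an archive that was never restored is an assumption, not a backup. The following script is an added example, not code from the article or its author, showing one way to automate a restore test. It assumes a POSIX shell with tar, sha256sum, cmp and mktemp available, and it builds its own small constructed data set so it can run offline; in practice the source directory, archive path and checksum manifest would be the organisation’s own.

```shell
#!/bin/sh
# Added example: automated backup restore test (not from the original article).
# Every path and file below is a constructed stand-in for production data.
set -eu

# Build a small constructed data set that stands in for production files.
make_sample_data() {
  dir=$1
  mkdir -p "$dir/records"
  printf 'customer,balance\nalice,100\nbob,250\n' > "$dir/records/accounts.csv"
  printf 'config=v1\n' > "$dir/settings.ini"
}

# Write a manifest of SHA-256 checksums for every file under a directory.
# Paths are sorted so two manifests of identical trees compare byte-for-byte.
write_manifest() {
  dir=$1; out=$2
  (cd "$dir" && find . -type f | sort | xargs sha256sum) > "$out"
}

# Take a backup: record the manifest of the live data, then archive it.
# The manifest is the reference the restore test checks against later.
take_backup() {
  src=$1; archive=$2
  write_manifest "$src" "$archive.manifest"
  tar -czf "$archive" -C "$src" .
}

# Restore test: extract the archive into a scratch directory, recompute the
# checksums of what came out, and compare with the manifest taken at backup
# time. Returns 0 when the restored tree matches, 1 when the archive cannot
# be extracted or its contents differ (corruption, truncation, tampering).
verify_restore() {
  archive=$1
  scratch=$(mktemp -d)
  if ! tar -xzf "$archive" -C "$scratch" 2>/dev/null; then
    rm -rf "$scratch"
    return 1
  fi
  write_manifest "$scratch" "$scratch.manifest"
  if cmp -s "$archive.manifest" "$scratch.manifest"; then
    rc=0
  else
    rc=1
  fi
  rm -rf "$scratch" "$scratch.manifest"
  return $rc
}

# Demonstration: a good backup passes, an unreadable archive is caught.
demo() {
  work=$(mktemp -d)
  make_sample_data "$work/src"
  take_backup "$work/src" "$work/backup.tgz"
  if verify_restore "$work/backup.tgz"; then
    echo "restore test passed: $work/backup.tgz"
  fi
  # Constructed failure case: an archive that is not a valid tarball at all.
  printf 'not an archive' > "$work/bad.tgz"
  cp "$work/backup.tgz.manifest" "$work/bad.tgz.manifest"
  if ! verify_restore "$work/bad.tgz"; then
    echo "unusable backup detected: $work/bad.tgz"
  fi
  rm -rf "$work"
}

demo
```

Run it on a schedule against the most recent archive and alert on a non-zero exit; a restore test that is only run by hand during an incident is the one that gets skipped. Keeping the manifest on separate, write-protected storage also gives a reference that ransomware on the backup host cannot quietly rewrite.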
On top of this, when organisations build their security programs, they must plan how best to respond to attacks so as to minimise disruption. This should allow them to understand the scale of an incident quickly, run forensics and work out the best response efficiently.
The overall focus must be resilience and flexibility. This means organisations make it harder for attackers to breach their systems but also allows them to respond to attacks faster, so they know exactly what action to take without wasting time weighing up ransomware’s biggest conundrum: “to pay or not to pay”.