Ransomware: To pay or not to pay, that is the question

State of the ransomware attack. The good, the bad and the ugly…

In some ways, the devastating ransomware attacks of the last two years have empowered security officers to obtain the budgets they need to upgrade their organizations’ cybersecurity preparedness and establish more robust security programs to cover people, technology, and procedures. The brazen nation-state backed attacks on major companies and critical infrastructure brought cybersecurity issues to primetime news, and increased awareness as well as the desire to act amongst company boards, CEOs, and major branches of government.

At the same time, the last year and a half has made things more challenging for cybersecurity officers and easier/more productive for cyber offenders. The workplace has changed due to COVID-19. Since February 2020, many organizations around the world have altered the way they operate, encouraging their employees to work from home on a part time or full-time basis, thus expanding the cyber-attack surface exponentially, and adding numerous cybersecurity shortcomings.

Ransomware is all about gaining access to company systems, encrypting, or stealing data, oftentimes threatening to sell it unless a ransom is paid. The problem is that even if the ransom is paid, cyber criminals may or may not provide the code key to release the files. Perhaps that’s why approximately 80% of victims ultimately choose not to pay the ransom. Beyond that, 80% of businesses choosing to pay, experience a subsequent ransomware attack, 46% believing it to be caused by the same attackers.

Additionally, attackers are accessing company networks and remaining there for months, undetected. Oftentimes, these attacks are accomplished not just by encrypting files, but by threatening to ruin a company’s reputation by letting everyone know they have full control of their systems.

Given the fact that none of us can really “trust” cyber criminals to return our files once we pay the ransom, the question arises – should we pay the ransom or not? And if not, what else can we do? Our answer is NEITHER. We’ll get back to that in just a moment.

Rise of the ransomware specialist

There is tremendous collaboration among cyber criminals today in realizing ransomware success and it isn’t necessary to be an expert on every level of the cyber kill chain. Attackers have specialties, and some sell their sophisticated tooling in shopping carts on the darknet. ransomware as-a-service if you will. That service is then purchased by someone who is good at gaining access into organizations and makes the tooling encryption ready. In turn, they might choose to share that information with a monetization expert, to maximize profits. Pretty soon, perhaps a hacking group is formed. And so, the level of specialization and sophistication of attacks has increased. Attackers collaborate, they know what to look for, how to find it and how to move laterally around the organization. In many attacks in the last few years, it is suspected that these groups are working from nation-states that are fully aware of the activities and do nothing to stop them, effectively supporting them.

To learn more about how to defend your organization from ransomware, click here.

The Awakening

In recent months we have seen an awakening of sorts both in the private and public sectors in the US. President Biden signed an executive order requiring federal institutions to upgrade their cybersecurity programs and highly encouraging enterprises to take the necessary steps to protect their assets.

Then the US Department of Justice announced that it would be treating ransomware attacks with the same priority level as it handles terrorism cases.

Congress, among other initiatives related to cybersecurity, is working on the need for companies providing critical services to have cybersecurity protections in place to improve the security posture of government, critical infrastructure, and organizations in the private sector.

Additionally, efforts have been made to disrupt ransom payloads. In April of this year, the Institute for Security + Technology (IST) released a report from its Ransomware Task Force encouraging voluntary information sharing on ransomware attacks, launching public awareness campaigns on ransomware threats, exerting pressure on countries that operate as safe havens for ransomware operators (such as Russia, China, etc.) and incentivizing the adoption of security best practices through tax breaks.

Still, these initiatives will take time. And right now, everyone is vulnerable to a nation-state grade cyber-attack. None of us can afford to be complacent.

Let’s get back to the question of paying ransom. Or not.

Let’s call this animal by its name. If your systems have been hacked, the question is no longer relevant because no matter what you do, damage control is in order. Our recommendation to all companies is to start acting right now as if you have already been attacked or are about to be attacked because chances are high that this is indeed the case.

In our next blog post we will share our recommendations on what to do right now to build a ransomware strategy for resilience. If you follow them, you will see that if you take correct proactive actions now, even if you have been attacked, outcomes need not be catastrophic to the business, and oftentimes, it is possible to mitigate the outcomes of ransomware dramatically, regardless of ransom demands.

Mitigating ransomware attack outcomes doesn’t mean an organization won’t be hacked. It means less business downtimes, more productivity, and having choices in regards to how attacks are handled so that regardless of paying ransom, the company can recover and even thrive.

Learn more about building a ransomware strategy with RansomCARE here.

Questions? Ask us anything here.