Ransomware: To Pay or Not to Pay?

The face of disaster is changing. Cyber-attacks, such as ransomware, are becoming an increasingly prevalent threat to small and medium-sized businesses. Kris Schulze and James R. Slaby explain why protecting your data is more critical than ever before and question when it’s right to pay a ransom…

Cyber-criminals and nation-states are continuously developing and expanding upon their attack methodologies, targeting organizations with double-extortion ransomware attacks, COVID-themed phishing attacks and opportunistic attacks enabled by the mass move to remote working. 

Unfortunately, traditional disaster recovery (DR) plans likely won’t cut it. Getting your data back after a successful ransomware attack requires a highly customized disaster recovery strategy, plan, and capabilities – which is why cyber-attack recovery is a more complex use case.

An adaptive risk management strategy that incorporates the data into a functional and agile approach is the key to better protecting your business.

Take Preventive Measures

Preventing cyber-attacks with a proactive approach is a company’s best course of action to avoid the possibility of becoming a victim in the first place. Prevention requires three main areas of focus:

Kris Schulze is a Content Marketing Specialist and Disaster Recovery Advocate at Acronis.
Kris Schulze is a Content Marketing Specialist and Disaster Recovery Advocate at Acronis.

Knowledge – Educating your end-users through cybersecurity training and testing breeds caution. When they know and understand the risks to their actions, you minimize the risk to your business.

Technology – Cyber-criminals are institutionalizing, using advanced technologies and strategies to gain access to your data. Use cybersecurity best practices and cutting-edge technologies to defend your end-points.

Recovery – Nothing disarms a bad actor better than the ability to rapidly restore clean copies of your backed-up data, systems, and applications.

Expect the Unexpected

You probably haven’t needed to plan for a situation like ransomware before. While you should make sure your critical data is properly protected, you must also take measures to recover it when it is corrupted or encrypted. It’s never a question of ‘if’ it will happen to you; it is a matter of ‘when’.

Your two-year-old disaster recovery plans are no longer sufficient to address new obstacles. You need to look for issues you haven’t previously thought about or solved before. Ransomware will test the boundaries of typical disaster recovery scenarios.

To prepare for a ransomware attack, be prepared for the unexpected by:

  • Educating users. Phishing is still the number one attack vector. Less clicks on suspicious links or attachments yield big returns.
  • Diversifying and protecting backups. Backup files and processes are common targets and, when compromised, can significantly impede recovery efforts.
  • Identifying proper RPOs and RTOs. Calculate how much it costs you to lose an hour, half a day, a day, or a week of data for your top-tier applications. You cannot weigh the cost of paying versus not paying a ransom otherwise.
  • Applying that same calculus to DR planning. Get an economic understanding of the ROI of switching over to failover resources and resuming operations from a specific recovery point - and the value of a swift recovery time.
  • Adding ransomware attack scenarios to your DR exercises. Conduct tabletop exercises (TTX) and live drills, including non-IT teams like compliance, legal, public relations, investor relations, and human resources.
  • Determining the threshold. Include a cost/benefit analysis exercise in your TTXs and drills to identify the tipping point where paying the ransom may be less costly than attempting recovery.
  • Establishing a contingency plan. Find out where and how to source cryptocurrency if you need to pay a ransom.
  • Deploying technology. AI-enabled anti-ransomware measures can stop attacks before they take root.
James R. Slaby serves as Director, Cyber Protection at Acronis, where he focuses on the conjunction of IT security and data protection
James R. Slaby serves as Director, Cyber Protection at Acronis, where he focuses on the conjunction of IT security and data protection

Ransom or Recovery?

Paying a cyber-criminal’s ransom may be perceived as the only immediate option for your business, but it is no way to guarantee that you’ll regain access to encrypted data. It is essential to make a ransomware payment decision carefully and to consider all of the associated risks.

It is far better to contain the ransomware and execute your restore-from-backup or disaster recovery failover plans to resume operations as quickly as possible. You may still have to pay a ransom for other reasons (see below), but minimize the impact of the attack on business operations first.

If threatened with other pressure tactics to pay – exfiltration of sensitive business data stolen before the encryption attack (double extortion), for example,  or a denial-of-service attack (DDoS) that could bring down web-facing systems – consider the economic damage of those scenarios against the ransom demand. It may still make sense to pay to keep sensitive data private to avoid regulatory sanctions or lawsuits.

And finally, conduct detailed forensic analysis to determine what went wrong so any vulnerabilities can be remediated. Ransomware victims are recognized as having poor defenses and are often targeted again.


This article was co-authored by Kris Schulze and James R Slaby. 

Kris Schulze is a Content Marketing Specialist and Disaster Recovery Advocate at Acronis. A writer and marketing professional, she has published pieces on a wide variety of topics in B2B technology, including data privacy, disaster recovery, and ransomware. LinkedIn Twitter

James R. Slaby serves as Director, Cyber Protection at Acronis, where he focuses on the conjunction of IT security and data protection. Prior to Acronis, Slaby was an industry analyst covering IT security, cloud computing, and networking at Forrester Research, HfS Research, Yankee Group, and The Info Pro. With over 300 published IT research reports, he has been quoted in The Economist, Wall Street Journal, New York Times, and countless tech publications. Slaby has also held campaign, solutions, vertical and product marketing roles at a variety of tech vendors, including Sonus, Acme Packet, Bay Networks and Motorola.


Brought to You by

What’s Hot on Infosecurity Magazine?