When hit by ransomware, a company has two options to consider: pay the ransom demand and hope they get their data back, or don’t pay the ransom demand and hope to get their data back. I need to be very clear that neither option is guaranteed to fully recover compromised data. While criminals may provide ‘guarantees’ that, should you pay the ransom, you will get your data back, we have to remember criminals are by their very nature not the most honest or trustworthy people.
While I fully empathize with organizations hit by ransomware and I understand the lure of the ‘easier’ option of paying the ransom, I urge organizations not to take this route.
By paying the extortion demand an organization is, in effect, funding criminal activity. Any monies paid simply motivates the criminals to continue to develop the sophistication of their attacks and to seek other victims they can exploit. Criminals will continue to employ ransomware while it proves to generate revenue for them. If you cut off, or even disrupt, their income, criminals will move to other types of attacks. There is evidence that cyber-criminals are now targeting companies they know are more willing to pay ransom demands. These are companies who were already victims of previous attacks, or they are companies with cyber insurance cover.
There is also no guarantee that paying the extortion demand will result in the encrypted data being recovered. Criminals may simply take the ransom payment and not provide the decryption keys, or even if they do provide the decryption keys, the data when decrypted may not be in the same format and structure it was before the attack. According to Sophos’ The State of Ransomware Report, the cost to remediate a ransomware attack for those who pay the extortion fee is double that of those that do not pay.
Furthermore, paying the ransom does not mean the attack is over. Criminals have become more emboldened by victims paying their demands that they are now adding additional extortion demands. So on top of extorting money from victims to recover their data, criminals will demand payment to not release any stolen data they have onto the internet.
Those organizations who are known to have paid ransom demands are sending a clear signal to those attacking them, and indeed all other criminal gangs, that the organization is an ‘easy mark.’ In effect, paying a ransom could invite further attacks as cyber-criminals know the organization has a history of paying.
Law enforcement agencies, at national and international levels, state that companies should not pay any extortion demands. They see directly the damage criminals are doing and how the money they get is being used to target more and more entities and systems.
Finally, there is the regulatory environment that victim organizations need to pay attention to. Under the EU GDPR and the Data Protection Act, a ransomware attack can be classed as a data breach. When criminals have encrypted data within the organization, that organization no longer has control of that data and therefore has suffered a data breach. Depending on the type and amount of data impacted, the attack may need to be reported to the regulator. In addition, US and EU authorities have issued trading sanctions against individuals suspected to be behind ransomware attacks or sanctions against jurisdictions in which the criminals are located. So paying a ransom demand could cause more problems for an organization than it solves.
Ransomware is a major threat to organizations and the overall economy. It is clear it is a threat that, as an industry, we are failing to deal with. The most effective way to deal with the threat is not by tackling the symptoms of the problem but by dealing with the cause. Dealing with the cause requires us to disincentivize the criminals behind these attacks. That starts by not paying their ransom demands, thus stifling their financial motive. This may mean government issuing more regulations to make it difficult or even illegal for organizations to pay extortion demands, including preventing cyber insurance firms paying out on ransom demands. Ultimately, what is required is supporting law enforcement agencies with the tools, training, personnel and international legal frameworks to enable them to disrupt criminal operations by taking down their botnet infrastructure and by ultimately finding those behind the attacks and arresting them.
We cannot deal with the ransomware threat by paying our way out of it via extortion demands; we need more robust cybersecurity in place, effective backup strategies and the proper supports and funding given to those agencies tasked with making our online world a safer place.
For an opposing viewpoint, take a look at Adam Darrah's counterpoint to Brian's argument here.