When data is held hostage, should you pay the ransom?
By Tim Zeilman
Vice President, Global Product Owner – Cyber HSB
Two companies decide not to pay ransomware demand but result in different outcomes
The cyber thieves who claimed responsibility for the attack demanded $70 million to restore customer information. In response, the software company's security and R&D teams developed a patch that enabled the company to decrypt the data and restore it to customers. The software company made no payment to the criminals.
A university medical center decided not to pay a ransom in 2020, but the hospital saw a very different outcome. After many staff members reported computer access problems, the hospital’s IT group searched for malware and found instructions for contacting the thieves who snatched a trove of patient-related data.
When the university decided not to pay the ransom, it took steps to prevent all outside access to email, internet, and other main aspects of its computer network.
The decision prevented the thieves from profiting, but it wreaked havoc in the hospital. For weeks, employees didn’t have access to patient care applications, electronic health records, payroll information, and patient appointment schedules. Elective procedures had to be rescheduled, a total of 5,000 hospital laptops and computers were encrypted, and the hospital had to furlough or reassign 300 employees who couldn’t do their jobs because of the attack.
Though the hospital didn’t pay the ransom, it paid in other ways, losing an estimated $50 million, primarily from reduced revenue. The IT staff worked 24/7 for three weeks to reinstate networks and restore thousands of computers affected by the theft.
There are no easy answers
Because there are no guarantees, it’s difficult to know whether to pay the ransom
What if this happened to your business? Should you pay the ransom?
There is no one-size-fits-all answer to the question — it must be considered on a case-by-case basis. The answer is usually determined by the victim's specific situation, and by the victim's own attitude toward paying as well.
The difficulty of this decision is exacerbated by the fact that there are no guarantees.
On the one hand, paying can be the direct way to recover data, get the business back on track, and limit losses. But restoring data can take weeks, decrypters provided by thieves might not work, and encrypted files might be damaged or unrecoverable.
There are ways that organizations can help prevent a ransomware attack, however, and professional support is available that can get them back to business as quickly as possible when their data is held hostage.
Some businesses may not recover
Confidential information is often the target, leaving employees and businesses stressed and exposed
Small manufacturing businesses living “on the knife’s edge,” with employees surviving paycheck to paycheck, can go out of business quickly from a ransomware attack.
Some victimized organizations - such as hospitals and physician practices - have a low tolerance for system downtime, because an inability to access data can lead to harm or even deaths of patients.
Industries targeted by ransomware in Q3 2020 (Coveware)
In addition to the business impact of ransomware, the emotional effects can’t be overstated. The stressful situation can leave workers feeling vulnerable and emotionally drained, especially if confidential information has been breached.
Because cybercriminals often exfiltrate data, it makes the situation even more difficult. According to Forbes, in 70% of attacks, the criminals gain access to confidential information — personal files, login passwords, and email addresses - and demand ransom payments from the company to keep them from releasing it.
Ransomware is a whole-company incident. Every department is impacted, and every department wants a say in its resolution. Panic is a frequent and unhelpful component, especially if the workforce has not been prepared on how to respond.
Making the decision
Why companies opt to pay or not to pay the ransom
When an organization finds itself infected by ransomware and has lost important data, executives should ask these questions: Is the data essential to the success of the business? How quickly do we need to restore it? Will our business fail if we don’t get it back?
Companies decide to pay the ransom for several reasons:
- Faster recovery time - If an organization faces a long, costly downtime while data is restored, paying the ransom can be the better, and less expensive, alternative.
- Potential damage to business - This can include revenue loss as well as damage to a company’s reputation and customer confidence.
- High recovery costs - If the long-term costs to recover from a ransomware attack are more than the ransom payment, it can make sense to pay.
- Protecting confidential data - Some attackers threaten to release customer and employee data they exfiltrated to exert pressure on companies to pay.
Paying the ransom might not have a positive outcome:
- Data might not be returned - If a company pays, there’s no guarantee that the cyber attackers will return the data, or that the decryption key will work.
- Potential legal issues - Depending on where the cyber thieves are located, paying ransomware attackers can be viewed as funding terrorism.
- It increases the number of payments - Ransomware groups often ask for a second payment: the first gets the victim company its decryption keys; the second ensures that confidential data isn’t released.
- It helps attackers thrive - Paying the ransom gives hacker groups additional funds to conduct future attacks.
The best defense is a good offense
These best practices can help keep companies safe from ransomware attacks
A variety of IT security best practices can increase the chances that a company doesn’t have to make this difficult decision. It’s important to employ a multi-layered approach that includes end-point monitoring, employee IT security awareness training, regular patching and updating of systems, and ensuring that data backups are current and viable.
It’s essential that companies develop a written IT security program and incident response plan. After preparing the plan, it’s important to study the guidelines and keep it in hard copy in case an attack prevents access to online resources.
Individuals in an organization can play an important role in preventing ransomware infections by being aware of phishing attacks, not accessing pirated content, and being cautious about applications designed for mobile devices.
These tactics can help keep organizations from being damaged by a ransomware attack:
- Back up data frequently - Use media that aren’t connected to the internet, such as tape backups and removable drives. Attackers can encrypt backups on a network or in the cloud. The safest, most effective plan is to have multiple backups isolated from the network.
- Use a secure email gateway - This appliance or software service protects from spam, viruses, malware, and denial of service. The gateway scans incoming, outbound, and internal emails, including attachments and URLs, for malicious or harmful content.
- Remote Desktop Protocol (RDP) - This tool is distributed with Microsoft operating systems to allow one device to remotely connect to another. Set firewalls to limit access to RDP ports and restrict users to those who need access.
- Configure cloud services to proper settings - If you can’t find information to secure cloud data on your cloud provider’s website, it’s well worth it to invest in advice from a cyber security consultant.
- Install patches and software updates - For software updates that can’t be set up automatically, establish a schedule for updating. If you don’t install patches or updates due to legacy system issues, consider doing so.
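An added check for the "current and viable" backup requirement above (example code written for this article, not HSB's or any product's own): it records a SHA-256 manifest when a backup set is taken and later flags a copy that is older than allowed, is missing files, or whose contents no longer match the manifest, which is what a backup that was itself encrypted over the network looks like. The manifest layout, function names and the sample file are assumptions made for the example.

```python
import hashlib
import json
import os
import tempfile
import time

def sha256_file(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def write_manifest(backup_dir):
    """Record when the backup was taken and a SHA-256 for every file in it."""
    files = {n: sha256_file(os.path.join(backup_dir, n))
             for n in os.listdir(backup_dir) if n != "manifest.json"}
    manifest = {"taken_at": time.time(), "files": files}
    with open(os.path.join(backup_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f)
    return manifest

def verify_backup(backup_dir, max_age_hours=24):
    """Return (ok, problems): current = younger than max_age_hours, viable = all files present and unchanged."""
    with open(os.path.join(backup_dir, "manifest.json")) as f:
        manifest = json.load(f)
    problems = []
    age_h = (time.time() - manifest["taken_at"]) / 3600
    if age_h > max_age_hours:
        problems.append(f"stale: backup is {age_h:.1f} h old")
    for name, digest in manifest["files"].items():
        path = os.path.join(backup_dir, name)
        if not os.path.exists(path):
            problems.append(f"missing: {name}")
        elif sha256_file(path) != digest:
            # a backup reachable from the network may itself have been encrypted
            problems.append(f"hash mismatch: {name}")
    return not problems, problems

def demo():
    """Constructed sample: back up one file, verify, overwrite it, verify again."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "patients.csv"), "w") as f:
        f.write("id,name\n1,example\n")
    write_manifest(d)
    ok_before, _ = verify_backup(d)
    stale_ok, _ = verify_backup(d, max_age_hours=-1)  # forces the age check to fail
    with open(os.path.join(d, "patients.csv"), "wb") as f:
        f.write(b"\x00\x00ENCRYPTED")  # what an in-place encryption leaves behind
    ok_after, problems = verify_backup(d)
    return ok_before, stale_ok, ok_after, problems
```

Run the verification from an isolated copy of the backup, since a manifest stored on the same network share can be encrypted along with the data.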
Cyber insurance provides protection
Besides covering costs, insurance offers access to professional consultants
Of course, even the best cyber security can’t guarantee that a business won’t experience a cyber attack. And many small business owners find themselves overwhelmed when their data is hijacked and held for ransom.
That’s why cyber insurance is another important tool to protect any commercial organization.
In addition to covering the unexpected costs and business interruption that can result from a ransomware attack, a broad cyber policy can provide access to professional consultants who take control of the situation.
The consultants investigate the ransomware strain, predict the potential of obtaining viable decryption keys, negotiate to reduce the amount of the ransom, and facilitate payment in cryptocurrency. They also conduct Office of Foreign Assets Control (OFAC) due diligence on the payee and report the payment to law enforcement authorities.
So, should you pay the ransom?
The decision is yours, but we’re here to help when you need us
HSB is scrupulous about not influencing our clients on this difficult decision — it’s their decision to make. Every business is different and must balance its own needs and best interests. Our approach is to arm them with as much information as possible so they can make a knowledgeable choice.