Is it wise to pay a ransomware ransom? What happens when companies pay a ransom to recover data?

Ransomware ransom

What happens when a ransomware attack comes with a ransom demand? Should the company pay or not? When a company is hit by ransomware that compromises its operations or threatens to disclose sensitive data, it may seem better to pay the ransom and end the nightmare into which it has been plunged. Is it wise to pay a ransom? What happens when companies pay a ransom to recover data?

Ransomware attacks are getting more powerful every day. Cybersecurity experts claim that cybercriminals are good at finding holes in corporate computer systems.

Typically, a ransomware attack blocks the victim's access to their data and demands a ransom payment.

Experts disagree on the best course of action to take when it comes to deciding whether or not to pay a ransom. The FBI and Homeland Security advise against paying the ransom as it encourages further criminal behavior.

After payment, what happens?

In theory, after paying the ransom, the victim should receive decryption keys and a promise not to use or publish any data stolen from the attacked computer system. Payment, however, does not guarantee that you will be able to restore the situation to what it was before the attack.

Before deciding to pay, business leaders should keep in mind the statistics for these cases, which show that in reality only 65% of data is recovered and only 8% of companies manage to recover all their data:

  • Encrypted files often cannot be recovered. Decryption tools provided by the attacker may malfunction or crash;
  • Data recovery can take several weeks, especially if it has been heavily encrypted;
  • There is no guarantee that the stolen data will not still be resold in the future or leaked to the Dark Web;
  • Unfortunately, paying the ransom does not guarantee that systems will be repaired or data will be recovered. You cannot believe all the promises made by the extortionists: they are not interested in the difficulties that the company will have to overcome to return to normality;
  • Statistics say that companies that have paid the ransom are more likely to suffer a second attack, as the criminals know that the IT system has weaknesses and that the management is willing to pay.

While some experts believe that companies should never pay ransomware claims, others argue that each situation is unique. These cyberattacks can endanger the very survival of the enterprise, so executives must be left to make their choice.

There is no simple or one-size-fits-all solution

Paying the ransom also carries a technological risk. According to a study by Cybereason, 80% of ransomware victims who paid the demanded ransom were subsequently subjected to another ransomware attack.

Most companies that pay a ransom do so because, following a ransomware attack, claims for damages could exceed the amount extortionists demand. For example, the loss of customer data could lead to lawsuits by customers for invasion of privacy on the one hand and a drop in billings on the other.

Or a company may prefer to pay the ransom because operations are compromised, as happens for example in hospitals, where the suspension of activities is measured in human lives.

Ransomware organizations know this too, and they have a predilection for attacks on public services such as healthcare and transportation, the failure of which can throw a nation into chaos.

However, ransomware groups have been known to return to target well-known companies that have already paid the first time because they believe it is an easier financial gain. It is a fact that victims who pay are targeted repeatedly.

Therefore, companies must objectively evaluate their ability to resume operations and refine their IT systems and defense policies so as not to be as vulnerable as the first time, working on the near certainty that a second ransomware attack will occur.

Contact a ransomware broker

One way to better manage the ransom payment is to get the assistance of a ransomware broker. These new professionals are often part of Incident Response (IR) service companies or lend their services to insurance companies that insure cybersecurity risks.

This decision and the associated choice of mediator must be made before the ransomware attack. Organizations should inquire about the availability of negotiation services and any associated fees before signing the cyber insurance contract or entering into an IR consulting contract.

In the event of a ransomware attack with a ransom demand, the company's management can then immediately call on the services of the mediator, so as not to approach the situation blindly.

Often the mediators have had previous experience with the same criminals, and each of them follows several cases at the same time. From direct experience they know how to set up the negotiation, what can be conceded to criminals, what they are "sincere" about and what one should not believe at all. Thanks to that experience, the brokers also know whether they are dealing with criminals who have collected the ransom money on other occasions without returning the data, in which case they will advise against paying. Or they are aware that with the appropriate negotiating tactics it is possible to obtain a significant "discount" on the amount of the ransom.

Another preventive choice to make before suffering a ransomware attack is to keep a certain amount of Bitcoin in a cryptocurrency wallet to be able to pay the ransom if necessary. This is the most common form of ransom payment.

Often a broker can make payment arrangements on behalf of the client. However, if the ransom demand is eight digits or higher, the victim must know where and how they can get such an amount of Bitcoin in a timely manner. Ransomware criminals are unwilling to wait long.

Therefore, to avoid last-minute confusion, this procedure should be established in advance of the ransomware assault and documented in the IR plan. Sometimes the broker can help you find Bitcoin availability.

In some cases ransomware attackers ask for payment in Monero, a cryptocurrency that is more difficult to trace. This complicates matters even more, as it is quite difficult to source large amounts of Monero in the short term.

What to do after payment

After recovering from a ransomware attack, the organization should take appropriate precautions to prepare for a second attack by creating and modifying response and recovery scenarios for various types of attacks.

When recovering from a cyberattack, you need to act quickly, and your best chance of success is having a well-planned and structured response. But according to recent research, only 54% of businesses with more than 500 employees have a comprehensive recovery plan in place. According to Cybnet statistics, 77% of companies do not have a cybersecurity attack response strategy in place. This is a worrying trend.

It may be time for any business that has something to lose to stop hesitating and consider the value of creating a plan for recovery after a cyber attack.