When organizations downplay security by claiming they’ll “just pay the ransom to make it go away”, they’re assuming that cyber insurance will take care of it. The problem with this approach is that ransomware attacks rarely begin and end with the ransomware. It’s not like one day you get a virus and then the next day someone is in your environment. These attacks typically unfold over weeks, months, and even years.
The Standard Attack Vector
Often there is an initial attack vector that a cybercrime group uses to get into your environment and deploy malware to maintain persistent access. Then they start digging deeper and wider to get access to privileged accounts so they can access your critical systems. Once they’ve penetrated your systems, they’ll mine your environment for data (like payment information and social security numbers) that they can re-sell.
After they’ve stolen anything that can be sold, they’ll sometimes put your environment up for auction to other adversaries, who then use that same access to see if they can extract even more value from you by taking away your systems’ availability.
That is the point at which ransomware is deployed. Typically, once the organization contacts its cyber insurance company, negotiations with the adversary begin. This is also when the organization should decide internally whether or not to pay the ransom.
Should you pay? It depends. It’s a business decision. If you have adequate backups, and you can restore and recover your environment, then you probably don’t need to pay the ransom unless the ransomware group is threatening to leak your data. But organizations that kept their backup server online, and can no longer access it because the adversaries encrypted it too, may have to pay the ransom to get back up and running.
Note: paying the ransom will not immediately stop the attack and restore your systems. You will still have to remove the initial attack vectors and infections in your systems and ensure there aren’t any other backdoors into your environment.
Understand Your Adversaries
When most people think of the bad actors who are perpetrating these incidents and attacks, they imagine them in a dark room with a hoodie on, targeting innocent companies in the middle of the night. This caricature misses the sobering reality that these adversaries are cybercrime groups that often operate like traditional businesses with staff, roles, hierarchy, leadership, and management. Some even have 24/7 call centers that you call to negotiate ransom payments. They’re illicit; they’re underground; they’re criminal; but they’re run like businesses.
Often the group initially compromising an environment (through phishing, vulnerability, etc.) is in the business of reselling that access to other cybercrime groups. They’re a broker of access. In some cases, they may be extracting direct value by stealing financial information and data. Or they may just resell access to the environment. When you think about it like a business, it helps you understand how to answer that key question, “Should we pay the ransom?”
Paying the ransom may give you access to your data again – presuming that you have lost that access. But even if you pay the ransom, and the adversary does the “honorable” thing and lets you decrypt your data, that has nothing to do with the first group who originally gained access to your environment. That ransom payment does not remove persistent access, backdoors, or malware infections. The payment to one group does not resolve changes to your configurations. Paying the ransom resets your systems to the state they were at just before the encryption – a state that is known to be compromised.
The Initial Cyber Attackers Have ZERO Incentive to Not Re-Sell Access to Your Environment
If you pay the ransom, you might have a false sense of security that you don’t have to clean your data and patch your systems. You may think you won’t get hit again. But if you do pay the ransom and you decrypt your data, all you’re doing is resetting the environment back to the exact position it was in at the point at which the ransomware was deployed and your data was encrypted.
Think about it: why would the group that sold access to your environment remove their entry into your system? They’re still in your environment; they’re behind your firewall; the initial infection is still in place; and they can still make money on you by reselling access to someone else (after all, now they know you’ll pay). The challenging work of cleaning up your environment needs to be done whether you pay the ransom or not.
FAQ: How do cyber insurance companies handle paying the ransom?
A: In the past, insurance companies were willing and able to pay ransoms (and frequently did so). But cyber security insurers are increasingly declining to pay ransoms, and there’s also significant governmental pressure not to pay them. It’s getting more and more difficult to pay a ransom. Cyber insurance will help you pay for the investigation and for restoring your impacted environment. But paying the ransom is only applicable in a quarter of actual incidents. Cyber insurance is important to help you defray some of those costs, but you’re never going to be able to completely remediate every single risk in your environment. There are some risks you will have to mitigate down to a manageable level. Will your insurance company be willing to pay a ransom? It depends on your insurance policy, your situation, and your laws and regulations.
Ransomware Only Accounts for ~25% of all Malware-Related Incidents
Ransomware is not the biggest threat out there – nor is it responsible for most incidents – but it’s typically very public and can have rippling effects. There are far more malware incidents stemming from phishing compromises and other incidents. From data theft to cryptomining, there are many diverse types of attacks, and ransom payments have no bearing on the vast majority of them.
Security is a Business Risk
Paying a ransom will often cost the same as or more than recovering without paying it, but there are cases where paying the ransom is the only way to regain access to the data. Just understand that paying the ransom is not all that’s required to recover from a ransomware attack. Once the ransom is paid, you must still go through the recovery, restoration, or rebuilding process. Organizations must budget for security. It’s a business risk that must be managed just like any other.