Should Organizations Pay a Ransom Demand?

Written by Anthony M. Freed
Published on May 3, 2023

Should Organizations Pay a Ransomware Demand?

As technology has continued to advance, organizations are more dependent on assuring network uptime to support both critical and basic business functions. Mirroring this evolution, the tactics, techniques, and procedures of cybercriminals continue to advance as well.

In recent years, ransomware attacks have become increasingly prevalent, as have double extortion trends where sensitive data is first exfiltrated and then used as leverage to compel victim organizations to pay ever-increasing ransom demands.

Ransomware attacks are costly, both in dollars and to an organization’s brand, and in some cases can present an existential threat to businesses. This is why ransomware is no longer simply considered an IT security issue; it is the single greatest risk to any organization today.

In this article, we will explore why experts disagree on whether businesses should pay ransomware demands and why paying may not be the answer.

Understanding Ransomware Attacks

Before we dive into the debate on paying ransomware demands, let's first understand what ransomware attacks are. Ransomware is a type of malicious software that encrypts a victim's systems and data, rendering them inaccessible. Cybercriminals then demand a ransom in exchange for the decryption key that will unlock the victim's files.

Ransomware attacks can be devastating for businesses. The loss of important data can lead to significant financial losses, damage to reputation, and loss of customer trust. This is why it's essential for organizations to understand the specific risk that ransomware poses to their operation and to consider, before a ransomware attack impacts them, whether or not a ransom payment is in the best interests of all stakeholders.

Ransom Demands: To Pay or Not to Pay?

In recent years, the debate on whether to pay ransom demands or not has become a contentious issue among experts. The simple answer would seem to be that organizations should never pay a ransom demand, which would significantly diminish the financial incentives for these attacks. In most circumstances that would be the logical approach, but it may not be the right approach for every organization.

For example, it may be within the risk parameters for a retailer to refuse a ransom demand even though downtime is costing the organization revenue while recovery efforts are underway. But what about a hospital that urgently requires access to systems where any delays could pose a risk to human life? In these cases, the decision on whether to pay a ransom demand is more complicated.

This is why experts are divided on whether organizations should pay ransomware demands. Those who advocate for paying the ransom believe that it's the quickest and easiest way to regain access to valuable data and is the best way to reduce the overall impact of an attack. They argue that the cost of paying the ransom is often lower than the cost of restoring data from backups or the potential financial losses incurred from delayed recovery.

On the other hand, those who oppose paying the ransom argue that doing so only encourages cybercriminals to continue their attacks by reinforcing the financial incentives that drive ransomware attacks.  

They point to examples where paying the ransom did not guarantee that the victim's data was restored or cases where the data was corrupted during decryption. They also point out that most victims who paid a ransom demand were attacked again, often by the same threat actor who demands a higher ransom payment knowing the victim is likely to pay.

Why Paying May Not Be the Answer

While paying the ransom may seem like a quick fix, it may not be the best solution for businesses and individuals. Paying the ransom only supports the criminal activities of cybercriminals, leading to an increase in ransomware attacks.  

Additionally, paying the ransom does not guarantee that the victim's data will be restored. There have been instances where victims have paid the ransom, but the cybercriminals did not provide the decryption key or provided a faulty one, leaving the victim without their data and their money.

Also, even if the victim's data is restored, paying the ransom may result in further attacks. Cybercriminals may see the victim as an easy target and continue to target them with future attacks.

Finally, paying the ransom does not address the root cause of the problem, which is the vulnerability of the victim's systems to ransomware attacks. Instead of paying the ransom, victims should focus on implementing preventative measures to protect their data from future attacks.

Preventative Measures to Protect Against Ransomware Attacks

To protect against ransomware attacks, organizations should implement the following preventative measures to assure organizational resilience in the face of a ransomware attack, and reduce the likelihood that they are confronted with the choice of whether or not to pay a ransom demand:

  • Endpoint Protection (EPP): Deploy an anti-ransomware solution alongside existing Endpoint Protection Platforms (EPP/EDR/XDR) to bridge the gaps in ransomware-specific coverage
  • Patch Management: Keep all software and operating systems up to date and patched
  • Data Backups: Assure critical data is backed up offsite and protected from corruption in the case of a ransomware attack
  • Access Control: Implement network segmentation and policies of least privilege (Zero Trust)
  • Awareness: Implement an employee awareness program to educate against risky behaviors, phishing techniques, etc.
  • Procedure Testing: Plan and prepare for failure by running regular tabletop exercises and ensuring all stakeholders are ready and available to respond to an attack at all times
  • Resilience Testing: Regularly test solutions against simulated ransomware attacks to assure effective detection, prevention, response, and full recovery of targeted systems.


The debate on whether to pay ransomware demands or not is a contentious issue among experts, but each organization must take into consideration their own specific situation when making the decision.

While some advocate for paying the ransom, others argue that it only encourages cybercriminals to continue their attacks. Paying the ransom may also not guarantee the restoration of the victim's data and may lead to further attacks.  

Instead, victims should focus on implementing both preventative and organizational resilience measures to protect their data from future attacks and assure the organization is ready to respond effectively to a ransomware attack. By taking these measures, organizations can reduce the potential impact of a ransomware attack.

Halcyon is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware. Talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile Q2 2023 (PDF).
