To Pay or Not To Pay? That Is the (Ransomware) QuestionBusinesses around the globe continue to fall victim to ransomware. For some, choosing to pay the ransom is actually a cost savings.
From Albany, New York, to Atlanta, Georgia, to Del Rio, Texas, cities across the US have been hit with ransomware attacks. But attackers aren't only targeting cities. Businesses around the globe continue to fall victim to ransomware, with notable recent attacks hitting Norsk Hydro and AriZona Beverages.
A popular method of attack due to its ease of deployment and profitability, ransomware has become more targeted, and the impact on victims can be much more disastrous. New strands of ransomware and different mitigation tools are changing the way organizations are impacted by an attack.
Though industry experts have long advised not to pay, some companies have had to choose between bankruptcy and paying the ransom. Others, however, are able to wipe everything and rebuild from backups. This all begs the question: What are companies actually doing when they suffer a ransomware attack?
Why Some Quietly Pay
For good or ill, many organizations are quietly paying the ransom when they have been infected, according to Chris Duvall, senior director at The Chertoff Group, which provides security and risk management advisory services. For some organizations, choosing to pay the ransom is actually a cost savings.
The ransomware attack that hit the City of Atlanta on March 22, 2018, affected nearly 4,000 of the city’s computers, networks, and workstations, resulting in an estimated $17 million in damages, according to the Atlanta Journal Constitution. "If we look at Atlanta and how much it has cost to replace systems and applications, we see there is a financial incentive to sweep an attack under the rug and move on," Duvall says.
Deciding to pay the ransom isn't always a financial decision, though. From a business perspective, companies that have had important data encrypted in an attack will sometimes choose to pay the ransom just to get back up and running.
"Where the data is very important to the day-to-day job and business as usual, starting the next day without the data available could mean no business," says Justin Harvey, managing director and global lead for the incident response practice at Accenture Security.
A different company could live a day or two without access to its data, as was the case with the City of Albany, which suffered a ransomware attack on March 30, 2019. Though city officials worked for days responding to the attack, most services remained available throughout the investigation.
If an organization has lost all of its systems, however, there is greater incentive to pay the ransom. But paying the ransom doesn't mean a company gets its data back. There is still a degree of risk. Attackers may give you the encrypted keys, but Duvall says that level of scrambling can impact files so that even when decrypted, integrity issues could corrupt the database.
What should happen in an emergency is ideally outlined in an incident response plan, which involves everyone from senior leaders to legal and communications, all the way down to the technical staff.
However, what often happens is that an incident response plan is developed, a compliance box is checked, and everyone returns to business as usual. Until a ransomware attack hits. "When 300 servers have been locked up is not the best time to dust off the incident response plan," Duvall says.
It's not uncommon for organizations to be ill-prepared for a cyber disaster because no one has really properly rehearsed for a crippling targeted destructive attack. As a result, when faced with an attack, network administrators respond by quickly deciding what to turn on and off or what to block. The response is sometimes so immediate that senior leadership isn't involved, leaving the network admins hoping they made the right decisions.
"We have only had one client pay the ransom from all the cases we do," Harvey says. "This client chose to pay the ransom after being hit very hard on an enterprise level. They couldn't even figure out what tapes to request from their backup company because the destruction was so prevalent even the metadata on a file had been encrypted and destroyed."
Is Backing Up Enough?
Theoretically, an organization that is well-prepared could survive a ransomware attack without having to pay the ransom. But what actually happens down in the trenches doesn't always play out according to plan.
For organizations that have a more mature security model, ransomware is just a nuisance because they are able to wipe everything and recover from backups. "If you do backups right, a simple attack shouldn't hurt too much," says Ofri Ziv, Guardicore Labs' head of research. The problem is that attackers are becoming savvy.
"Cybercriminals render attacks in two phases," Ziv says. "First, they get hold of as many machines as they can, and they try to get access to backups as well. Then they execute the attack after getting everything, which can leave the victim with no option other than to pay."
Companies that have good backup procedures might be able to recover without paying. "The problem is that companies invest in backups but never test it,” according to Ziv. "We do see investments in backups, but it's not in the place we expect it to be in order to cope with such an attack."
Trusting that they have taken all the right steps to defend against threats does not mean that companies are no longer at risk, says Sam McLane, chief technology services officer at Arctic Wolf. "Most organizations are doing the bare minimum that is considered acceptable security hygiene. The companies that are below that bar are the ones that are paying."
Organizations that have built layered defenses are better positioned to recover more quickly from an attack. According to McLane, the stronger the defenses, the harder it is for an attacker to be successful, and companies that are well-versed in incident response are better positioned to quickly recover from a disaster.
(Image: Adobe Stock)
Kacy Zurkus is a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus is a regular contributor to Security Boulevard and IBM's Security Intelligence. She has also contributed to several publications, ... View Full Bio