Contemplating payment after a ransomware attack is a precarious decision at best. It’s a problematic situation with few options. In a previous article we outlined the reasons why you may want to pay a ransom to decrypt your data. However, while paying the ransom is a tempting option that can certainly bail you out of a hideous predicament, it’s a quick fix that may have lasting consequences. Here are some of the main reasons not to pay a ransom.
You Will Likely Be Attacked Again
The old saying “there is little honor among thieves” holds true within the ransomware community. Paying the ransom doesn’t guarantee you’ll receive a working decryption key, and many firms report being asked to pay additional ransoms after the initial payment.
Perhaps the worst consequence of giving in to those thieves is that you’ll likely be attacked again. The adage that when you incentivize something you get more of it certainly applies to ransomware. Once the word gets out that your firm is receptive to paying ransoms, expect a line of threat actors to come knocking. According to a 2021 report, 4 out of 5 organizations that paid a ransom were attacked again. Nearly half of those were attacked by the same threat actors.
You May Not Get All Your Data Back
According to Kaspersky, only about a quarter of ransomware victims get all their data back. So you’re paying to get all your data returned, but in most cases, you’re not getting what you pay for. The Kaspersky data is sobering, including this nugget for those who paid up: “Half (50%) lost at least some files, 32% lost a significant amount, and 18% lost a small number of files. Meanwhile, 13% who did experience such an incident lost almost all their data.”
In the end, it’s worth asking if you should pay any ransom at all, given that it’s only a 50-50 proposition that you’ll get all your data back.
Paying the Ransom Still Requires Work
Paying the ransom gets you a decryption key, and that’s about it. You then have the laborious task of decrypting and restoring the encrypted data without a manual or how-to video. Unfortunately, restoring your data is only the first of many required steps.
- You must ensure that your network environment is clean by examining all your systems for the presence of malware and malicious code that the attackers deposited prior to and during the attack.
- You must find out how the attack was launched, so you can secure the exposed avenue of attack and any other exploitable vulnerabilities the attackers used. This may require bringing in an outside cybersecurity team with the experience and knowledge to get this done quickly.
- You need to confirm whether user accounts, group memberships, and account privileges were modified, and if so, return them to their proper configuration.
- You must confirm whether any data was exfiltrated during the attack. If that data includes personal or sensitive information of employees, customers, or third parties, you’ll be obligated to contact those whose information was compromised and fulfill any compliance obligations your organization falls under.
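The third item above, checking whether accounts, group memberships and privileges were altered, is the most mechanical of these steps and the easiest to get wrong by eye. The script below is an added example, not code from the original article: it diffs a trusted pre-incident snapshot against the current state and turns each deviation into a finding and a remediation action. The snapshot format (account name mapped to groups, privileges and enabled flag), the account names, and the lists of high-risk groups and privileges are all constructed for illustration; in practice you would populate both snapshots from your directory or local account database export.

```python
"""Post-incident account audit: diff a trusted baseline of accounts, group
memberships and privileges against the current state.

Everything here is constructed for illustration. The snapshot format
(account name -> {"groups", "privileges", "enabled"}) is an assumption, not
a format any particular OS or directory tool emits.
"""
from dataclasses import dataclass

# Constructed: groups/privileges whose appearance warrants immediate attention.
HIGH_RISK_GROUPS = {"domain-admins", "backup-operators"}
HIGH_RISK_PRIVILEGES = {"take-ownership"}

# Constructed pre-incident snapshot (e.g. from a known-good directory export).
BASELINE = {
    "alice": {"groups": {"staff"}, "privileges": {"login"}, "enabled": True},
    "bob": {"groups": {"staff"}, "privileges": {"login"}, "enabled": True},
    "svc-backup": {"groups": {"backup-operators"}, "privileges": {"login", "backup"}, "enabled": True},
    "carol": {"groups": {"staff"}, "privileges": {"login"}, "enabled": False},
}

# Constructed post-incident snapshot with several deliberate deviations:
# bob elevated, a dormant account re-enabled, a new admin account, an extra privilege.
CURRENT = {
    "alice": {"groups": {"staff"}, "privileges": {"login"}, "enabled": True},
    "bob": {"groups": {"staff", "domain-admins"}, "privileges": {"login"}, "enabled": True},
    "svc-backup": {"groups": {"backup-operators"}, "privileges": {"login", "backup", "debug"}, "enabled": True},
    "carol": {"groups": {"staff"}, "privileges": {"login"}, "enabled": True},
    "support": {"groups": {"domain-admins"}, "privileges": {"login"}, "enabled": True},
}


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str      # new_account, removed_account, group_added, group_removed,
                   # privilege_added, privilege_removed, enabled_changed
    detail: str
    severity: str  # "high" or "review"


def _severity(groups, privileges):
    """High severity when a high-risk group or privilege is involved."""
    if groups & HIGH_RISK_GROUPS or privileges & HIGH_RISK_PRIVILEGES:
        return "high"
    return "review"


def diff_accounts(baseline, current):
    """Return every deviation of `current` from `baseline`, sorted by account name."""
    findings = []
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            acct = current[name]
            findings.append(Finding(name, "new_account", f"groups={sorted(acct['groups'])}",
                                    _severity(acct["groups"], acct["privileges"])))
            continue
        if name not in current:
            findings.append(Finding(name, "removed_account", "present in baseline only", "review"))
            continue
        b, c = baseline[name], current[name]
        for g in sorted(c["groups"] - b["groups"]):
            findings.append(Finding(name, "group_added", g, _severity({g}, set())))
        for g in sorted(b["groups"] - c["groups"]):
            findings.append(Finding(name, "group_removed", g, "review"))
        for p in sorted(c["privileges"] - b["privileges"]):
            findings.append(Finding(name, "privilege_added", p, _severity(set(), {p})))
        for p in sorted(b["privileges"] - c["privileges"]):
            findings.append(Finding(name, "privilege_removed", p, "review"))
        if b["enabled"] != c["enabled"]:
            state = "enabled" if c["enabled"] else "disabled"
            # A disabled account coming back to life is a classic persistence sign.
            findings.append(Finding(name, "enabled_changed", f"account was {state}",
                                    "high" if c["enabled"] else "review"))
    return findings


def remediation_plan(findings):
    """Map each finding to the action that returns the account to its baseline state."""
    actions = []
    for f in findings:
        if f.kind == "new_account":
            actions.append(f"disable and investigate new account {f.account}")
        elif f.kind == "removed_account":
            actions.append(f"confirm removal of {f.account} was authorized; restore if not")
        elif f.kind == "group_added":
            actions.append(f"remove {f.account} from group {f.detail}")
        elif f.kind == "group_removed":
            actions.append(f"re-add {f.account} to group {f.detail} if still required")
        elif f.kind == "privilege_added":
            actions.append(f"revoke privilege {f.detail} from {f.account}")
        elif f.kind == "privilege_removed":
            actions.append(f"restore privilege {f.detail} to {f.account} if still required")
        elif f.kind == "enabled_changed":
            if f.detail.endswith("was enabled"):
                actions.append(f"disable {f.account} and review how it was re-enabled")
            else:
                actions.append(f"re-enable {f.account} if still required")
    return actions


if __name__ == "__main__":
    for f in diff_accounts(BASELINE, CURRENT):
        print(f"[{f.severity:6}] {f.account}: {f.kind} ({f.detail})")
    for action in remediation_plan(diff_accounts(BASELINE, CURRENT)):
        print("->", action)
```

The value of the baseline is that it predates the intrusion; a snapshot taken after the attack only tells you what the attacker left behind, not what they changed. Keep a periodic export of accounts and memberships somewhere the attacker could not reach, for example alongside offline backups, so that this comparison is possible when you need it.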
The need to secure your IT estate as quickly as possible cannot be overstated. According to the U.K.’s National Cyber Security Centre, an unnamed organization paid more than $6 million to recover their data after a ransomware attack. In one respect they were lucky, in that they were able to recover all their data. Unfortunately, they put no effort into identifying the root cause of the attack. You can guess what came next: weeks later, the same cybercriminals launched a second attack using exactly the same mechanisms as the first. The organization once again signed over a large sum of money to get their data back.
Avoiding the Question
In the end, paying the ransom may get you operational again and save you from the ordeal of restoring your data from backups, but it doesn’t relieve you of the burden of performing your due diligence.
Recovering from a ransomware attack is an exhausting process, regardless of whether you pay the ransom or not. It’s a classic example of how an ounce of prevention is worth a pound of cure. Securing your network, as well as your backup systems, against ransomware in the first place is the best way to avoid ever having to ask whether to pay a ransom.