CEO and founder Crisis Team
Columnist

Ransomware attacks: Should you pay?

Ransomware attacks are becoming more common, more sophisticated and more aggressive. Prevention and detection should be your main focus, but what do you do if this fails?

28th Sep 2020

When hit by ransomware, paying the ransom should always be the last resort – ransomware will continue to flourish for as long as it remains lucrative for the gangs because victims are willing to pay up. 

Unfortunately, those that do pay are normalising ransomware attacks, which risks turning them into just another business expense. You can even buy insurance that will cover them (in Europe, but not in America). 

However, such normalisation needs to be avoided at all costs. Once these attacks are seen as just another business cost, people will start to take cybersecurity less seriously and it might become harder to justify spending money to protect against ransomware. 

The cybercriminals will then have won and this will simply attract more crooks into ransomware, with attacks becoming ever more widespread and sophisticated. Paying the ransom makes everyone less safe.

What does the law say?

The UK government has not outlawed the payment of such ransoms but is clearly against any payment. As the NCSC explains, law enforcement does not encourage, endorse, nor condone the payment of ransom demands. If you do pay the ransom:

  • There is no guarantee that you will get access to your data or computer
  • Your computer will still be infected
  • You will be paying criminal groups
  • You're more likely to be targeted in the future

The FBI is equally clear in its guidance:

“The FBI does not advocate paying a ransom, in part because it does not guarantee an organization will regain access to its data. In some cases, victims who paid a ransom were never provided with decryption keys. In addition, due to flaws in the encryption algorithms of certain malware variants, victims may not be able to recover some or all of their data even with a valid decryption key.

Paying ransoms emboldens criminals to target other organizations and provides an alluring and lucrative enterprise to other criminals. However, the FBI understands that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers.”

Cybercrime vs cyberterrorism

Organisations also need to be alert to the designation of malware gangs as cyberterrorists. In the REvil attack on a New York law firm, after liaising with the FBI, a spokesperson for the firm described the hackers as terrorists. The description not only significantly increased the risks for the hackers if they were caught, but also made any ransom payment impossible, leading to an impasse. 

“We have been informed by the experts and the FBI that negotiating with or paying the ransom to terrorists is a violation of federal criminal law,” the spokesperson said. “Even when enormous ransoms have been paid, the criminals often leak the documents anyway.”

It is still unclear when cybercrime becomes cyberterrorism as neither term is defined in law, but there are already laws in the UK and elsewhere against money laundering and against the funding of organised crime or terrorism. 

Given that you do not know the identity of the gang demanding a ransom or whether the funds that they are demanding will end up funding organised crime gangs or terrorists, you risk finding yourself in breach of these laws if you decide to pay up.

What if there are no other options?

Preparation provides you with other options. It is only the unprepared that run out of them. 

Best practices for protection and recovery from ransomware state you must:

  • Have an effective information security program
  • Protect data with technology best practices
  • Employ effective backup strategies
  • Educate employees to secure the endpoint

If you failed to follow best practice, then you may well not have backups that you can recover from and you may end up facing a difficult and potentially very expensive decision.

It is worth assessing the value of the data held at ransom. Some data sets are less critical and therefore recovery is not essential. You need to balance the risk to your business of losing this data (or of having it leaked or auctioned off to other criminals) against the risk and cost of paying the ransom.

And if you pay up?

If you do consider paying, the next step is negotiation – and it is worth getting specialist support for this. You need to bear in mind that those you are negotiating with are unprincipled criminals. 

Hackers are ‘without conscience’ and have recently demanded ransom from dozens of hospitals and labs working on coronavirus – even causing the death of one patient in Germany. They cannot be relied upon to hand over encryption keys following payment, and there is no guarantee that any keys will work, that data can be recovered, that it won’t be leaked or sold anyway or that they will not strike again. 

Not only will you be placing yourself on a ‘suckers list’ of organisations that can be hacked and are willing to pay, but some hackers leave back doors behind to give themselves that opportunity to return with ease.

You have been warned.

Replies (3)


By Justin Bryant
28th Sep 2020 11:37

Here's an idea. Why not ban Bitcoin & other non-traceable crypto payments, as 80% or more is to do with criminal activity generally and banning them will massively reduce this and similar problems.

Thanks (1)
By SXGuy
28th Sep 2020 12:28

Paying is NEVER the last resort. You have no guarantee that a payment will remove any block or encryption of your files and you are relying on the criminal actually doing what they promise.

Turn the PC off, locate a specialist who can decipher the encryption and restore the files.

Most of the time ransomware doesn't actually encrypt anything, it just blocks you from accessing data.

Thanks (1)
By djn
02nd Oct 2020 13:43

I always thought that if we ever were caught out we would never pay.
In February an email came in with a virus which encrypted our files. We took the backup from a few days before and restored the data. This took probably a week as the virus had affected quite a lot of other things. We refused to pay the ransom – in fact it wasn't even a consideration.
Come April this year and we were hit with a ransomware virus.
The virus targeted remote desktop access weaknesses and encrypted every single file on our servers!
We spoke to our IT guys who dealt with our backups etc. They hadn't correctly fixed the backups since February and so we were in big trouble.
We spoke to data recovery experts who said 95% of the companies pay to get their data back and they always get it back. The hackers don't want to be known to not give it back or nobody will ever pay the ransom.
We had little choice but to pay the ransom in bitcoin!!
They gave us the key and we did get our data unencrypted.
We immediately moved to a hosted solution with hourly backups so if this ever happens again the most we could lose is 1 hour and we should be back up and running in an hour too.
I should add that we had firewalls and virus protection software. So, from a painful experience, please don't think it will never happen to you. I think it's probably just a matter of time.

Thanks (0)