Ransomware – Is Paying a Viable Option?

Ransomware attacks on businesses are on a steep global rise. Estimates put the total cost of this ever-present cyber threat in the $20 billion range by 2021 – nearly a 60x increase over the last 5 years (Morgan, 2019). In Q3 of 2020 the US has seen over 145 million ransomware hits, an increase of roughly 139% from the previous year (Das, 2020). These numbers show the increased prevalence of the issue and the constant threat that it poses to businesses across all industries.

The risk of ransomware attacks is here to stay. And knowing how to approach the situation if it happens to your business is critical to recovering access to stolen data and safeguard against future breaches. Still, the question remains as to whether paying up when ransomware incidents occur is a viable option or staying steadfast and working toward recovery is a better solution.

Quick Background on Ransomware

For anyone unaware of this threat, ransomware appears in the shape of malware that blocks access to sensitive data and systems through intended encryption of that data. To remove the encryption, a cybercriminal places a ransom on the compromised data and will not allow access by the affected party until a payment is made. Releasing the data, or deleting it altogether, if the ransom is not paid is a principal aspect to this threat.

These criminals can gain access to an individual computer or a shared system through email phishing schemes, security holes, or any other cyber sleuthing tactic that can easily slip under the radar and allow the perpetrator to install ransomware. It’s a digital take on a crime that has existed for ages.

Should Ransomware Payments be Made?

There are several important points that come into play when considering the proper course of action during a ransomware incident. Government and law enforcement agencies have recommended against paying these cyber ransoms for years. The main reasons for this being that payment doesn’t guarantee the release or safety of compromised data, any payments made can be used by criminal organizations to pursue continued illicit activities, and victims who pay are often targeted repeatedly.

A closer look at each of those reasons against paying ransomware threat actors is worth exploring as they all pose additional risks to a business’s data security and welfare moving forward.

Making a payment to a cybercriminal during a ransomware attack does not guarantee that the encrypted data will actually be released back to the business experiencing the threat. There are plenty of instances where a ransom is made, and more money is demanded to rid the ransomware. Even if the attacker does provide an encryption key upon payment, there is no way to tell if the data has been copied by the extortionist. Any instance of ransomware is a data and security breach and should be approached as such. Since this breach exists from the outset of the incident, paying only supports and emboldens cybercriminals.

Another reason not to pay ransomware is the fact that any of these payments can help further additional criminal activity. In fact, the Office of Foreign Asset Control (OFAC) recently released an advisory that states that any business paying a cyber ransom may violate OFAC regulations, resulting in harsh civil penalties in the shape of fines and other liabilities to a company that does pay. Not to mention ransomware payments often support nefarious crime syndicates that no business would ever want to support or justify.

Ransomware payments also increase the potential for future targeting of data breaches and other cybersecurity issues. Once a cybercriminal gains access to data through ransomware, they have infiltrated the security of a business or organization and they can use this to their benefit, regardless of whether a payment is made or not. You may think that a threat is dealt with once ransomware encryption is lifted by making a payment, only to have another data breach occur shortly thereafter or at some point down the road. Any payments made to the extortionist can be seen as a bullseye and only encourages the same criminal to attempt another attack on the same company or for others who are made aware of a willing ransom target to do the same.

Is Payment of the Ransom Demand Ever an Option?

The Federal Government and the FBI recommends against making any ransomware payments, as do many other experts and law enforcement agencies. In the digital world of today, paying a de-encryption ransom is not encouraged and can actually be illegal. Some companies do indeed fulfill the demands of cybercriminals, but this can be considered a crime (see OFAC advisory) as it supports criminal activities of many kinds.

Downtime and productivity loss are threats to any businesses inflicted with a ransomware incident. On paper, the push to make a payment is driven by the reality of needing to get back to business quickly to avoid the lost capital and profits that occur when ransomware forces things to go offline. This downtime can easily cost more than the ransom, but again payment is not recommended and can result in legal consequences.

The desire to make a ransomware payment can be strong, as it may seem like a quick and easy way to remedy the situation. The reality is that things are never quite that simple, and a business needs to consider thoroughly the consequences and risks of making such a payment. There are legal liabilities and regulations in play when data breaches involve personal information of any customer, as well.

Preparing for a Ransomware Incident

The best way to prepare and take action for a ransomware incident is not after the cyberthreat occurs, but beforehand. Critical in this preparation is regularly backing up all data so that things can be restored in the event of a ransomware breach without having to paying a ransom. This backup should be thorough and occur regularly so that a company can quickly access the needed data and avoid potential downtime.

Data breach defenses can help to thwart these attacks before they happen by implementing safeguards and educating everyone involved in your business about potential threats and how to avoid them. Having policies in place and qualified experts and attorneys available is also key to navigating issues with ransomware – before, during, and after the incident.

Being well prepared and informed prior to any cyberthreat is essential. The risks of ransomware and other potential sources of data breach are growing in both frequency and severity. Chances are, your business is going to experience a ransomware attack, if it hasn’t already happened. A defense system against these threats is crucial to keeping the security of your business and customers intact, and it is a fundamental component to navigating through data breaches when they do occur.

LibertyID is the leader in identity theft restoration, having restored the identities of tens of thousands of individuals without fail. If you retain personal information on your customers, now is the time to get data breach planning and a response program in place with our LibertyID for Small Business data breach preparation program. With LibertyID Enterprise you can now add value to existing products, services, or relationships by covering your customers, employees, or members with LibertyID’s fully managed identity theft restoration service – at a fraction of our retail price – with no enrollment and no file sharing. We have no direct communication with your group members – until they need us.

Call us now for a now obligation proposal at 844-44-LIBERTY (844) 445-4237

References:

  1. Morgan, S. (2019, Oct 21) Global Ransomware Damages Costs Predicted to Reach $20 Billion (USD) by 2021. Cybercrime Magazine.
  2. Das, S. (2020, Nov 16) 40% Increase in Ransomware Attacks in Q3 2020. Security Boulevard.