To pay or not to pay ransom settlements

Payment does not guarantee that files will be recovered. It may also embolden adversaries to target other organizations, encourage other criminal actors to distribute ransomware, and fund further illicit activity; in some circumstances the payment itself may be illegal.

Ransomware is one of the top threats facing organizations and individuals today. According to a recent survey, 85% of organizations are more worried about a ransomware attack than about any other cyber threat. Anyone can unwittingly set off a ransomware attack simply by clicking a link or opening a malicious file. When critical data has been locked up, the urge to pay the ransom, or negotiate a settlement, to get it back is understandable, but it is a decision that should be made very carefully.

It is like a bully stealing a child's bookbag and demanding lunch money to give it back. Cybercriminals do the same thing to organizations: after deploying ransomware they hold sensitive data hostage by encrypting it. Unfortunately, in many cases they do more than demand a ransom, since they have also taken a copy of the data before encrypting it and can threaten to publish it.

The stakes are higher for an organization that is attacked. Its survival may depend on obtaining the decryption key from the criminals to get its data back. But the dilemmas facing both sets of victims are surprisingly similar.

Should You Pay Ransomware Attackers?

In either case, paying comes with the fear that you will not get your bookbag, or the decryption key, back afterwards. It is hard to put any faith in the goodwill of bullies or cybercriminals. Instead of returning the contents you want kept private, they could simply dump the "bookbag", sensitive data included, on the internet for anyone to access and use.

Or they could hand your data to another criminal to do with as they please. In that case, paying does not solve your problem and leaves you considerably poorer: your organization has no "bookbag" and no "lunch money". Worst of all, you now have a reputation as an easy mark, a "payer" who can be bullied again and again.

The Problems Paying Ransom Creates

An organization does not want a reputation as a payer in the cybercriminal underworld, because that is the equivalent of painting a target on its back.

We appreciate that some organizations may feel they have no option but to pay. Our recommendation is not to pay unless the alternative is the certain failure of the business, and to take that decision only with legal counsel and a clear understanding of the risk. Beyond making you a repeat target, paying the ransom emboldens the attackers and funds their future attacks on you and others.

Is Paying Ransom Illegal?

Victims who feel compelled to pay often ask whether doing so is illegal. In most jurisdictions there is no law that makes paying a ransom, in itself, a crime. There is an important caveat: if the payment goes to a sanctioned individual or group, it can violate sanctions law (the US Treasury's OFAC has published advisories warning of exactly this), and a victim often cannot reliably tell who is behind the attack. Involve legal counsel before any payment. Beyond the legal question, those of us in the cybersecurity industry strongly discourage paying cyber ransoms or giving in to extortion demands.

Can Law Enforcement Help?

The goals of law enforcement and of your organization may not fully align: investigators may prioritize gathering evidence and building a case, while you prioritize getting back to business. Even so, law enforcement can be a great asset. Their involvement should be written into your incident response plan, which your executive leadership, IT and InfoSec staff, and legal team should have worked out in advance; it is not a substitute for having one.

Looking for help only after an attack is the definition of "reactive". You never want to reach the point where paying the ransom is your only option, and the best way to avoid that is a good defense.

How to Prevent Ransomware Attacks

The best way for organizations and individuals to protect themselves from ransomware is to build these actions into their cybersecurity defense posture:

  • Take cybersecurity training seriously and encourage employees to do so as well
  • Avoid clicking on suspicious links and practice good cyber awareness
  • Download software only from trusted sources
  • Scan email attachments and links for malware before they reach users
  • Patch internet-facing systems promptly and require multi-factor authentication for remote access
  • Employ firewalls and endpoint security products that are integrated with actionable threat intelligence
  • Back up important data, keep at least one copy offline or immutable so an attacker cannot encrypt it too, and test restores regularly
  • Use a VPN when on public Wi-Fi
  • Have an incident response plan in place, and rehearse it

What to do if you are the victim of a ransomware attack

Organizations can limit ransomware's impact by acting quickly. First, isolate the infected systems. This prevents lateral spread, where the ransomware moves from one device to others over network connections and shared drives.

To isolate a machine, cut it off from the network: unplug the cable, disable Wi-Fi, or have the switch port or endpoint agent quarantine it. Power it off only if you cannot cut its network access any other way, because shutting down discards the contents of memory that incident responders may need to work out what happened. This is where network segmentation put in place beforehand pays off: it contains the spread and makes isolation much faster and more effective.

Next, identify which ransomware family, and which other malware, you are dealing with. It is rarely just the ransomware: encryption is usually the final stage of a longer intrusion that began with a phishing link, a malicious download, or a foothold established by earlier malware. The ransom note, the extension added to encrypted files, and endpoint logs will usually identify the family. Knowing it helps the incident response team craft a remediation plan, and for some families a free decryptor already exists.

Data recovery

To recover data, your organization needs a backup and recovery program in place before an attack. If backups are taken several times a day, a ransomware attack may cost you only a few hours of data, although restoring systems will take longer than that.

Whether you use cloud services or on-premises hardware to hold the copies does not matter. What matters is that the backups are isolated from the production network, so the attacker cannot encrypt or delete them along with everything else, that you can reach them from an unaffected device, and that you have tested restoring from them.
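As an added example (not code from the article or from Fortinet), the following Python script shows the kind of check a practitioner runs against a backup set from a clean device before trusting it for recovery. It assumes a manifest of SHA-256 hashes was recorded when the backup was taken; the entropy threshold, the file names, the sample data and the stand-in cipher used to simulate the ransomware are all constructed for the demonstration.

```python
"""Verify a backup set is intact and has not itself been encrypted (added example).
Checks: each file's SHA-256 must match a manifest recorded when the backup was
taken, and near-random content (entropy close to 8 bits/byte) is flagged, which
catches encrypted files even when no manifest exists."""
import hashlib
import math
import os
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5  # bits/byte, assumed threshold; documents are usually well below 6
SKIP_EXT = {".zip", ".gz", ".7z", ".png", ".jpg", ".mp4"}  # legitimately near-random

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def shannon_entropy(data):
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniform random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def build_manifest(root):
    """Map each file's '/'-separated relative path to its SHA-256."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = sha256_of(full)
    return manifest

def verify_backup(root, manifest):
    """Compare the backup root against its manifest; return a report of sorted lists."""
    report = {"missing": [], "modified": [], "unexpected": [], "high_entropy": []}
    current = build_manifest(root)
    for rel, digest in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel] != digest:
            report["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            report["unexpected"].append(rel)  # e.g. ransom notes or renamed files
        if os.path.splitext(rel)[1].lower() in SKIP_EXT:
            continue
        with open(os.path.join(root, rel), "rb") as f:
            sample = f.read(1 << 20)  # the first MiB is enough to judge randomness
        if shannon_entropy(sample) > HIGH_ENTROPY:
            report["high_entropy"].append(rel)
    return {k: sorted(v) for k, v in report.items()}

def is_clean(report):
    return not any(report.values())

def fake_encrypt(data, key):
    """Stand-in for the attacker's cipher (SHA-256 in counter mode as a keystream) so
    the demo is reproducible offline; the effect on a file, near-random bytes, is
    the same as with the AES/ChaCha ciphers real ransomware uses."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def demo():
    """Build a constructed backup, record a manifest, then simulate ransomware hitting it.
    Returns the (clean, dirty) verification reports."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "finance"))
        payroll = os.path.join(root, "finance", "payroll.txt")
        with open(payroll, "wb") as f:  # constructed sample data
            f.write(b"Q3 invoices and payroll figures, one line per employee.\n" * 200)
        with open(os.path.join(root, "readme.txt"), "wb") as f:
            f.write(b"Backup taken before the incident.\n")
        manifest = build_manifest(root)
        clean = verify_backup(root, manifest)

        # Simulated ransomware: encrypt payroll.txt, rename it, drop a ransom note.
        with open(payroll, "rb") as f:
            blob = fake_encrypt(f.read(), b"attacker-key")
        os.remove(payroll)
        with open(payroll + ".locked", "wb") as f:
            f.write(blob)
        with open(os.path.join(root, "README_TO_RESTORE.txt"), "wb") as f:
            f.write(b"Your files are encrypted. Pay to get the key.\n")
        return clean, verify_backup(root, manifest)
```

Calling `demo()` returns an empty report for the untouched backup and, for the tampered one, lists the original file as missing, the `.locked` file and the ransom note as unexpected, and the `.locked` file alone as high entropy. The hash check is the authoritative one once a manifest exists; the entropy check is the fallback when it does not, because encrypted files look like random bytes while documents, spreadsheets and databases do not. Archives and media are excluded because they are legitimately near-random, so tune `SKIP_EXT` to your own data, and run the script from a device that is known to be unaffected.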

- The author is Vice President of Sales, India, SAARC, and Southeast Asia at Fortinet.

Image Credit: Identity theft photo created by standret, Freepik