To Pay or Not to Pay
That is the question. What do you have to lose?
What have you put in place to protect that data? While certain industries are more likely to pay than others, the conversation about ransom payments won’t die.
In 2022, Statista reported that 71% of global companies were affected by ransomware, with approximately 72% of them saying that they paid the ransom and recovered the compromised data. But what does recovery look like exactly? And would you get similar results by not paying?
The problem with paying a ransom for your sensitive data is that there is no guarantee that your data, once returned, won’t come back to you corrupted, Trojan-horse style. You’ve heard the phrase, “there is no honor among thieves,” right?
And even when you pay, your organization may be primed for another attack. Of organizations that pay a ransom, 68% of them are hit again – and often in the same month, while they scramble to recover. In fact, if hackers see that you’re willing to pay and can find another way to get in and attack you again, they will. (Forbes)
Paying a ransom could also violate federal law if you’re doing business with a sanctioned entity. Our own FBI urges non-payment, and ransomware attacks often originate from foreign governments (read: Russia), so there are political ramifications in play.
Heimdal Security, out of Denmark (one of the Top 10 rated cybersecurity firms worldwide), continues to advise both individuals and organizations never to pay the ransom.
Their reasons:
- There’s no guarantee that all your data will be decrypted. It could only be partially recovered, or not at all.
- You will never find out if your data has already been sold on the dark web.
- This practice fuels future attacks — in a nutshell, this is why ransomware attacks still work.
Heimdal is not alone in this posture. CybelAngel promotes prevention over recovery. We find ourselves in a time when attacks and payments are going up, but the skills and security measures available are as well. “Sophos found 73% of companies that were victims of a ransomware attack were able to restore their data through backups. In fact, modern offsite backups allow small businesses to be back up and running fairly quickly after identifying a ransomware attack.”
Who Pays?
We’ll give you three biggies to nibble on: one educational institution, one chemical distributor, and one global travel organization. Each paid, handsomely, and each is still around.
The University of California San Francisco paid $1.14M to Netwalker in June 2020 to recover files encrypted by ransomware in the systems of the UCSF School of Medicine. The IT staff attempted to isolate the infection and prevented the malware from spreading to the core UCSF network. The school said the attack did not affect its patient care delivery operations or overall campus network, but some scholarly work on the UCSF servers used by the School of Medicine was encrypted. They have since recovered their data. As of 2023, there have been no further attacks.
The North American division of chemical distributor Brenntag was attacked in May of 2021 and paid $4.4M to Darkside, the malicious actor behind the attack. While the damage was limited to a single segment of the company, 150GB of data was stolen, some of it sensitive data about their employees. Initially, Darkside demanded 133.65 bitcoin in ransom, which amounted to roughly $7.5 million, but ultimately $4.4 million was the payout. As of November 2022, Brenntag was looking to acquire part of U.S. rival Univar Solutions, hoping to gain more of the US market and greater exposure.
In 2020, travel management company CWT Global paid $4.5M in ransom to hackers using Ragnar Locker, according to a record of ransom negotiations seen by Reuters. The ransomware encrypts data files, making them unusable until the business pays to regain access. The ongoing discussions between the hackers and a CWT official remained publicly visible in an anonymous chat room. CWT said it notified U.S. law enforcement and European data privacy agencies immediately. While the hackers claimed to have shut down 30,000 CWT computers, a source familiar with the investigation believed the number of compromised machines was significantly smaller. As of Dec. 2022, CWT is back to forecasting business travel and predicts growth in 2023.
Who “Just Said NO”?
Fujifilm Europe did. In 2021, the company was attacked by a ransomware gang, refused to pay the unspecified sum, and later said that it is “highly confident that no loss, destruction, alteration, unauthorized use or disclosure of our data, or our customers’ data, on Fujifilm Europe’s systems has been detected.”
And Medibank, Australia’s largest health insurer, said “pass” as well (Medibank Refuses to Pay, Publicizes the Problem). Like others, they decided that paying would only feed the ever-growing ransomware-as-a-service (RaaS) scheme run by foreign criminals, and to what end? They continue to help their members recover data.
On both sides, all of these are large enterprises facing large payouts. And often they are targets of foreign attacks. Let’s not ignore the geopolitics. Not only is Russia responsible for 58% of ransomware attacks, but it also continues to foster a culture of cyber criminality, earning it the global ransomware hub award. Russia declares its innocence time and again, and yet a 30-nation forum on the topic in 2021 excluded Russia from attending.
One has to wonder: What are we saying as a nation, and as a nation of businesses, when we spend more energy fortifying our security and refusing payment? When do we elect for a fixed, up-front expense to fortify our security rather than paying later when we’re extorted by criminals? We don’t encourage further attacks; we are paying attention and prepared. We aren’t sitting on our hands, ready only to react.
But what about medium-sized organizations? According to Sophos, the average cost of payouts among medium-sized organizations was $170,404. Between 2018 and 2020, sums jumped from $5K to $200K.
So here’s some heartening news to leave with you: 2022 saw an increase in the fight against ransomware, and a decrease in payments, with attackers extorting approximately $456.8M from victims. WHERE’S THE UPSIDE? That number is down from $765.6M the year before. Victims are declining to be victims.