Imagine this: You’re staring at the screen and your computer is unresponsive. All that is displayed is an ANSI ransom note that confirms your fears.
You’ve fallen victim to ransomware. You’re now being asked to pay or say goodbye to your files forever. Should you pay the hackers or not?
The Conventional Wisdom: Don’t Pay
One can understand how scary a ransomware attack can be. Some people just pay the ransom so that they can get their files back, resume their lives back to normal and end the nightmare.
Most security experts, however, advise against paying ransom. There are several reasons for this, but the biggest is that paying the ransom doesn’t guarantee you’d get your files back.
By July 2019, there were already close to two dozen city, state, and county governments that fell victim to ransomware attacks for that year alone. However, rather than continue being held hostage and paying ransoms, more than 200 mayors have signed an agreement not to pay. So, if you do decide to do the same thing, you are in good company.
According to the CyberEdge Group’s Cyberthreat Defense Report, 45 percent of ransomware victims paid their attackers in 2018. However, out of those who paid, only around 60 percent recovered their data.
It’s a gamble for you to send the attackers money, not knowing if you’d ever get the files back. There are many reasons why attackers are not giving access back to people who have paid. It can be because their initial intention was just to scare people into paying the ransom, without any real intention to let their victims decrypt the files and recover their data.
In other cases, it’s poorly written code that makes the decryption process fail.
Prevent Them from Earning Money and They’d Stop
Paying the attackers will also make ransomware more profitable for them, and it will encourage them to attack other people, or even launch another attack against you in the future. The idea is that if nobody will pay the ransom, then attackers will just lose heart.
The Federal Bureau of Investigation doesn’t advise victims to pay. However, they do recognize that businesses and individuals might be paralyzed by a ransomware attack and not be able to do anything. In such circumstances, the FBI writes that you may decide to give in and pay the ransom. However, the FBI requests that you inform and work with them as they investigate the incident whether you pay or not.
What Happens When You Don’t Pay
What happens to victims when they are hit by ransomware and they do not pay? A Bleeping Computer report found that out of all ransomware victims:
- 8 percent did not pay and lost their data
- 53 percent did not pay, but they recovered their files
As you can see, there is only a very small percentage of those who choose not to pay and lost their data. It’s all a matter of being adequately prepared for an attack by backing everything up.
However, if you do find yourself staring at a menacing message on your screen, don’t bust out those credit cards or checkbooks just yet. You can still hire a professional to try and decrypt your files.
You can also visit the No More Ransom website, and if you’re lucky, they might have a decryption tool for the particular variant of ransomware you’re dealing with. This website is the work of law enforcement agencies and IT security firms, such as the Netherland’s National High Tech Crime Unit, the European Cybercrime Centre, McAfee, and Kaspersky.
How to Secure and Protect Your Business from Ransomware
Preparing for a ransomware attack, no matter how remote it may seem, can help save you a whole lot of money. According to the Infosec Institute, an attack can cost up to $55,000, on average.
A more recent ZDNet article reports that the average ransom victims paid in the first quarter of 2019 is more than $12,000 – nearly double the $6,733 that was paid per incident just the previous quarter.
The most expensive ransomware attacks are related to the Ryuk ransomware, which fetched an average of $286,557 per incident. Ryuk attackers targeted big businesses that couldn’t afford any lengthy downtimes.
Not only does it save you from spending unnecessarily, being prepared will give you the option of not paying cybercriminals to get your file back. How do you prepare?
1. Educate your employees.
Most malware and ransomware are delivered via e-mail. Attackers will try to trick employees into clicking a link that will download malicious code onto their machines. Once the code is opened, the attackers now have access to computers in your office.
As such, you should train your employees on how to detect a phishing e-mail, as well as what to do when they do receive one.
Another area you need to educate your employees on is social engineering. This happens in the real world where cybercriminals befriend employees to gain their trust and carry out the attack. It could be an attacker giving a flash stick to an employee, which can infect any computer it was inserted into.
2. Use only the latest versions of apps or software.
Attackers will try to look for unpatched software and services on your system. For instance, the WannaCry malware was spread using vulnerabilities in the SMB protocol. What makes the WannaCry incident more interesting is that it was totally preventable: the attack happened more than two months after a patch was released that would have wiped out the vulnerabilities in the SMB protocol.
3. Monitor and detect your systems.
Ransomware is relatively easier to detect. Some malware are written so that they are not detectable for a very long time. As such, advanced persistent threats don’t use up too much of your computer’s resources and stay under the radar most of the time while silently stealing your data.
Ransomware is the opposite. It needs to open, copy, encode, and then delete your files. All of these happen in minutes. Too many operations in that short time is not normal behavior, and as such, ransomware is pretty easy to detect. If you have a program that monitors API calls used by ransomware to do all these operations, you can easily detect and shut it down.
4. Make sure your security solutions are up to date.
Most businesses already have standard security programs installed on their computers, but these are not regularly maintained and sometimes even disabled. For example, antivirus software needs to have its virus definitions regularly updated. It also has to run a periodic scan.
Making sure that your security solutions are maintained and used regularly can help prevent or detect a ransomware attack.
5. Back everything up automatically.
If you think about it, ransomware attacks will only succeed if you pay. And you need to pay only when you don’t have copies of your files.
When you have a regular backup of your files, you can easily recover from ransomware attacks even when you don’t pay. You can wipe out the infected machine, re-install your operating system, and restore your backup.
You may lose some work, but it’s a whole lot better than losing all your files or paying a lot of money for a chance to recover your data that might not pan out.
6. Understand how ransomware attacks are carried out.
E-mail phishing, RDP ports, and social engineering – these methods are how most attackers deliver ransomware into your systems. You should keep yourself updated on the most common attack vectors that are being used by cybercriminals and take steps to prevent any attacks in the future.
When it Makes Sense to Pay
Conventional wisdom tells us not to pay because there is no guarantee that you’d get your files back. And the average ransom is so expensive. But more recent statistics show otherwise, and may show a more accurate picture for the small or medium-sized business owner.
ZDNet’s report shows that 96 percent of those who pay the ransom will get the decryption tool. However, only 93 percent were able to recover the data. The likelihood that you’d get your data back also depends on the kind of ransomware that was used to attack you. Ryuk only had an 80 percent recovery rate, while another malicious code known as GandCrab had an almost perfect 100 percent recovery rate.
Ransomware, Corp.: Cybercriminals are Now Operating Like Legit Businesses
Attackers are now acting like any respectable business would, writes ZDNet’s Danny Palmer. You now have ransomware attackers that have customer service agents, resellers, franchises, and training programs. Most even use collaboration tools, very much like how legitimate businesses are run.
That means that ransomware attackers now care about their reputations. There is literally very little benefit for them if they don’t give you the decryption tool after paying ransom. They don’t want to be known as the organization that didn’t follow through on its promise. If the current victim doesn’t get their files back, future victims are more likely not to pay the ransom. But there’s still a risk. If you pay the attackers now, other organizations might see you as a target and work on making you fall victim to their hijacking.
The bottom line is that you can see a ransomware attack as a business transaction. It’s easy for law enforcement and third parties to advise you to take the high road and refuse to pay, but you will probably not be altruistic when your files are held hostage.
A Trend Micro report found that while 66 percent of companies say that there is no chance that they’d pay a ransomware demand, 65 percent of these companies did pay the ransom when they were hit.
The thing is, you might be presented with inflated averages on how much ransom is demanded. Attackers are more likely to demand a low ransom, something that your business can put together even in a short time. We’re talking about a range that can be as low as $100.
You can also get discounts for acting fast. Sometimes, the ransom demand is even cheaper than having to go through the trouble of reconstructing your lost files, especially if you factor in the cost of lost productivity and not being able to operate while you get the data back up.
To Pay or Not to Pay?
The question of whether to pay or not to pay the ransom after you have been hit and crippled by a ransomware attack is to treat it like any business purchase or partnership decision. Do the benefits outweigh the cost? If so, then pay.
This means that cyber insurance might be an essential part of your strategy. “You can hedge against business disruption and cybersecurity costs with a good insurance plan,” explains Sidd Gavirneni, CEO and Co-Founder of Zeguro. “The threat landscape continues to evolve, so more businesses are realizing the importance of having insurance protection should an attack occur. Cyber insurance can cover losses such as customer and employee data loss, business interruption and extortion, regulatory fines and penalties, and more.”
There is nothing better than prevention when it comes to ransomware, but if you do find yourself a victim, it’s best to be prepared.