5/12/2021
10:00 AM
Why You Should Be Prepared to Pay a Ransom

Companies that claim they'll never pay up in a ransomware attack are more likely to get caught flat-footed.

Mike Tyson used to say, "Everyone has a plan until they get punched in the face." It's much the same with ransomware attacks: No matter how much you insist that of course you'd never pay a ransom, your plans go out the window the first time you see all your organization's computers showing that "You've been hacked" screen. 

The truth is that organizations are increasingly paying ransoms to recover their data. In fact, 70% of businesses hit by ransomware attacks wind up forking over thousands of dollars to their attackers. Even local governments have paid ransoms to regain access to vital services. No matter how much we tell one another that we'd do things differently, the reality is that when your data disappears and you start losing clients or missing deadlines, you'll pay virtually any price to put things right. 

Rather than virtue-signaling with a blanket "We never pay" statement, organizations need to be realistic about the specific circumstances in which they'd pay a ransom. If you're a hospital and people will die if you don't get your computers back online STAT — yes, it's better to pay up. If you're in a less critical field, and it's just a question of waiting around while your backups come online, maybe you can ride it out without paying. 

But either way, it's important to be honest — with yourself, your C-suite, your directors, and other stakeholders — about how you'd respond to a successful ransomware attack. When you're clear and pragmatic about the circumstances in which you'd pay a ransom, you can make more meaningful plans. That starts with including the cost of ransom payments — and the fines you'll have to pay if you give cash to cybercriminals — in your IT budget. Your CEO might not enjoy budgeting for Bitcoin transfers to hackers, but it's better to plan ahead than to be blindsided by unanticipated costs.

A clear-eyed approach to the ransomware threat also makes it easier to handle the PR fallout from an attack. That's partly because you can plan ahead, and figure out how to create a crisis communications strategy that's aligned with the reality of the situation you find yourself in. Just as importantly, though, it's far easier to explain your ransom payments to customers and shareholders if you've been upfront about the risks you face, and haven't previously claimed that you'd never, ever pay to retrieve stolen data. 

Perhaps the most important reason to be honest about your ransomware response strategy, though, is that it gives you full visibility into the true cost of ransomware attacks, which in turn allows you to make more realistic cybersecurity ROI calculations. When you know how much a ransomware attack will cost you — including the ransom, the fines, and the potential damage to your brand — then you can make smarter and more informed decisions about how much you should be investing in cybersecurity designed to keep your data safe.

It's always better, after all, to make sensible investments in security upfront and avoid getting hacked in the first place. But unless you're correctly assessing the potential impact of an attack — including the inevitable cost of paying a ransom to recover your data — it's impossible to figure out how much you should really be paying to try to keep yourself safe. Without that kind of clarity, it's also impossible to weigh the value of each year in which you successfully fend off ransomware attacks on your organization — a key step toward justifying your investments in cybersecurity to shareholders, board members, or the rest of the C-suite. 

Accepting that there are circumstances in which you'd pay the ransom also makes it easier to differentiate your data and adopt a defensive posture that's tailored to the actual value of the data you're trying to protect. If there's some data you would pay a ransom to recover, and other data that you could easily do without or reconstruct, then it doesn't make sense to use the same defensive systems to protect both datasets. Instead, invest to protect your most valuable data and ensure that it's securely fenced off from your less valuable and less robust broader data ecosystem.

That's really the key insight I'm trying to communicate: not that you should always pay ransoms, nor that reflexively paying the ransom should be your default response if the worst happens, but rather that you should be clear-eyed about what your data is really worth to you. 

Pretending that you'd never pay a ransom is pointless posturing. Instead, aim to be realistic and upfront with your stakeholders and to implement security solutions (and, yes, post-ransomware payment strategies) that are proportional to the value of the data you're trying to protect. It's by thinking clearly about the costs involved that you'll ultimately be best able to take the necessary steps to keep your data safe.

Christopher Muffat is Dathena's Founder and CEO. He has over 14 years' experience in information security risk management, including leading the internal SwissLeaks digital forensics investigation for HSBC and thereafter acting as Head of Information Risk Management for ...

Comments
Simon Hunt, 5/14/2021 | 10:58:32 AM

To pay or not to pay.

Paying a cyber ransom doesn't end there - that money is then used to fund attacks on other organizations, fund drug trafficking, human trafficking, guns, terrorism, and other similar criminal activity. You're not giving money to a teenager sitting in their mother's basement. 

Paying has huge societal and moral implications - it's not just a "business risk decision". 