Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

12:45 PM

Pledges to Not Pay Ransomware Hit Reality

While risk analysts and security experts continue to urge companies to secure systems against ransomware, they are now also advising that firms be ready to pay.

When a Florida town of 35,000 paid a $600,000 ransom to regain control of its computer systems and critical services — from e-mail access to management of a water-pumping station — critics immediately warned that paying ransomware operators would only lead to more attacks.

Yet businesses and city governments need to stay operational. While risk analysts and security experts continue to recommend that companies keep focused on securing their systems and speeding incident response to minimize the impact of crypto-locking ransomware, they are now also recommending that companies be prepared to capitulate.

In a June 5 report, for example, Forrester Research published a guide to paying ransomware, advising its audience to consider third-party firms that negotiate with cybercriminals to ensure the best outcome.

"Our recommendation is to work with someone who is essentially a specialized breach coach for ransomware," says Josh Zelonis, senior analyst for cybersecurity and risk at Forrester. Companies need to "go through a staged process to make sure that you are building a rapport with the actor and ensuring that they are able, and willing, to decrypt the data — to essentially deliver a 'proof of life.'"

The list of municipalities that have been hit with ransomware is growing. Baltimore, Maryland; Atlanta, Georgia; Riviera Beach, Florida; and Albany, New York, have all faced the decision of whether or not to pay. Some, such as Riviera Beach, decided they had no other choice but to meet the ransomers' demands. Others, such as Atlanta, reportedly refused and faced massive clean-up bills.

The list of companies that have had to deal with crypto-locking ransomware is even longer. Large companies, from Merck to Fedex to Renault, wrote down hundreds of millions of dollars from the WannaCry and NotPetya attacks. Now, clients of some managed service providers are facing ransom demands after attackers gained control of their administrative portals. Paying $17,000 in 2016, Hollywood Presbyterian Medical Center got off fairly lightly. 

"I don't think you can make a blanket statement of 'pay the ransom' or 'don't pay the ransom,'" says Adam Kujawa, director of the research labs at security firms Malwarebytes. "If you have failed to segment your data or your network, or failed to check your backups or other measures to get your company back on track quickly, then you will have to deal with the fallout."

One problem for companies: Ransomware operators have shifted away from blanketing consumers and businesses with opportunistic ransomware attacks and now almost exclusively target business and municipalities. Along with that shift, the cost of ransoms has quickly grown because such organizations can afford to pay. Now, many organizations are faced with seven-digit ransom demands, Zelonis says. "That's a heck of a payday," he adds.

The increase in ransom demands is driven by attackers' targeting and research on victims, he says.

"It is interesting because the other thing we are seeing is that these actors are not just looking at your infrastructure and where your backups are to make sure that you cannot recover from backups," he says. "A lot of the actors are looking at a company's annual revenue to figure out what they can afford to pay."

For companies that want to stick to their pledge to never pay ransomware operators, that intent needs to start before an incident — with preparation. Organizations need to focus on security, incident response, and recovery to minimize the cost of a ransomware attack. Incident response exercises are key, Zelonis says. 

Yet cybercriminals have become more savvy. They will often spend time in a target's network looking for the most sensitive data and making sure they can compromise the backups, as well, he says.

"The ransomware market from two or three years ago has totally evolved," Zelonis says. "[Cybercriminals] are understanding where you are backing things up and going after those systems. This is a full-scale breach."

The Forrester report advises companies to invest in cyber insurance as a way to offset at least some business risk. Organizations should also test their ability to recover from a massive data loss event using their backups.

"A harsh reality is that a majority of organizations aren't testing their ability to recover a single system from backups, much less validating they have the ability to recover potentially hundreds of systems at the same time," the report states.

To be most responsive in the case of a ransomware incident, companies need to have a plan for acquiring cryptocurrency or have a fund already in place, as well as have an incident response provider on retainer and select a ransomware specialist, the report stated.

The focus for companies is to stay in business, so even for companies that could recover all of their data, it is often easier — and cheaper — to just work with the attacker to restore the data.

"If you are losing data, that will cost you more to recover or to deal with the fallout of losing it, and you are dealing with the cybercriminal and they are willing to negotiate, then you are in a situation where paying might not be the worst idea in the world," Malwarebytes' Kujawa says. "It's not what we like to do, but at the end of the day, a business needs to stay in operation."

Related Content


Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
6/24/2019 | 9:49:11 AM
And if .....
Suppose .... A server failed or data center went offline, you cannot pay ransom to recover that event.  So what to do?  Gee, isn't that what a recovery and backup plan is supposed to do?????  And what is any damn different from a ransom attack to a failed RU-42 rack full of servers?   Except exfiltration of data = NOTHING.   So give up people and just have a back account set aside for ransom and heaven forbid planning for any other eventuality.  The only one thing IT needs to worry about -ever- is a ransomware attack and otherwise things never, ever go down ..... right?
Simon Hunt
Simon Hunt,
User Rank: Apprentice
6/24/2019 | 9:12:31 AM
To pay, or not to pay.
The difference is, we know any payment will be used to commit further crimes, in particular, "real world" crimes like drug manufacturing, people trafficking etc. Plus any payment inspires other criminals to follow suit. https://www.bromium.com/wp-content/uploads/2018/05/Into-the-Web-of-Profit_Bromium.pdf
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-14
A heap buffer overflow read was discovered in upx 4.0.0, because the check in p_lx_elf.cpp is not perfect.
PUBLISHED: 2021-05-14
A Zip Slip vulnerability was found in the oc binary in openshift-clients where an arbitrary file write is achieved by using a specially crafted raw container image (.tar file) which contains symbolic links. The vulnerability is limited to the command `oc image extract`. If a symbolic link is first c...
PUBLISHED: 2021-05-14
A UI misrepresentation vulnerability was identified in GitHub Enterprise Server that allowed more permissions to be granted during a GitHub App's user-authorization web flow than was displayed to the user during approval. To exploit this vulnerability, an attacker would need to create a GitHub App o...
PUBLISHED: 2021-05-14
Apache Traffic Server 9.0.0 is vulnerable to a remote DOS attack on the experimental Slicer plugin.
PUBLISHED: 2021-05-14
Firely/Incendi Spark before 1.5.5-r4 lacks Content-Disposition headers in certain situations, which may cause crafted files to be delivered to clients such that they are rendered directly in a victim's web browser.