Anti-Ransomware Coalition Bound to Fail Without Key Adjustments

International pledge to reject ransomware demands misses the most important way to combat cybercrime: prevention.

Shmuel Gihon, Security Research Team Leader, Cyberint

January 16, 2024

4 Min Read
Broken padlock sitting on a laptop keyboard with a large key that says "Ransomware"
Source: Olekcii Mach via Alamy Stock Photo


Ransomware is a pervasive issue affecting businesses of all sizes and industries, and the best way to respond remains hotly debated. While much fanfare coincided with the announcement of a US-led, 40-country coalition to collectively reject the payment of ransoms to cybercriminals, it's more a symbolic gesture than a practical solution.

The initiative is nonbinding, ignores the pressure of payment created by the SEC's four-day reporting window (which threat actors are already taking advantage of), and doesn't take a preemptive approach.

The most effective solution to the ransomware challenge isn't an international agreement; it's an enhanced understanding of potential threats and better preventative security measures.

For Some Companies, Paying Ransoms Is Just a Drop in the Ocean

The Colonial Pipeline ransomware attack in May 2021, which was deemed a "national security threat" because the organization moves oil from refineries to industry markets, revealed that it is better for some businesses to simply pay the ransom demanded by attackers. Cybercriminals stole nearly 100GB of data from Colonial Pipeline and threatened to leak it if the ransom wasn't paid, resulting in the company ponying up the $4.4 million ransom (most of which has since been recovered). For critical infrastructure organizations like Colonial Pipeline, restoring operations and services and regaining control of sensitive information is critical, meaning making swift payments to hackers following an incident is often the most efficient way to reduce the damage to the business.

The year of the ransomware attack, the Colonial Pipeline Company had $3.1 billion of assets, and the prior year generated a net income of $420 million on $1.3 billion of revenue. Given the damage to reputation and productivity in the days the pipeline was down, paying the ransom was akin to dealing with a frustrating but nowhere near bank-breaking speeding ticket. For companies like Colonial Pipeline, these incidents are simply the cost of doing business. 

Nevertheless, the potential cost to reputation and the climbing costs of ransom demands mean that even large organizations with funds to spare must combine efforts to combat cybercrime. The international alliance's intentions appear to be just this; however, the approach is ineffective. A proactive effort that meets cyber threats with strength and prioritizes preemptive techniques with threat intelligence provides organizations with cybersecurity postures that are two and a half times more likely to be effective.

SMBs Have a Huge Potential Risk

Private small and midsized businesses (SMBs) face arguably an even greater challenge than their large enterprise counterparts. The Conti ransomware group revealed that cyber groups adjust their demands for each victim: the higher the victim's annual revenue, the lower the percentage of revenue demanded. Although the ransom demands for SMBs might be smaller monetary amounts, they typically represent a higher percentage of their annual revenue, thus causing a larger impact on the business.

SMBs typically spend an average of $38,000 to recover from a security breach, including costs associated with a temporary pause in trade, excluding any ransom payments. Given that the average annual revenue for small businesses falls within the range of $44,000 to $1 million, the feasibility of making ransomware payments may be in question.

The alliance's response to the ongoing debate on how to counter the disproportionate influence of cybercriminals over legitimate organizations complicates what should be a straightforward solution. The solution to the growing challenge of ransomware lies, undoubtedly, in better cybersecurity that prevents ransomware attacks from occurring in the first place. Combined with increased action from law enforcement to apprehend attackers and deter cybercrime, ransomware groups will face a more even challenge.

Proactive Security Is the Way to Counter Rising Ransomware Threats

Verifying whether businesses do or don't pay ransomware demands isn't always practical; however, estimates suggest that 46% of organizations pay ransomware extortion, and 26% of organizations that use backups to restore data also pay. Preventing ransomware payments is not a viable solution to the growing problem of ransomware, nor is it the most effective. Only 18% of cybersecurity expenditure is dedicated to prevention, with averted attacks saving companies hundreds of thousands of dollars ($682,650 per breach on average). Savings with proactive and preventative initiatives exist across businesses, with companies that adopt threat intelligence into their existing security systems seeing 32% lower costs in security expenses overall.

The international alliance, while a symbolic resistance to ransomware demands, misses the critical point in combating rising ransomware crime: security. Organizations must invest in better cybersecurity practices, threat intelligence, and proactive initiatives to prevent ransomware attacks in the first place and lessen the impact when or if they become victims. Empowering organizations to resist extortion tactics through preventative measures rather than relying solely on the decision to pay or not pay ransom demands is the real solution. It should be the focus of initiatives and alliances of the present and future.

About the Author(s)

Shmuel Gihon

Security Research Team Leader, Cyberint

Shmuel Gihon currently serves as the Security Research Team Lead for Cyberint, the leading provider of actionable threat intelligence, where he helps customers and is regularly quoted in the media for his threat actor insights. Prior to his current role, Shmuel served as both a Researcher and Cybersecurity Analyst and in Cyberint and other firms.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights