There is no getting around it; ransomware is here to stay.
Ransomware is a type of malware (malicious software) that can be designed in many harmful forms. Cyber crooks use it to block and lock users from their computers and files until a ransom is paid. With many high-profile ransomware attacks in recent news headlines, we have all become familiar with these incidents. Ransomware has evolved over the years with the addition of data exfiltration, threat of reputational harm, and even the addition of distributed denial-of-service (DDoS) attacks to force the unwilling payer to meet ransom demands.
But is paying the victim’s only option? What happens if they don’t?
Why Businesses Want to Pay
Realistically, no business wants to pay a ransomware demand, and insurers strongly discourage any form of ransom payment. The more money cyber criminals receive, the more incentive they have to continue their profitable attacks. Paying a ransom is often a last resort and purely a weighted financial decision.
There are several reasons why a company may need to consider payment as an option. Paying the ransom amount may seem like a better choice if...
- Data loss could be catastrophic
- They lack a comprehensive data backup system
- Reputational harm could be detrimental to future operations
- The company is an anchor in a large-scale supply chain with multiple dependents
Every day a business is not running is a day they are losing money — and with each passing day, the potential for reputational harm increases. The more time that passes, the more difficult it will be to eventually restart operations and make up that lost revenue.
In the case of large companies, they have more to consider than their own fiscal welfare. A prolonged shutdown of a nationwide meat supplier, or one of the biggest fuel suppliers, has real consequences for the economy. We saw a glimpse of that with Colonial Pipeline, as flights were grounded and some gas stations experienced shortages amid panic buying. However, just as in the Colonial Pipeline case, paying a ransom does not mean that operations will return to normal, or the threat of data release will be removed.
Why Leaders Shouldn’t Pay
While organizations may have valid reasons for wanting to quickly pay a ransom, no insurer, law enforcement, or government agency recommends that companies pursue this course, and for good reason.
For starters, there is no guarantee that the locked information will be released. A recent report showed that a shocking 92% of organizations who paid the ransom did not get all their data back. Only 29% were reported to recover half of the full data exfiltrated.
When you make a payment, you may only be paying for the hope that the hacker does not leak the stolen data. In the Colonial Pipeline attack, the bad actors received the ransom payment and sent a deficient decryption key, thus leaving Colonial Pipeline to ultimately restore from their backups.
Part two of this blog series will focus on the legal issues surrounding ransomware, as well as how you can prevent these attacks.
Please reach out with questions.
Want to learn more?
Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.
About the Author
Allen Blount leads the Cyber Team at Risk Strategies, where he guides clients on navigating cyber risks such as ransomware attacks. He specializes in both cyber insurance and tech E&O (errors and omissions). Before his insurance career, he practiced law.
