It’s the question that professionals advising on ransomware attacks must dread answering - should an extorted business pay up?

When commercial ransomware started pestering UK and US businesses around 2012, the answer was an emphatic ‘no’. Paying would only encourage repeat attacks and reward a business model that succeeded when victims could be picked off one at a time. In an important sense, a ransom paid was also an encouragement to attack others in turn.


There was also the small practical worry, backed up by anecdote, that paying ransoms didn’t guarantee that decryption would be forthcoming.

But someone out there is paying on a scale security companies and law enforcement are struggling to understand. According to the FBI, ransomware netted $209 million (£160 million) in the first quarter of 2016 alone, although how much of this came from businesses as opposed to individuals is impossible to say. Ironically, an FBI representative last year appeared to suggest that paying ransoms might be a rational response in some circumstances.

There is no evidence that UK firms are more likely to pay up than those in other countries, but it is clear from those numbers that a meaningful number of individuals and companies are holding their noses and paying up for something.

What makes victims pay?

The big issue for businesses is not simply the ability to recover data (almost all will have layered backups) but the time this takes to reinstate. For individual PCs, it might be minutes each but for a server running an important database it could run to days. In this world, delay often means lost revenue.

Smaller businesses will also have backups, but probably with gaps covering the last week or two of operation. Getting that data back, usually work invoices, is less likely to be possible, leaving paying the ransom as the only option.

The UK makes an interesting test case for these pressure points. According to a new survey by Trend Micro of around 300 UK IT decision makers, 74 percent believed they wouldn’t pay up if infected by ransomware, despite the fact that, among the 44 percent that had actually been hit, two thirds admitted they had paid.

Put bluntly, slightly under half of the firms surveyed had been affected by ransomware since 2014, of which the majority paid up despite being in a well-resourced sector that should have better options.

The stats are surprisingly high; older estimates of victim percentages usually run to a few percent at best although these tend to be based on consumer ransomware attacks. Businesses are clearly in a different category because they value data more highly and have considerations that go beyond being asked to pay sums Trend reports as being around £500 to £1,000 per attack.

A separate recent estimate by Kaspersky Lab put the percentage of smaller businesses paying up at 34 percent based on an international survey of 3,000 firms.

“When faced with a ransom situation, most organisations simply cannot afford to part with the encrypted data and are forced to fork out the requested amount, often more than once,” said Trend’s Bharat Mistry.

“Caving in to the demands of cyber-extortionists only reassures them of their strategy and perpetuates the threat cycle.”

The punchline, according to Trend, is that a meagre 44 percent of those who paid the ransom got their data back. If that’s correct, paying a ransom demand is more like a bet than a data recovery strategy. Anecdotes confirm this, with the case of a US hospital in Kansas being only an extreme example of the problem: the institution paid the initial ransom but the attackers simply returned to ask for a higher figure.

Trend reports that affected businesses spend an average of 33 staff hours fixing an attack, which hints that some are using ransoms as a parallel strategy in the hope it might shorten this period. Other motivations include worries over being fined if data is lost, the high confidentiality of the encrypted data and the fact that the ransom is seen as a small amount.

Of course if the data has been touched by ransomware then its confidentiality is moot. The decision to pay as a way of preserving its privacy is little more than a comfort blanket based on happy delusion.

The danger is that, little by little, businesses are coming to see ransomware as a cost of doing business, to be filed in the same category as other security threats they’ve got used to such as breaches, insider malevolence and even DDoS attacks. This holds obvious dangers because it perpetuates attacks used to develop and fund other forms of cybercrime.

From each business’s point of view, extortion is an inconvenience to them alone. But it is also a major hazard for whole sectors and eventually parts of entire economies. Paying up has wider costs.

If Trend’s figures are representative, payment fails as often as it succeeds, from which one might conclude that a better strategy is to invest the money in the next attack, not the one of the moment. That means standing back from the problem and taking specialist advice. This will cost more in the short run but will reduce the effect of a future attack which is now a question of when not if.

Ransomware: why paying extortionists is a 50-50 bet - advice for businesses

- Contact the police, regardless. This will be confidential and offers them useful intelligence on attacks. Trend believes the police are able to offer some practical help in half of cases.

- Smaller businesses considering paying ransoms should factor in that the fact of payment might be traded on cybercriminal forums, generating future, even more targeted, attacks.

- All firms should include space for specialists as part of their ransomware recovery plan. For large firms this will mean carrying out an independent, possibly forensic, assessment of the weakness that allowed an attack to get inside the company. For small firms it could simply be about buying a support contract from a security firm to offer crucial advice on what to do and not do during and after an attack.

- There are numerous technical responses to mitigate ransomware, but one of the least mentioned is simply subnetting servers and PCs to minimise the spread of ransomware around a company. It is often working out how far ransomware has spread that takes up the time, not simply cleaning PCs and restoring encrypted data.

- Paying a ransom is a bet that will deliver nothing at least half of the time. Bear that in mind when imagining an ideal plan B.
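The segmentation point above is easy to state and hard to picture, so here is an added worked example (written for this page, not code from the article or from Trend Micro) that makes both halves of it concrete: how much a segmented network shrinks the set of hosts one infected PC can reach, and how a responder can work out which hosts have already been hit from file-server audit records. The host inventory, subnets, the flat and segmented reachability policies, the audit log format and the `.locked` / `HOW_TO_RECOVER` file markers are all constructed assumptions for the example; substitute the inventory and the markers seen in a real incident.

```python
"""
Added example: blast-radius estimate for a flat versus a segmented network,
plus a triage pass over constructed file-server audit lines.

Every host, subnet, policy and log line here is constructed for illustration.
"""
import ipaddress
from collections import deque

# Constructed inventory: host name -> IP address.
HOSTS = {
    "pc-01": "10.1.0.11", "pc-02": "10.1.0.12",   # workstation subnet A
    "pc-03": "10.2.0.21", "pc-04": "10.2.0.22",   # workstation subnet B
    "file-01": "10.9.0.5", "db-01": "10.9.0.6",   # server subnet
}

SUBNETS = {
    "workstations-a": ipaddress.ip_network("10.1.0.0/24"),
    "workstations-b": ipaddress.ip_network("10.2.0.0/24"),
    "servers": ipaddress.ip_network("10.9.0.0/24"),
}

# Reachability policies (assumed): which subnets a host in a given subnet may
# open file-sharing connections to. The flat network allows everything; the
# segmented one lets workstations reach servers but never another workstation
# subnet, and servers never initiate connections back to workstations.
FLAT_POLICY = {src: set(SUBNETS) for src in SUBNETS}
SEGMENTED_POLICY = {
    "workstations-a": {"workstations-a", "servers"},
    "workstations-b": {"workstations-b", "servers"},
    "servers": {"servers"},
}


def subnet_of(host):
    """Map a host name to the name of the subnet its address falls in."""
    addr = ipaddress.ip_address(HOSTS[host])
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    raise ValueError(f"{host} is not in any known subnet")


def reachable_hosts(start, policy):
    """Breadth-first search: a compromised host can touch every host in any
    subnet its own subnet is allowed to reach, and each newly reached host
    spreads in turn. Returns the full set of hosts that could be touched."""
    seen = {start}
    queue = deque([start])
    while queue:
        current = queue.popleft()
        allowed = policy[subnet_of(current)]
        for other in HOSTS:
            if other not in seen and subnet_of(other) in allowed:
                seen.add(other)
                queue.append(other)
    return seen


# Constructed audit lines (not real logs): timestamp, client IP, action, path.
AUDIT_LINES = """\
2016-06-01T09:01:12 10.1.0.11 WRITE /shares/finance/invoices-may.xlsx.locked
2016-06-01T09:01:13 10.1.0.11 WRITE /shares/finance/HOW_TO_RECOVER.txt
2016-06-01T09:02:40 10.2.0.21 READ  /shares/hr/handbook.pdf
2016-06-01T09:03:05 10.1.0.12 WRITE /shares/ops/rota.docx.locked
2016-06-01T09:04:00 10.9.0.6  WRITE /shares/backup/db-nightly.bak
"""

# Markers are assumptions for this example; real families use different names.
SUSPECT_SUFFIXES = (".locked",)
SUSPECT_NAMES = ("HOW_TO_RECOVER",)


def triage(audit_text):
    """Return {subnet: sorted hosts} for clients that WROTE files carrying the
    ransomware markers. Clients whose IP is not in the inventory are grouped
    under 'unknown' rather than dropped, so nothing is silently missed."""
    ip_to_host = {ip: host for host, ip in HOSTS.items()}
    hits = {}
    for line in audit_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash mid-incident
        _, ip, action, path = parts
        if action != "WRITE":
            continue
        name = path.rsplit("/", 1)[-1]
        if not (name.endswith(SUSPECT_SUFFIXES)
                or any(marker in name for marker in SUSPECT_NAMES)):
            continue
        host = ip_to_host.get(ip)
        subnet = subnet_of(host) if host else "unknown"
        hits.setdefault(subnet, set()).add(host or ip)
    return {subnet: sorted(hosts) for subnet, hosts in hits.items()}


if __name__ == "__main__":
    for label, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        count = len(reachable_hosts("pc-01", policy))
        print(f"{label}: {count} of {len(HOSTS)} hosts reachable from pc-01")
    print("hosts writing ransomware markers by subnet:", triage(AUDIT_LINES))
```

On the constructed data, one infected PC can reach all six hosts on the flat network but only four on the segmented one, and the triage pass places both affected hosts in a single workstation subnet, which is exactly the information that turns "how far has it spread?" from a days-long question into a short one. The reachability model is deliberately coarse (subnet to subnet, not port by port); the point is that the policy table, not the malware, decides the ceiling on the blast radius.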