Should I Pay the Ransom? Answering 10 Common Questions About Ransomware

Ransomware, cybercriminals, ransomware as a service, reasons for paying the ransom

Ransomware continues to make headlines, especially as cybercriminals aligned with nation-states continue to perpetrate attacks. According to a 2022 report, attackers fall into two categories. The first is sophisticated groups that continually refine their tactics, techniques, and procedures (TTPs), learn from their mistakes, and build their own teams of highly skilled operators. The second is Ransomware-as-a-Service (RaaS) models, which lower the barrier to entry so that inexperienced or less technical cybercriminals can deploy attacks using tooling the RaaS operator maintains in exchange for a share of the proceeds.

In response to increased ransomware attacks, a group of international Ministers and Representatives representing 59 countries released a Joint Statement in October 2021. The statement detailed common priorities and complementary efforts to reduce ransomware risks, including:

● Improving network resilience
● Addressing the abuse of financial mechanisms
● Disrupting the ransomware ecosystem

While these broad plans may reduce the long-term impact of ransomware, businesses still need to address their current risks. Ransomware attack volume nearly doubled in 2021, with 73% of organizations saying that at least one attack targeted them in the preceding 24 months. This number represents a 33% year-over-year increase, indicating that ransomware remains a fundamental business concern.

In this article, we’ll answer some questions about ransomware so that you can make informed decisions and protect your business.

Should I pay the ransom?

As unsatisfying as it may be, the answer to this question is “it depends.” Often, companies need to make difficult decisions, balancing their business needs with legal or regulatory requirements.

Additionally, system outages impact companies and industries differently. For example, a manufacturer may need functioning systems to ensure employee physical safety. Meanwhile, an online business may be able to afford downtime and lost revenue.

Being armed with facts can help you make a more informed decision. The same research that found attack volume nearly doubled also noted the following:

● 80% of companies who paid a ransom were victims of a second attack
● 68% of companies who paid once were hit again in less than a month for a higher ransom
● 54% who paid still reported system issues or corrupted data after decryption

Is paying the ransom illegal?

In September 2021, the Department of the Treasury's Office of Foreign Assets Control (OFAC) released an updated advisory listing the potential sanctions risks associated with making and facilitating ransomware payments.

OFAC's Specially Designated Nationals and Blocked Persons List (SDN List) includes groups that deploy ransomware attacks and those that facilitate the payments. U.S. persons, including financial institutions, are generally prohibited from transacting with anyone on the SDN List and must block such payments, so a ransom paid to a listed group can itself be a sanctions violation.

The OFAC advisory applies to ransomware victims and any company that engages with them, including:

● Cyber insurers
● Digital forensics and incident response
● Payment processors, including depository institutions and money services businesses

Will cyber insurance cover a ransomware payment?

Over the last year, cyber insurers have changed their position: some stopped selling ransomware coverage, while others raised premiums and tightened underwriting requirements in response to rising claims. Further, in light of the OFAC advisory and sanctions, an insurer cannot reimburse or make a ransom payment where the gang responsible for the attack is on the SDN List, so coverage may exist on paper but be unusable for a given attack.

What is a double-extortion ransomware attack?

Ransomware has been around since the late 1980s. However, traditional attacks only encrypted data so that businesses wouldn't be able to use it. In response, organizations started implementing more robust data backup strategies, and a victim with good backups could restore without paying.

Cybercriminals evolved their methodologies so that ransomware attacks would remain a viable business model. In a double-extortion attack, cybercriminals first exfiltrate sensitive information and then encrypt data to disrupt business operations. They hold the stolen information "ransom," threatening to leak or sell it unless the company pays. Backups restore operations, but they do nothing about the stolen copy, which is why double extortion puts pressure even on well-prepared victims.

How is a ransomware attack different from other cyberattacks?

As double-extortion attacks become the norm, it’s essential to understand how they differ from other types of cyber attacks.

Typically, cybercriminals deploying ransomware are financially motivated. They exfiltrate enough data to give them leverage, but they have no interest in remaining in your systems longer than the attack requires.

Other intrusions, such as espionage or fraud operations, focus on long-term goals, like stealing customer information for identity theft or maintaining persistent access to intellectual property, and their operators work to stay undetected for as long as possible.

Why do companies pay the ransom?

Companies that choose to pay the ransom most often do so because they're worried about reputational and revenue impacts. With news organizations reporting ransomware attacks, companies worry they will lose customer trust and business.

The concerns are well-founded. Research covering 40 publicly traded companies found that 21 of them saw worse stock performance in the six months after a data breach, and after two years the average share price underperformed the NASDAQ by 11.9%. When companies pay the ransom, they often seek to mitigate these revenue risks.

How are ransomware and cryptocurrencies linked?

Many cybercriminals believe that cryptocurrency gives them more anonymity and makes payments harder to trace. In practice, most public blockchains are pseudonymous rather than anonymous: every transaction is recorded on a public ledger, which is exactly what lets investigators follow ransom payments to the exchanges where they are cashed out. Nevertheless, because cryptocurrency transactions bypass the traditional banking system and its know-your-customer controls, cybercriminals use these payment forms to collect ransoms outside the reach of most financial regulators and law enforcement.

Noting that these virtual currency exchanges are critical to the ransomware ecosystem, the US Treasury Department added one cryptocurrency platform, SUEX OTC, S.R.O, to the SDN List because it facilitated ransom payment transactions.

This sanction makes paying a ransom more difficult because any company working with a sanctioned cryptocurrency company faces potential enforcement actions, like fines.
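A practical check that follows from both the SDN List discussion above and the sanctioning of a cryptocurrency exchange is to screen the payment addresses in a ransom note against the digital-currency identifiers OFAC publishes on the SDN List before anyone, victim, insurer or responder, touches a payment. The example below is added here and is not part of the original article or any OFAC tooling. It parses a small, constructed XML fragment modelled on the layout of OFAC's public sdn.xml export, in which virtual-currency addresses appear as id entries whose idType starts with "Digital Currency Address - " followed by an asset code (XBT for bitcoin, ETH, XMR). The entity names, UIDs and addresses are made up for the demonstration; in real use you would download the current list from OFAC and confirm the element names against its published schema.

```python
"""Screen a ransom note's payment addresses against an OFAC SDN-style list.

Added example (not from the article). The XML below mimics the layout of
OFAC's sdn.xml export; the entries and addresses are constructed and fake.
Verify element names against the current OFAC schema before relying on this.
"""
import re
import xml.etree.ElementTree as ET

# Constructed, fake addresses used in the sample list and ransom note.
SDN_BTC = "1DemoSDNAddrABCDEFGHJKMNPQRSTUVWXY"   # base58-shaped, not a real address
SDN_ETH = "0x" + "0" * 32 + "deadbeef"           # 40 hex chars after 0x
SDN_XMR = "4DemoSDNMoneroAddrABCDEFGHJKL"
UNLISTED_ETH = "0x" + "1" * 40                   # not on the sample list

# Constructed sample in the style of sdn.xml.
SAMPLE_SDN_XML = f"""<?xml version="1.0"?>
<sdnList>
  <sdnEntry>
    <uid>10001</uid>
    <lastName>EXAMPLE EXCHANGE S.R.O.</lastName>
    <sdnType>Entity</sdnType>
    <programList><program>CYBER2</program></programList>
    <idList>
      <id><idType>Digital Currency Address - XBT</idType><idNumber>{SDN_BTC}</idNumber></id>
      <id><idType>Digital Currency Address - ETH</idType><idNumber>{SDN_ETH}</idNumber></id>
    </idList>
  </sdnEntry>
  <sdnEntry>
    <uid>10002</uid>
    <lastName>EXAMPLE RANSOMWARE OPERATOR</lastName>
    <sdnType>Individual</sdnType>
    <programList><program>CYBER2</program></programList>
    <idList>
      <id><idType>Passport</idType><idNumber>X1234567</idNumber></id>
      <id><idType>Digital Currency Address - XMR</idType><idNumber>{SDN_XMR}</idNumber></id>
    </idList>
  </sdnEntry>
</sdnList>
"""

# Constructed ransom note; one address is on the sample list, one is not.
SAMPLE_RANSOM_NOTE = f"""
Your files are encrypted. Send 30 BTC to {SDN_BTC}
or 450 ETH to {UNLISTED_ETH} within 72 hours.
"""

# Loose patterns, good enough to pull candidate addresses out of free text.
ADDRESS_PATTERNS = {
    "XBT": re.compile(r"\b(?:bc1[0-9a-z]{25,}|[13][1-9A-HJ-NP-Za-km-z]{25,34})\b"),
    "ETH": re.compile(r"\b0x[0-9a-fA-F]{40}\b"),
    "XMR": re.compile(r"\b4[0-9A-Za-z]{20,}\b"),
}


def normalise(asset, address):
    """ETH addresses are case-insensitive hex; bitcoin base58 is case-sensitive."""
    return address.lower() if asset == "ETH" else address


def load_sdn_addresses(xml_text):
    """Return {(asset_code, address): 'NAME (SDN uid N)'} for every
    digital-currency identifier on the list."""
    listed = {}
    for entry in ET.fromstring(xml_text).iter("sdnEntry"):
        name = entry.findtext("lastName", default="?")
        uid = entry.findtext("uid", default="?")
        for ident in entry.iter("id"):
            id_type = ident.findtext("idType", default="")
            if not id_type.startswith("Digital Currency Address - "):
                continue
            asset = id_type.rsplit(" - ", 1)[1].strip()
            addr = normalise(asset, ident.findtext("idNumber", default="").strip())
            listed[(asset, addr)] = f"{name} (SDN uid {uid})"
    return listed


def extract_addresses(text):
    """Return the set of (asset_code, address) candidates found in free text."""
    found = set()
    for asset, pattern in ADDRESS_PATTERNS.items():
        for match in pattern.finditer(text):
            found.add((asset, normalise(asset, match.group(0))))
    return found


def screen(note_text, sdn_xml):
    """Return [(asset, address, listed_entity)] for every address in the note
    that appears on the list. An empty list means no match, not a clean bill
    of health: screen the receiving exchange and any intermediary as well."""
    listed = load_sdn_addresses(sdn_xml)
    return [(asset, addr, listed[(asset, addr)])
            for asset, addr in sorted(extract_addresses(note_text))
            if (asset, addr) in listed]


if __name__ == "__main__":
    for asset, addr, who in screen(SAMPLE_RANSOM_NOTE, SAMPLE_SDN_XML):
        print(f"BLOCK: {asset} {addr} belongs to {who}")
```

A no-match result only means the address string is not on the list; the wallet may still belong to a listed actor who rotates addresses, so OFAC also expects the counterparty exchange and the attribution of the group itself to be checked.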

Does a company need to report a ransomware attack to law enforcement?

Whether you must report the attack depends on your industry and on what data was affected. No single federal law requires every victim to report a ransomware attack to law enforcement. In a heavily regulated industry, like healthcare or financial services, however, you may be required to notify regulators and affected individuals under data breach notification requirements, and a double-extortion attack that exfiltrated personal data is typically a reportable breach under those rules whether or not you pay. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) will also require covered critical infrastructure entities to report ransom payments to CISA once its implementing rules take effect.

How does a company report a ransomware attack?

Reporting a ransomware attack can help law enforcement disrupt the cybercrime ecosystem. The Federal Bureau of Investigation (FBI) suggests that companies report an attack by:

● Contacting their local FBI field office
● Submitting a tip online
● Filing a report with the FBI’s Internet Crime Complaint Center (IC3)

What prevention and business continuity strategies can help reduce a ransomware attack’s impact?

A robust cybersecurity program focusing on cyber resilience may reduce the impact of a ransomware attack.

Some prevention methods include:

● Endpoint protection (anti-virus or endpoint detection and response) on workstations and servers
● Preventing users from downloading or running unknown or unauthorized software, for example through application allow-listing and by removing local administrator rights
● Cyber awareness training focused on phishing risks
● Applying security updates to software and operating systems as soon as possible, prioritizing internet-facing systems such as VPN gateways and remote desktop services that ransomware operators routinely scan for
● Multi-factor authentication on remote access and administrative accounts, since stolen credentials are a common initial access vector

Some business continuity strategies include:

● Regularly backing up data, with at least one copy offline or in immutable storage that a compromised domain account cannot modify or delete
● Verifying backup integrity by comparing backups against a trusted hash manifest and periodically performing test restores, so you discover a corrupt or incomplete backup before you need it
● Securing backups with separate credentials and restricted network access; an attacker who can reach the backup server with the same credentials used elsewhere will encrypt or delete the backups before triggering the ransomware
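One way to implement the integrity check in the list above: record a SHA-256 manifest when the backup is taken, store it somewhere the attacker cannot reach, and compare the backup set against it before trusting a restore. The example below is added here and is not code from the original article or from Securicon. It builds a small backup set in a temporary directory with constructed file names and contents, records the manifest, simulates ransomware touching the share (one file encrypted in place, one renamed with a new extension, one ransom note dropped), and then reports exactly which files are intact, modified, missing or unexpected.

```python
"""Build a SHA-256 manifest for a backup set and verify it before restoring.

Added example (not from the article). Ransomware that reaches a backup share
encrypts or deletes files in place, so a restore should start with a check
against a manifest stored where the attacker could not reach it (offline
media or immutable object storage). All paths and contents are constructed.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup files need little memory


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map relative POSIX path -> sha256 for every regular file under backup_dir."""
    entries = {}
    for p in backup_dir.rglob("*"):
        if p.is_file():
            entries[p.relative_to(backup_dir).as_posix()] = sha256_file(p)
    return dict(sorted(entries.items()))


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup set on disk against a trusted manifest.

    Returns {"ok": [...], "modified": [...], "missing": [...], "unexpected": [...]}.
    'modified' is what in-place encryption looks like; 'missing' plus an
    'unexpected' sibling is what a rename-with-extension looks like."""
    current = build_manifest(backup_dir)
    ok, modified, missing = [], [], []
    for rel, digest in manifest.items():
        if rel not in current:
            missing.append(rel)
        elif current[rel] != digest:
            modified.append(rel)
        else:
            ok.append(rel)
    unexpected = sorted(set(current) - set(manifest))
    return {"ok": ok, "modified": modified, "missing": missing, "unexpected": unexpected}


def demo() -> dict:
    """Create a constructed backup set, record its manifest, simulate ransomware
    on the share, and return the verification report."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (backup / "config.yaml").write_bytes(b"retention: 30d\n")
        (backup / "notes.txt").write_bytes(b"quarterly figures\n")

        # Manifest taken at backup time. In production it is written to offline
        # or immutable storage, never next to the data it describes.
        manifest_json = json.dumps(build_manifest(backup))

        # Simulated ransomware activity on the share (constructed): one file
        # encrypted in place, one renamed with a new extension, one note dropped.
        (backup / "db" / "customers.sql").write_bytes(os.urandom(64))
        (backup / "notes.txt").rename(backup / "notes.txt.locked")
        (backup / "README_TO_RESTORE.txt").write_bytes(b"pay us\n")

        return verify_backup(backup, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The same verify_backup function is what a scheduled test-restore job would call against a copy of the backup set pulled from the offline tier; a non-empty "modified" or "missing" list should page someone, since it means the copy you planned to restore from is already damaged.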

Mitigate Ransomware Risks with Securicon

Although you won't find a silver bullet that protects you from a ransomware attack, you can mitigate risks and be best positioned to protect against, detect, respond to, and recover from them. Identifying and remediating security weaknesses and having organizational ransomware response playbooks in place before an attack makes a cybercriminal's job more difficult. When you architect secure networks and systems, cybercriminals are less likely to move laterally from one system to another. When they can't steal sensitive data, you thwart their double-extortion goals.

Securicon’s professionals can help you define, deliver, implement, and manage an information security program that mitigates ransomware risks and prepares you to respond when they occur. Our experienced, knowledgeable staff uses architecture designs and security policies based on insights gained in the field – not theory. Acting as a trusted advisor, we help customers cost-effectively manage risk, operating as extensions of their internal cyber-security teams so they can balance information and operational security needs.

Contact us to learn more!