With ransomware attacks on the rise, many businesses are trying to decide whether they will have to pay the ransom to decrypt their files or whether they can hold firm against the attackers.
In recent years, ransomware attacks have evolved from simple malware deployment and extortion to a multilevel Ransomware-as-a-Service (RaaS) business model. Double extortion attacks further increase the risk. All of these developments combine to make organizations more vulnerable.
According to the CRA Ransomware Study: Invest Now or Pay Later, 43% of companies surveyed have experienced at least one ransomware attack in the last two years (2020–2021). Furthermore, 32% of the respondents admit that they cannot prevent ransomware attacks since cybercriminals are too sophisticated and well-funded.
When a company is hit by ransomware, leaders are faced with a difficult decision: should they give in to the demands of the attackers and pay the ransom? Or, should they remain firm, refuse payment, and risk losing crucial data?
Ethical Side of Things
Before deciding whether or not to pay the ransom, various ethical issues must be considered. The first reaction might be that paying the ransom will allow business operations to resume as soon as possible. While this may be true in some cases, it may also lead to the threat actors demanding a second payment after seeing how quickly the first one arrived. Paying the ransom immediately encourages further attacks on both the victim and other companies, which raises additional moral concerns.
Before making a decision on payment, some questions about data exfiltration must be answered. First and foremost, businesses must always keep in mind that they are dealing with criminals, and it is possible that the data will not be returned. Beyond that threat, even if the data is retrieved, the victim is still responsible for data breach notification. Only when high-value data has been taken, such as trade secrets or future strategic business plans, is the immediate risk of payment worth taking; in that case, getting the information back before the threat actors disclose it is probably worth the ransom payment.
Considerations for Data Encryption
Data encryption attacks are another type of ransomware attack. Instead of stealing data, the attackers simply lock the company out of it. Payment is not required if the organization maintains adequate backups; if it does not, payment may become necessary. The cost of the ransom versus the cost of a complete data rebuild is an essential consideration. It is also vital to remember that decryption is not instantaneous and may not restore the data entirely, so company operations will be affected regardless of the decision.
Victims must remember that the opposing party in the negotiation is a criminal organization that will exploit businesses in every way it can. Because there is no legislation regulating these negotiations, victims must rely on the criminals to act in good faith once payment is made. There are also long-term consequences. Paying a ransom immediately marks the company as willing to pay, making it a target for future attacks. There is also the ethical question of rewarding and funding criminal activity, which must be addressed. Finally, paying a ransom carries legal risks, since governments may penalize such payments.
What Can Enterprises Do to Prevent This?
Cybersecurity is not a technical issue with technical answers. Cybersecurity is a business issue. It’s about aligning people and money to make the best decisions possible. Leaders must be aware of the company’s goals and how they relate to the threats that impact their future. In 2022, a risk-based approach to cybersecurity is desperately needed.
Most board members and executives are frightened by the idea of a ransomware attack. A well-executed attack on an unprepared enterprise can cause major operational disruption and force a payment to a criminal group. Internal discussion is critical when determining whether or not payment should be made. It is better to come prepared with the actual costs of such an event and a strategy for minimizing the loss.