Ransomware… to Pay or not to Pay??

May 26, 2021
by Johannes Kaupe

With a company expected to be hit by ransomware every 11 seconds in 2021, it’s not unreasonable to think about your options should this happen to you. With your systems offline, apps and website not working, and the knock-on effect of not being able to transact, you just want normality back, and the easiest way to get that is to pay the ransom. Or is it?

Paying the ransom does not guarantee the decryption key will be provided straight away; the hackers might ask for an additional payment before they hand it over. And even if they do hand it over, there is no guarantee it will work. The attackers spend less effort on the cure than on the disease: shutting you down and getting control is their primary objective, and your recovery is secondary.

There is also a moral aspect: paying the ransom rewards the criminal behaviour and encourages them to continue. Even if they don’t hit you again, they will be targeting their next victims.

The UK Home Secretary Priti Patel echoed these views while speaking at the National Cyber Security Centre’s (NCSC) CYBERUK 2021 virtual conference and warned that the government does not support victims of ransomware paying the ransom. Of course, that’s easier said than done when your business is being held to ransom and losing $100k revenue every day!

And if your business operates primarily online, and an attack leaves you unable to use the internet, the cost impact could be crippling. Merchant Machine, a UK-based payments information service, estimates Amazon would be out of pocket to the tune of $44 million per hour! This is an extreme example, but you get the picture.

It is becoming evident that the ransom payment is only part of the cost to a company, whether it is paid or not, and usually it’s not the largest cost.

Besides the cost of lost business mentioned above (which can be much more, depending on the size of the company), there are also disgruntled customers: not only those who can’t be supported, but also those whose personal data may be compromised. Besides financial penalties for not meeting SLAs, there may be legal repercussions from customers whose data was compromised. There is also negative publicity and longer-term reputational damage, which is harder to put a $ figure on.

But a bigger cost, and one which can have a $ figure attributed to it, is the cost of recovery and remediation. Files are inaccessible and systems are down until you find the root cause and remediate the situation. That assumes you have software that will tell you exactly what happened and when it happened. Do you know exactly what needs to be recovered? It will take time to investigate logs and figure out what happened.

Not a problem, you say: IT can just recover from the last backup. But that is not instant; it will take time to restore all the files. That assumes you have the best backup system in the world, when it’s more likely that your backup system is either undersized, underpowered, or funded fully in next year’s budget. But even if your backup is up to scratch, you still don’t have any idea what happened or when it happened. Until you know this, the ransomware is still active on your systems, and recovered files can be encrypted again: payment round 2!

So, to find all this out, you may have to employ an external consultancy to figure it out, and these costs can rise very quickly, very often to 6 figures. Let’s hope they’re feeling generous…

So here is a conservative estimate of the costs of a hypothetical attack, assuming you manage to get back up and running in 2 days (which is probably wishful thinking in most cases):

Lost revenue from 2 days downtime ....... $200,000
SLA failure penalties over 2 days ....... $40,000
Consulting fees ......................... $100,000
Ransom .................................. $100,000

I don’t offer any direction on whether you should pay the ransom or not, but what is clear is that the costs could be astronomical based on what you see above. This estimate is very conservative: in practice the ransom would be higher, as would the time taken to remedy the situation.

What I do say is that companies need detailed and robust ransomware protection plans in place, consisting of endpoint security, firewalls, central file services protection, clearly defined IT policies controlling access and permissions for apps and data, and regular reviews of all these solutions. There should also be a similarly robust recovery plan in place, should an attack take place.

The security team should also deliver regular employee training on being vigilant: not leaving workstations or mobile devices unattended, which sites to avoid, and how to identify scams and phishing emails, so that employees don’t become compromised and turn into the next insider threat.