This week I will be answering a question on the minds of many CISOs and company executives: If we are the victim of a cyber attack, should we pay the ransom?
I’ll share three things to consider before you pay a ransom. But first, let’s talk about what’s been going on in the world of ransomware lately.
Ransomware Is Getting National Attention
Ransomware has been having its 15 minutes of fame in recent weeks after these types of attacks hit the mainstream media.
The Colonial Pipeline attack caused 1970s-era lineups at gas stations up and down the East Coast when the company turned off the pumps after a ransomware attack.
A month later, meatpacker JBS Foods, which produces a quarter of US beef, was forced to shut down its production until the company paid an estimated $11 million to release both the North American and Australian operations.
The US government is taking notice: Federal authorities clawed back the bitcoin paid to the Colonial Pipeline hackers, and the White House issued an open letter to businesses with tips on how to defend themselves from ransomware attacks.
Many Woodruff Sawyer clients are already familiar with the security controls the National Security Council referenced in that letter since we have been discussing their importance for a while now.
Is Insurance to Blame?
Ransom payments are a touchy subject in the insurance community. Most media stories about ransomware attacks will include a quote or headline blaming the cyber insurance community for exacerbating the problem by paying the ransom.
The premise is that a company is more willing to pay a ransom because the insurance exists, and that the ransomware attackers are being enriched by insurance companies that collect ever-higher premiums for taking on the risk.
To say that I disagree with the premise is an understatement.
Like many of our colleagues in the cyber insurance industry, we’ve handled a high volume of ransomware incidents. In most instances, whether there was a cyber insurance policy to cover the cost of the ransom was not a factor in deciding whether to pay the ransom.
Three Things to Consider Before Paying a Ransom
Here are the three things that companies need to consider before coughing up the cash:
1. Can We Restore from Backups?
This is always the first question to ask when becoming a victim of a ransomware attack. For a while, many companies ignored the ransom demand, restored the data from the backup, and went on their merry way.
It was a good approach for a short while, until hackers upped their game. They started locating and encrypting the backups before they launched the ransomware. Once a company has no clean backup from which to restore its data and network, it has no choice but to pay the demand.
The takeaway? Best practice is to have good backup procedures in place, including offline backups stored separately from the network. I'd also recommend that a CISO test a full system restoration from backups to make sure the process is ironed out before a live event.
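The two controls above, a backup whose integrity record is kept off the production network and a restore drill that is run before an incident, can be scripted. The following is an added example written for this post; it is not code from Woodruff Sawyer or from any product the post mentions. It assumes backups are tar archives and simulates "offline" storage with a separate directory that the script writes to once and then only reads; the small data tree, the file names and the manifest layout are all constructed for the demo.

```python
"""Offline backup manifest and restore-test drill (added example, constructed).

Assumptions: backups are gzip tar archives; the manifest (archive hash plus
per-file hashes) is written once to storage the production network cannot
modify. Here that storage is just a separate directory, so the demo runs
offline in a temp folder.
"""
import hashlib
import json
import os
import tarfile
import tempfile


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src_dir: str, backup_path: str) -> dict:
    """Archive src_dir and return the manifest to be stored offline."""
    files = {}
    with tarfile.open(backup_path, "w:gz") as tar:
        for root, _, names in os.walk(src_dir):
            for name in sorted(names):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir)
                tar.add(full, arcname=rel)
                files[rel] = sha256_file(full)  # hash of the live file at backup time
    return {"archive_sha256": sha256_file(backup_path), "files": files}


def verify_backup(backup_path: str, manifest: dict) -> bool:
    """Cheap first check: does the archive on disk still match the offline record?
    An attacker who encrypts the backup before firing the ransomware changes every byte."""
    return os.path.exists(backup_path) and sha256_file(backup_path) == manifest["archive_sha256"]


def restore_drill(backup_path: str, manifest: dict, staging_dir: str) -> dict:
    """Full drill: extract to a staging area and compare each restored file to
    the hash recorded when the backup was taken. Never extracts an archive whose
    overall hash already fails, since its contents cannot be trusted."""
    result = {"archive_ok": verify_backup(backup_path, manifest), "mismatched": [], "missing": []}
    if not result["archive_ok"]:
        return result
    # Use the 'data' extraction filter where available (blocks path traversal
    # and absolute paths inside the archive); older Pythons lack the argument.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(backup_path, "r:gz") as tar:
        tar.extractall(staging_dir, **kwargs)
    for rel, expected in manifest["files"].items():
        restored = os.path.join(staging_dir, rel)
        if not os.path.exists(restored):
            result["missing"].append(rel)
        elif sha256_file(restored) != expected:
            result["mismatched"].append(rel)
    return result


def run_drill_demo() -> dict:
    """Constructed scenario: back up a tiny tree, drill once (clean), then overwrite
    the archive with random bytes to mimic a backup that was encrypted ahead of the
    ransomware, and drill again. Returns both drill reports."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "data")
        os.makedirs(os.path.join(src, "docs"))
        with open(os.path.join(src, "ledger.csv"), "w") as f:
            f.write("id,amount\n1,100\n2,250\n")  # constructed sample data
        with open(os.path.join(src, "docs", "policy.txt"), "w") as f:
            f.write("offline backups, tested quarterly\n")  # constructed sample data

        backup = os.path.join(tmp, "nas", "backup.tgz")   # reachable from the network
        offline = os.path.join(tmp, "offline", "manifest.json")  # simulated offline copy
        os.makedirs(os.path.dirname(backup))
        os.makedirs(os.path.dirname(offline))

        with open(offline, "w") as f:
            json.dump(create_backup(src, backup), f)
        with open(offline) as f:
            manifest = json.load(f)  # later drills read the manifest, never rewrite it

        clean = restore_drill(backup, manifest, os.path.join(tmp, "staging-clean"))
        with open(backup, "wb") as f:  # simulate the backup being encrypted in place
            f.write(os.urandom(os.path.getsize(backup)))
        tampered = restore_drill(backup, manifest, os.path.join(tmp, "staging-tampered"))
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(run_drill_demo(), indent=2))
```

Running it prints two reports: the first shows `archive_ok` true with no missing or mismatched files, the second shows `archive_ok` false, which is the signal a CISO wants to see in a scheduled drill rather than on the day of an incident. The key design choice is that the manifest is produced at backup time and stored where the production network can only read it; a hash kept next to the archive would be overwritten along with it.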
2. Was Any Data Taken That Would Be Catastrophic to the Company?
Another method attackers have used lately to compel ransom payments is exfiltrating data from a company before deploying their ransomware. This way, even if a company has good backups, it may still pay a ransom if the stolen data is highly sensitive or its release would greatly damage confidence in the company going forward.
(The ransomware demands on Apple after one of their suppliers was hacked included leaking schematics for products in development. To prove their commitment, the hackers leaked some at an Apple launch event.)
This is known as a double extortion attempt, where the attackers extort you both to get your network access back and to ensure your data is returned. And yes, it does raise the question: How do you really ensure the data is returned or destroyed once it has been stolen from you?
3. How Long Will it Take to Get Our Company Back to Business if We Don’t Pay?
“So, what happens if we don’t pay?” That question eventually makes its way to the table. What are the potential costs if the demand is ignored?
When determining whether to pay a ransom, many companies perform a financial analysis as the final step. Sometimes the damage from the ransomware attack is so severe, and the downtime needed to restore the network so detrimental to the company, that not paying costs more than the actual ransom.
Just ask the city of Baltimore: They refused to pay a $76,000 ransom in 2018. So far, it’s cost an estimated $18.2 million to fix the mess—the ultimate game of “pay me now or pay me later.”
Ransomware attacks aren't showing any signs of slowing down, and they are an aspect of cyber risk that can have catastrophic and existential consequences for some companies.
Cyber insurance has certainly supported a large number of companies that have been hit with ransomware, covering their first-party response costs like IT forensic investigations and legal services.
And yes, cyber insurance has reimbursed many companies that have chosen to pay the ransom demand. But rarely has the existence of cyber insurance weighed into the decision to pay or not.