Ransomware is a serious threat to organizations of all sizes. Criminals encrypt a victim's files, and increasingly copy them out first, then demand a ransom for the decryption key that would let the organization get its files back. They target companies, municipalities, hospitals and others, scaling the demand to what they believe the victim can pay. They also hit small businesses, assuming a small business has no working backup routine and will have to pay rather than risk losing critical files.
Should Businesses Pay a Ransomware Demand?
There is a theory that a business that pays the ransom will get its files back, because otherwise the crime would stop paying: victims would learn that paying is futile. The FBI nevertheless advises against paying. Paying does not guarantee that the criminals will hand over a working decryption key, and a victim known to pay may be marked as an easy target for further attacks. Recent studies show about 20 percent of organizations that pay the ransom never get their data back.
What happens When Companies Refuse to Pay the Ransom?
The criminals behind the Maze ransomware strain set up a public website listing at least eight companies that refused to pay, and posted proof of each intrusion, embarrassing companies that had managed to keep the breach out of the news. Once attackers have copied data out before encrypting it, the incident is a data breach and not only an outage, which obliges the company to follow its state's data-breach notification laws and any industry-specific federal rules.
In May 2019, the City of Baltimore refused to pay a ransom demand of roughly $76,000, payable in Bitcoin. The mayor said the city would have to find the money to rebuild its network. Recovery ended up costing the city more than $18 million, not counting the cost of hardening against further attacks.
Should Companies Report a Ransom Demand to Law Enforcement?
Businesses should report to the FBI's Internet Crime Complaint Center (IC3) whether or not they can restore their files without paying. The FBI needs as much information as possible to investigate the criminals and the tactics they use. Healthcare providers in the United States have a further obligation: under HHS guidance, a ransomware infection that encrypts protected health information is presumed to be a HIPAA breach, reportable to the Department of Health and Human Services, unless the provider can show a low probability that the data was compromised.
What’s the First Thing an Organization Should Do After Receiving a Ransom Demand?
Having reported the demand to the FBI, a company must activate its business continuity plan. The first step is for the IT department or an outside responder to contain the outbreak: isolate infected machines from the network, disable compromised accounts, and find out how the malware got in so the same door is not reopened on restore. Next, restore data from backups. Those backups must be offline or otherwise unreachable with the credentials the attacker obtained; a cloud backup that a compromised account can write to is often encrypted or deleted along with the production data. Organizations with working backup plans have recovered without paying a ransom in more than half of recent ransomware attacks.
Next, the company must inform investors, customers and other affected parties about what happened: which data is in the criminals' hands and what the company is doing about it. Companies that act promptly and are transparent about a breach fare better with the public.
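The restore step above has a failure mode the plan must handle: a snapshot taken after the malware started encrypting, or one that carries the attacker's ransom notes, simply brings the problem back. The script below is an added example and not code from the article or from any organization it mentions; it walks a mounted backup snapshot and flags files by three indicators (a ransomware-style extension, a ransom-note-like filename, and near-maximal byte entropy, with already-compressed formats excluded so photos and archives are not mistaken for ciphertext). The thresholds, the extension and note-name lists, and the sample snapshot it builds are all assumptions constructed for the example.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path
from typing import Optional

# All thresholds and indicator lists below are assumptions for this example,
# not values from the article; tune them to the strain and environment at hand.
ENTROPY_THRESHOLD = 7.2   # bits/byte; ciphertext sits near 8.0, English text near 4-5
MIN_SIZE = 256            # tiny files give a noisy entropy estimate, so skip them
SUSPECT_EXTENSIONS = {".locked", ".encrypted", ".crypt"}      # hypothetical ransomware suffixes
NOTE_HINTS = ("decrypt", "recover", "ransom")                  # hypothetical ransom-note name fragments
COMPRESSED = {".jpg", ".jpeg", ".png", ".gif", ".zip", ".gz", ".7z", ".mp4", ".pdf"}  # high entropy by nature


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the buffer (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path) -> Optional[str]:
    """Return why a file looks like ransomware residue, or None if it looks clean."""
    suffix = path.suffix.lower()
    name = path.name.lower()
    if suffix in SUSPECT_EXTENSIONS:
        return "suspect extension"
    if suffix in (".txt", ".html", ".hta") and any(h in name for h in NOTE_HINTS):
        return "possible ransom note"
    if suffix in COMPRESSED or path.stat().st_size < MIN_SIZE:
        return None  # compressed formats are high-entropy anyway; not evidence of encryption
    with path.open("rb") as fh:
        head = fh.read(64 * 1024)  # a 64 KiB sample is enough to tell ciphertext from documents
    if shannon_entropy(head) >= ENTROPY_THRESHOLD:
        return "high entropy"
    return None


def scan_backup(root: Path) -> dict:
    """Walk a mounted snapshot and list files that look encrypted or like ransom notes."""
    flagged = []
    scanned = 0
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        scanned += 1
        reason = classify_file(path)
        if reason:
            flagged.append((str(path.relative_to(root)), reason))
    return {"scanned": scanned, "flagged": flagged}


def safe_to_restore(summary: dict) -> bool:
    """Policy decision: only promote a snapshot that carries no ransomware indicators."""
    return summary["scanned"] > 0 and not summary["flagged"]


def build_sample_backup() -> Path:
    """Constructed sample snapshot (not real data): two clean files, one ciphertext, one note."""
    root = Path(tempfile.mkdtemp(prefix="snapshot-"))
    docs = root / "docs"
    docs.mkdir()
    (docs / "report.txt").write_text("Quarterly report: revenue up 3 percent, costs flat.\n" * 20)
    (docs / "photo.jpg").write_bytes(os.urandom(4096))           # high entropy, but a compressed format
    (docs / "budget.xlsx.locked").write_bytes(os.urandom(4096))  # the strain's renamed ciphertext
    (root / "HOW_TO_DECRYPT.txt").write_text("Your files are encrypted. Pay to recover them.\n")
    return root


if __name__ == "__main__":
    snapshot = build_sample_backup()
    result = scan_backup(snapshot)
    for rel, why in result["flagged"]:
        print(f"{why:22} {rel}")
    print("safe to restore:", safe_to_restore(result))
```

Run it against each candidate snapshot, mounted read-only, before it is promoted to the restore source; a clean snapshot returns True from `safe_to_restore`. Entropy is a heuristic, so treat the flagged list as files to examine rather than a verdict, and pair the result with the timestamp of the first known encryption so you restore from a point before it.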
Why Should Companies Avoid Handling Ransom Demands on Their Own?
In 2016, Uber paid $100,000 in Bitcoin to attackers who had stolen data on 57 million users, in exchange for deleting it. Uber's security staff tracked down two of the men responsible and, instead of alerting law enforcement, had them sign nondisclosure agreements. Uber did not disclose the theft until November 2017, a year later, after new CEO Dara Khosrowshahi took over. U.S. Attorney David L. Anderson in San Francisco later charged Uber's former Chief Security Officer, Joseph Sullivan, with obstruction of justice over the cover-up. As a former federal prosecutor who specialized in computer crime, Sullivan should have known better.
How Many Companies Pay the Ransom?
About three-quarters of companies that have never faced a ransomware demand say they would not pay; among companies actually hit, two-thirds pay, according to an IBM study. Criminals are getting better at pricing: they ask only for a ransom the company will judge reasonable against losing sensitive data. Companies also weigh reputational damage against the cost of paying, and rebuilding confidence in a brand is expensive and slow.
How Do Companies Pay the Ransom?
The first ransomware did not use Bitcoin at all: early strains demanded payment through prepaid vouchers such as MoneyPak, Ukash or Paysafecard, and Bitcoin became the standard once CryptoLocker-era strains adopted it in 2013. Bitcoin is pseudonymous rather than untraceable: every transaction is recorded on a public ledger, and blockchain analysis has followed ransom payments to the exchanges where they were cashed out, which is one reason some groups have moved to privacy coins such as Monero. Western Union transfers, which some criminals also demand, go through a regulated money-transfer business and are not anonymous either. Amazon or iTunes gift cards show up in low-end scams aimed at individuals, but the groups behind the large attacks on organizations still demand cryptocurrency.
Large and small companies are equally at risk, because ransomware is increasingly easy to deploy. Criminals do not need to be skilled coders: Ransomware-as-a-Service kits sell for as little as $39 on the dark web, and an affiliate can hit many organizations and clear thousands of dollars even after paying the RaaS operator its cut.