Ransomware: Is There an Alternative to Paying the Ransom?

May 25, 2021

If your organization was struck by ransomware, would it pay the ransom? And if so, how much would it be willing to spend to minimize downtime and retrieve stolen data?

According to statistics gathered by threat researchers at Palo Alto Networks’ Unit 42, the average ransom paid by victim organizations in the US, Canada and Europe almost tripled from $115,123 in 2019 to $312,493 in 2020.

A survey that polled 5,400 IT decision makers in mid-sized organizations in 30 countries across Europe, the Americas, Asia-Pacific and Central Asia, the Middle East, and Africa reported an average ransom payout of $170,404. While $3.2 million was the highest payment among those surveyed, the most common payment was $10,000. Ten organizations paid ransoms of $1 million or more.

For a lot of large companies, that may seem like a deal. After all, it’s considerably less than the $4.4 million that Colonial Pipeline paid to recover its stolen data after cybercriminals held up its business networks with ransomware in early May 2021.

Despite the panic buying that led to gas shortages and long lines at the pumps and the pressure to get things back to normal, Colonial Pipeline was lucky. It was able to retrieve its data after paying the ransom. That’s seldom the case.

The Case for Not Paying Ransoms

A study that reported the share of organizations paying a ransom rose from 26% in 2020 to 32% in 2021 also revealed that only 8% of those that paid got all of their data back.

There’s never a guarantee that cyberattackers will follow through with releasing the hostage data. Even when they do, using the decryption keys to recover information can be complicated. As was seen earlier in 2021 with the DearCry and Black Kingdom ransomware, attacks launched with low-quality or hastily compiled code and techniques can make data recovery especially difficult, if not impossible.

Cybercriminals also can’t be trusted not to come back again in the future – or just to publish the stolen data anyway.

The bigger issue, however, is that paying encourages more attacks. Once a company is known to pay a ransom, it becomes a target for future attacks. Successful attacks also inspire cybercriminals to go after similar types of organizations – and even branch out to other targets.

There’s also the reality that even after paying a ransom, organizations hit by ransomware still have a lot of mitigation and recovery to do after an attack.

While cyber insurance may cover the cost of a ransom payment, it can’t cover the hassle and downtime, much less any impact to employees, customers, vendors and other stakeholders. It can’t do anything to repair a damaged reputation. It also can’t protect against future attacks. Any future attacks are likely to be even more costly as ransomware claims usually are followed by increased premiums.

Not surprisingly, the FBI, other law enforcement agencies and security experts warn against paying a ransom in response to a ransomware attack. To further dissuade ransomware payments, the US Treasury Department is offering official guidance as well.

In an advisory published October 1, 2020, it warned that organizations that pay ransoms, as well as any companies or contractors that work with them to facilitate ransom payments, could be subject to fines. That includes companies that provide cyber insurance, incident response, and digital forensics, as well as all financial services that help facilitate or process ransom payments to certain identified, notoriously high-profile cybercrime organizations, or to entities in certain countries.

The Costs of Downtime and Recovery

Nonetheless, it’s easy to see why some companies might take the risk of paying a ransom. Remediation costs, including lost orders, operational costs, and more, grew from an average of $761,106 in 2020 to $1.85 million in 2021. This means that the average cost of recovering from a ransomware attack is now 10 times the size of the average ransom payment.

According to the CEO at Colonial Pipeline, it will cost his company far more — tens of millions of dollars — to completely restore its systems over the next several months. That’s because recovering from a ransomware attack is about more than just decrypting and restoring data. Whole systems need to be rebuilt from the ground up.

There’s also operational downtime to consider. It’s not just the loss of productivity associated with downtime that causes costs to escalate quickly. Issues ranging from compliance penalties to damaged company reputation also come into play.

The practical method for estimating the cost of downtime is to add your labor costs per hour to the revenue you would lose every hour that your labor force could not work. But you also need to consider these costs:

  • Facilities & Utilities — You’re still paying to keep the lights on even though nobody can get any productive work done. And, you’re paying rent and/or maintenance on your physical plant as well as on all the equipment you lease, etc.
  • Lost Business — How many of your customers might be trying to place an order while your systems are down? How many might lose patience and place that order elsewhere? How many might never return? How much lost business does that represent?
  • Cost of Lost Data — Whatever causes the downtime can also cause data loss, which can cost you customers. If those customers and their data are protected by any governmental regulations, your lapse in compliance may also result in stiff penalties.
  • Cost to Recover — Experiencing downtime means somebody must do something to restore uptime. How much does that cost?
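The estimate described above, carried through as an added example (not part of the original post): a small calculator that combines the hourly labor-plus-revenue base with the four extra cost categories listed. All dollar figures and percentages in the sample run are constructed for illustration; the customer-churn model (share of lost orders whose customers never return, valued at a lifetime value) is an assumption layered on the "Lost Business" bullet.

```python
from dataclasses import dataclass

@dataclass
class OutageInputs:
    hours_down: float
    employees_idle: int
    labor_cost_per_hour: float    # fully loaded cost of one idle employee-hour
    revenue_per_hour: float       # revenue normally booked per hour of operation
    facilities_per_hour: float    # rent, utilities, leases that accrue regardless
    orders_per_hour: float        # customers attempting to order during the outage
    pct_orders_lost: float        # share of those orders placed elsewhere
    pct_customers_churned: float  # share of lost orders whose customer never returns
    customer_lifetime_value: float
    compliance_penalty: float     # one-off fine if regulated data was lost
    recovery_cost: float          # one-off cost of restoring uptime

def downtime_cost(i: OutageInputs) -> dict:
    """Return a per-category breakdown and total for one outage."""
    # The "practical method" from the text: labor + lost revenue per hour.
    base_per_hour = i.employees_idle * i.labor_cost_per_hour + i.revenue_per_hour
    labor = i.employees_idle * i.labor_cost_per_hour * i.hours_down
    revenue = i.revenue_per_hour * i.hours_down
    # Facilities & Utilities: keeps accruing while nobody can work.
    facilities = i.facilities_per_hour * i.hours_down
    # Lost Business: future revenue from customers who leave and never return.
    lost_orders = i.orders_per_hour * i.hours_down * i.pct_orders_lost
    lost_business = lost_orders * i.pct_customers_churned * i.customer_lifetime_value
    total = (labor + revenue + facilities + lost_business
             + i.compliance_penalty + i.recovery_cost)
    return {
        "base_per_hour": round(base_per_hour, 2),
        "labor": round(labor, 2),
        "lost_revenue": round(revenue, 2),
        "facilities": round(facilities, 2),
        "lost_business": round(lost_business, 2),
        "lost_data_penalty": round(i.compliance_penalty, 2),
        "recovery": round(i.recovery_cost, 2),
        "total": round(total, 2),
    }

# Constructed sample: a two-day outage at a 200-person company.
SAMPLE = OutageInputs(hours_down=48, employees_idle=200, labor_cost_per_hour=45,
                      revenue_per_hour=5000, facilities_per_hour=800,
                      orders_per_hour=20, pct_orders_lost=0.3,
                      pct_customers_churned=0.1, customer_lifetime_value=12000,
                      compliance_penalty=50000, recovery_cost=120000)

if __name__ == "__main__":
    for k, v in downtime_cost(SAMPLE).items():
        print(f"{k:>18}: ${v:,.2f}")
```

Running the sample shows that the labor-plus-revenue base alone understates the bill by roughly half once lost customers, penalties and recovery work are added.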

The Solution to the Ransomware Dilemma

Bottom line: Downtime is going to be costly. So is recovery. The costs and negative effects resulting from data that is stolen, can’t be recovered or that gets published are hard to predict but likely to be extremely damaging. It seems like a no-win situation.

However, there are options. They entail minimizing the chance of a ransomware attack happening in the first place, and mitigating the effects if one does happen.

Employing security best practices is a must. Keep up to date on patching. Make sure your systems are regularly monitored. Employ vulnerability scanning to detect and address issues. Train and frequently test employees on security protocols. Have a tested disaster recovery plan in place.

If you don’t have the necessary resources in-house to implement the tools and techniques needed for dealing with ransomware, reach out to third-party companies that specialize in IT security. If you’re using cloud services, seek out solutions offered by your cloud service provider (CSP) such as remote monitoring and advanced firewall services. Also make sure that the infrastructure that powers your CSP’s cloud services is HIPAA and PCI compliant, as that indicates it meets stringent security requirements.

Talk to a solution engineer at US Signal today to discuss your specific situation. Contact us today to get the conversation started.

For more information on ransomware and how to deal with it, download US Signal’s free eBook, Ransomware: Enemy at the Gate.
