But paying the ransom likely means they will be back up sooner than otherwise and it negates a whole lot of other issues. I am not saying every victim should pay the ransom. Obviously, if we keep doing that ransomware will never stop. But if you think paying the ransom is mostly about getting a decryption key then you’re not thinking about ransomware correctly. It’s changed. And paying the ransom is often still the best choice even if you have great backups. Here’s why:
You Still Get More Usable Data
First, the victims that do pay the ransom have an overall better data recovery rate. The same report above that said only 8% of victims that pay the ransom get their all their data back also concluded this, “The researchers found that, on average, victims who pay the ransom recover about 65% of their data, while 29% of respondents said they recovered less than 50% of their data.” So, if you want a better chance of recovering more of your data without recreating it or doing without it, pay the ransom.
Faster Recovery Time
I know many victims who philosophically and ethically refused to pay the ransom. I applaud them. However, many of them were still down or not fully operational far longer than the victims that paid the ransom, on average. I know of many victims who did not pay the ransom who were down months and were still not fully operational nearly a year later. I haven’t heard that from victims who paid the ransom.
Data Exfiltration Is a Huge Worry Now
Over 70% of ransomware now exfiltrates a victim’s confidential data, files, logon credentials, and email before launching the encryption process. Most ransomware gangs spend weeks to months surveilling the victim, reading C-Level emails, and trying to figure out the “crown jewels” of the organization. Then they steal the confidential information and threaten to release it publicly, or to hackers, if they are not paid. A backup is not going to save you.
An organization’s vital, confidential data is released all the time. It happened to DC Metro police recently. The ransomware group got mad because the victim’s initial negotiation amounts were too low. The ransomware group released the vital information on recent police recruits (including their personal identifying information) and internal reports with confidential information I am sure the police would not want released.
Ransomware gangs just want to get paid. They will do whatever they can to the victim…encrypt files, denial-of-service attack them, steal and post information, attack their employees, attack their customers, attack their partners…whatever it takes…to get the victim to pay. Every ransomware group would be glad to not to have do any of these things if meant they would be paid. They are also just as willing to cause as much pain and embarrassment as possible to get paid. And if you don’t pay, they will make it as painful as possible as a lesson to the current and other victims.
And when they attack your employees, customers, and partners, they let them know that the only reason they are attacking them is because the original victim didn’t pay. They say the original victim didn’t care about them and their data enough to stop the ransomware attack and didn’t care about their personal information enough to pay the original ransom. It must cause some reputational issues with the original victim.
What ransomware is doing beyond just encrypting files isn’t new. The new class of ransomware, which I dubbed Ransomware 2.0, started showing up in November 2019. I first wrote about these issues back in January 7, 2020. The only thing that has changed is the percentage of ransomware that started to deploy these additional tactics. Today, it’s over 70% of all ransomware, and it’s likely far higher than that. Heck, if all ransomware does is encrypt your files when it goes off, consider yourself “lucky”.
Less Likely to Be Hacked by the Same Group Again
One of the biggest questions I get about ransomware is if the ransomware group will hack the victim again even after they pay the ransom? After all, they are criminals, who can trust them? Well, if ransomware criminals re-attacked the victims that paid them, no one would pay them. It’s in the ransomware group’s own best interests to not re-attack the same victims after a ransom has been paid. In fact, most ransomware groups keep track of who has paid the ransom and purposefully avoid them. I’ve heard of victims being re-hit by the same group, complaining to the group that they already paid the ransom, and the ransomware group helping to quickly unlock their files.
Conversely, I’ve heard of a lot of victims who didn’t pay the ransom who were hit again by the same group, but the second time is always much worse - more servers encrypted, more damage, more pain, higher ransom request.
And this is not to say that some victims that paid the ransom don’t get hit again by the same ransomware family. There are unscrupulous ransomware gangs who have no “thief’s honor code”. But it happens more often because the ransomware is being used by multiple “affiliates” and another affiliate accidentally hits the same victim again because they entered through another IP address or business unit of the same company that wasn’t on the ransomware groups “do not target again” list. Mistakes happen. And once the group has successfully hit a victim, again or not, some don’t back down. But it’s clear that the victims that do pay the ransom are usually not hit again by the same group.
What happens far more often is that a victim pays the ransom to one ransomware group and is then, weeks or months later, hit by a completely different ransomware group because they did not get secure enough to keep other groups out. You must close all your vulnerabilities if you want to stay secure. Paying the ransom is not a “Get out of Jail Free” card that all the other ransomware groups will respect. Paying the ransom only gives you that “right” within the same ransomware group. Most victims who pay the ransom will not be hit again by the same ransomware group. That’s the best we can say.
Paying the Ransom Is a Business Decision
Paying the ransom or not is usually a business decision. It even involves figuring out if it is legal to pay the ransom to the group requesting it based on your country’s laws. It is not to be taken lightly. But paying the ransom is about far more than getting a decryption key. You should have already decided ahead of time, before you are hit by ransomware, if you will pay the ransom. That’s senior management and legal decision. But make sure they understand all the facts and ramifications so they can make the best decision for the organization.
Your Only Defense Is Prevention
It is clear that a good backup and even paying the ransom will not protect you if you get hit by ransomware. Your only defense is to prevent it from happening in the first place. It can be done. Organizations do prevent ransomware from getting a foothold in their organization. How do they do it?
First, they focus on the key methods that hackers and malware use to get into most organizations. That means fighting social engineering, better patching, and good password policies. Fighting these three things will do more to prevent ransomware attacks than everything else. Heck, just concentrating on fighting social engineering, far better, will reduce the most cybersecurity risk to your organization of anything you can do. Social engineering and phishing is the number one way that most organizations get compromised by cybercriminals, but most organizations do not focus their mitigations as if that key fact were true.
You need to use your best combination of layered defenses, including policies, technical defenses, and controls, to prevent your organization from being compromised by social engineering and phishing. How can you do that? Glad you asked. You can download KnowBe4’s Comprehensive Anti-Phishing Guide here.
We are in a terrible era where hackers, malware, and especially ransomware, is running amok. It is going to be many years before it starts to get under control. It’s going to take not only better defenses, but a very tough-to-surmount geopolitical agreement. Ransomware will not get under control until the countries that give cyber safe havens to these types of criminals are forced to crack down on them. That is not happening anytime soon.
Till then, your best defenses are to fight with renewed vigor social engineering, better patch, and have a good password policy. Doing far better at these three things will do more to significantly reduce your exposure to ransomware than anything else you can do. Prevention, not backups, are the keys. Make sure management is aware of the changes in ransomware and how data encryption is not the only threat. Management needs to be aware of what paying or not paying the ransom means so they can make their best decision.
KnowBe4 is the world’s first and largest New-school security awareness training and simulated phishing platform that helps you manage the ongoing problem of social engineering.
The KnowBe4 platform is user-friendly and intuitive. It was built to scale for busy IT pros that have 16 other fires to put out. Our goal was to design the most powerful, yet easy-to-use platform available.