Is It Cheaper to Pay for Cybersecurity Now, or to Pay Ransom to Criminals Later?

Breaching enterprise systems and holding their data hostage is a growing threat to organizations everywhere. Governments are fighting back by putting the onus on custodians to protect their data or face hefty fines. Even so, bad actors show no signs of backing off.

New research indicates that, in the face of a ransomware attack, one in three companies would be willing to cut costs associated with the attack by willfully paying the ransom. 16% of those surveyed were not sure what to do in such a situation, and just over half said they were prepared to take a more proactive approach and invest in security to nip such an occurrence in the bud.

The numbers are not entirely surprising. An array of studies has produced similar findings, as businesses everywhere are overconfident in their ability to recover from an attack, despite having poor incident response plans in place – or sometimes none at all.

What if lives are at stake?

One third is not a small number. If 33 percent of businesses are indeed willing to cough up the Bitcoins to free up their data, they might want to know that, according to one particular study, only half of ransomware victims that pay ransom get their data back.

In an opinion piece for Inc.com, Delphi Group founder Thomas Koulopoulos makes a strong case for answering this burning question: should ransomware victims take the easy route and pay up, or adopt a long view and seek to foil attacks. His reasoning is as follows:

“If you're quick to provide an answer as to which school you subscribe to, let me assure you that it's not that easy. For example, if your loved one is in an operating room waiting for a lifesaving procedure and the hospital can't perform it unless $1,000 is paid to decrypt data critical for the operation I can pretty much assure you that you'd pay the ransom yourself. On the other hand if you're the CEO of a hospital down the street from the one being attacked (and your data is not being held hostage) you are likely to be very much against anything that will only increase the likelihood that your hospital will be the next target.”

Paying encourages a criminal business model

The FBI is also on the fence regarding what ransomware victims in the enterprise realm should do. In a notice titled Ransomware Prevention and Response for CISOs, the Bureau concedes that “whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees, and customers.”

At the same time, the agency warns that:

• Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
• Some victims who paid the demand were targeted again by cyber actors.
• After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
• Paying could inadvertently encourage this criminal business model.

Treat an imminent threat accordingly

A ransomware scenario leaves victims with a huge dilemma. On the one hand, paying the ransom motivates attackers to strike again, perhaps harder and with higher demands. Plus, paying does not ensure victims get their data back. On the other hand, if valuable intellectual property or actual lives are at stake, one might not have a choice but to pay up and hope the bad actors stick to their end of the bargain.

The best way to fight ransomware, however, is to adopt a proactive approach and simply take it for what it is – an imminent threat.

Ransomware is growing outside of the public view, hitting Education, Telecom, Finance, Healthcare and Transportation the hardest. The real problem for these verticals is not the actual ransom money demanded by the attackers, but downtime, reputational damage, and other collateral costs associated with the attack.

Bitdefender telemetry found at least 150 new ransomware families in 2017, with only 10% being decryptable – the rest requiring payment. The mean number of new ransomware families per month was around 12.

“Viewing ransomware as an imminent hard drive failure points toward the simplest measure you can take: keep regular, offline backups of your important data,” says Bogdan Botezatu, Senior E-Threat Analyst, Bitdefender. “This way, even if you get infected, you can always recover your important data, whether it’s photos of your cat, or millions of dollars’ worth of intellectual property.”

Besides backups, a robust incident response plan is key to keeping attackers at bay. Organizations that stand to lose millions in the face of such an attack will also want to train their staff to sniff out suspicious activity, such as unsolicited links or email attachments, as phishing is one of the most lucrative attack vectors for ransomware operators.