The Ransomware Dilemma

The decision on whether to pay up when cybercriminals hold data hostage is shaped by choices leaders made long before an attack.

Frontiers

An MIT SMR initiative exploring how technology is reshaping the practice of management.


The ransomware business is booming: In the United States alone, this form of cyberattack increased in frequency by 200% between 2019 and 2021. It’s an urgent threat, but too many leaders are caught flat-footed when it happens to them. Ransomware is malicious software that uses encryption to prevent access to data on the infected machine, effectively paralyzing the computer system. The culprits behind the attack then demand payment in exchange for decrypting the files and restoring access to the infected systems. The tactic dates to the 1980s, but it became a prominent threat to businesses after 2010 with the rise of cryptocurrency, criminals’ preferred mode of payment.

It’s a threat riddled with uncertainties, which makes planning a response difficult. Many organizations just want to find the quickest way out, and that often means paying the ransom, even though the financial burden may be considerable and the outcome far from certain. In a recent study of 300 companies, 64% revealed that they had experienced a ransomware attack within the previous 12 months, and a staggering 83% of those paid the ransom. On average, only 8% of organizations that paid up recovered all of their data, while 63% got about half of it back.

Some organizations receive a demand for a second (and perhaps even higher) ransom, despite having paid the first one on time, but the worst-case scenario is when the victim pays but either never receives the decryption key or it doesn’t work as intended.1

Organizations that decide not to pay also bear costs in terms of business downtime and lost revenues. And organizations that are caught unprepared, without a reliable backup system or an incident response plan, end up suffering the most — not only financially but also reputationally.

If your organization is hit with a ransomware attack, your first step should be to notify law enforcement and, if applicable, relevant data protection authorities. But the options open to you after that depend on how well your organization is prepared to handle such attacks. This article aims to help top management teams decide what to do via six clarifying questions. Considering these questions well in advance of an attack might spur you to take some critical actions that could disarm the threat or allow your organization to respond better and recover more rapidly if an attack does occur.

1. Are you technically prepared?

When the REvil ransomware gang attacked software company Kaseya in July 2021, it took the hackers only two hours to exploit the vulnerability in Kaseya’s servers and install the ransomware in hundreds of thousands of downstream organizations. This is faster than most network defense systems can react. Adopting an “assume breach” mentality, which takes a zero-trust approach to systems and prioritizes detection and recovery processes, will enable organizations to think more proactively and focus on response as much as on prevention.

For ransomware in particular, having a thorough understanding of the status of backups in the organization is the first critical step in preparedness. Having a clean and up-to-date backup, as well as the ability to prevent ransomware from encrypting it, provides organizations with their first strategic advantage. Yet, just having backups is not enough in itself — organizations also need to confirm or improve their ability to recover using these backups in an emergency, with minimal loss or hiccups. This capability is still underdeveloped in many organizations: Fifty-eight percent of data backups fail during a restoration attempt. It is critical that organizations regularly test their ability to recover so that they don’t face an unpleasant surprise when a crisis hits. And be aware that ransomware gangs try to locate and encrypt backups. Keeping backups at an offsite location and not connected to the rest of the network makes it extremely hard to find them.
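The restore test this paragraph calls for can be automated. The following Python script is an added example, not code from the article or from the CISA or NIST guidance it cites: it copies a constructed set of files into a backup directory together with a manifest of SHA-256 digests, restores from that backup, and then verifies every restored file against the manifest. With `tamper=True` it first overwrites one backup file with junk bytes, standing in for a backup copy that ransomware managed to reach, so the drill reports that file as corrupt instead of letting the failure surface during a real incident. The file names, the manifest name and the directory layout are assumptions made for the example.

```python
"""Restore-verification drill for file backups (illustrative example)."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path

# Assumed manifest file name; in practice keep a copy of the manifest with the
# offline backup so an attacker who reaches the online copy cannot rewrite both.
MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source: Path, backup: Path) -> dict:
    """Copy every file under `source` into `backup` and record its digest."""
    backup.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        dest = backup / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, dest)
        manifest[rel] = sha256_file(dest)  # hash the copy, not the original
    (backup / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def restore(backup: Path, target: Path) -> None:
    """Restore every file listed in the manifest into `target`.

    Files missing from the backup are skipped here and reported by verify_restore.
    """
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    for rel in manifest:
        src = backup / rel
        if src.is_file():
            dest = target / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dest)


def verify_restore(backup: Path, restored: Path) -> dict:
    """Compare the restored tree with the manifest; classify each file."""
    manifest = json.loads((backup / MANIFEST_NAME).read_text())
    report = {"ok": [], "missing": [], "corrupt": []}
    for rel, expected in manifest.items():
        path = restored / rel
        if not path.is_file():
            report["missing"].append(rel)
        elif sha256_file(path) != expected:
            report["corrupt"].append(rel)
        else:
            report["ok"].append(rel)
    return report


def run_drill(tamper: bool = False) -> dict:
    """End-to-end drill on constructed sample data inside a temporary directory.

    With tamper=True one backup file is overwritten with random bytes before the
    restore, simulating a backup copy that ransomware was able to encrypt.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source, backup, restored = root / "live", root / "backup", root / "restored"
        source.mkdir()
        # Constructed sample data standing in for production files.
        (source / "ledger.csv").write_text("id,amount\n1,100\n2,250\n")
        (source / "docs").mkdir()
        (source / "docs" / "policy.txt").write_text("Incident response playbook v3\n")

        create_backup(source, backup)
        if tamper:
            (backup / "ledger.csv").write_bytes(os.urandom(64))
        restore(backup, restored)
        return verify_restore(backup, restored)


if __name__ == "__main__":
    print("clean drill:   ", run_drill())
    print("tampered drill:", run_drill(tamper=True))
```

Run as a scheduled job against a real backup set, the same three steps (restore to scratch storage, hash, compare with a manifest stored apart from the online backup) turn the vague "we have backups" into a measured, repeatable statement about what can actually be recovered.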

In considering preparations, organizational leaders should also confirm that their IT teams have planned detailed actions in an incident response playbook and that it is up to date, well understood by relevant staff members, and practiced often. This is essential to keeping malware from spreading, hastening recovery, and preserving evidence for law enforcement. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has provided a ransomware guide that details best practices to prevent and respond to a ransomware attack, and the National Institute of Standards and Technology provides good guidance for protecting data from ransomware.2

Decision point: If you have a clean, up-to-date backup and confirmed ability to recover, there’s no need to pay the ransom; the criminals have no leverage.

2. Do you have access to threat intelligence?

While ransomware has evolved into a multitude of types since its emergence, defenses have evolved too. Researchers who crack ransomware strains now post open-access resources online with several decryption keys. In evaluating their options after an attack, organizations should check these resources — and check with federal law enforcement authorities — to see whether a solution to their problem already exists. They should also review the threat intelligence reports offered by cybersecurity research organizations and vendors for any information about the particular criminal enterprise targeting them.

There is great value in understanding exactly whom you are dealing with, since there is no shortage of ransomware threat actors. Since the advent of the “ransomware as a service” business model, anyone can engage in this form of extortion by affiliating with a ransomware gang. Whereas some gangs are extremely selective, others offer affiliate positions to anyone willing to pay a onetime or monthly subscription fee. These affiliates can launch ransomware attacks using the gang’s name and receive a percentage of the ransoms paid. Many are only interested in increasing the volume of infections and don’t bother to send a decryption key once the ransom has been paid. Whether the ransomware gang attacking you is known to send a functioning decryption key can be a critical piece of information that informs your choice.

Decision point: If you have access to relevant decryption keys, you will likely be able to restore data without paying; if you have only threat intelligence about the culprits, that can inform whether payment is likely to yield the desired result.

3. Do you have cyber insurance, and what does it really cover?

A number of insurance companies started offering cyberthreat coverage in the early 2000s, and the market has been developing ever since. The emergence of ransomware as a significant risk has radically increased premiums: Ransomware attacks currently account for 75% of all cyber insurance claims. As a result, several major insurers, such as AXA, will no longer cover ransom payments, only the cost of lost business. And with ransomware attacks suspected of being state-funded, like the NotPetya attack in 2017, an insurer may choose to classify the attack as an act of war that frees it from its liability to pay the claims. Leaders should understand the terms and conditions of their cyber insurance policy and whether it provides ransomware coverage before they experience such an incident.

Decision point: If your cyber insurance covers ransoms, paying the ransom might make sense if you have no other way to recover your data.

4. What is your financial exposure?

Get a handle on recovery costs: Calculate how much the potential business fallout and recovery of lost data would cost your organization. Doing so will not only give you a good understanding of the trade-offs of not investing in information security but also will help you assess whether paying the ransom is an economically reasonable option should you have no others.

Decision point: If payment is feasible and less than the costs of recovery, it remains an option in the absence of other routes out of the mess.

5. What are the legal implications of paying a ransom?

In the absence of up-to-date, complete backups and a well-rehearsed recovery plan, or comprehensive insurance, some organizations will decide that their only option is to pay a ransom. But even this route may be blocked in some cases for organizations operating under U.S. jurisdiction (or where the person responsible for executing the payment is a U.S. citizen). In September 2021, the U.S. Department of the Treasury issued a reminder that making or facilitating ransom payments to cybercriminals on which it has imposed sanctions is illegal and can result in criminal prosecution. Although European authorities are also discussing putting legal restrictions on ransomware payments, none is currently in force. Paying the ransom might seem to be a reasonable way out, but it could create new legal challenges. Precise knowledge of the jurisdictional framework and the threat actor you’re dealing with is essential.

Decision point: If paying the ransom doesn’t put the organization or any personnel in legal jeopardy, it remains an option for resolving the situation.

6. Can you negotiate?

Even if organizations decide that paying ransom is the least damaging route, they should consider bringing in professional negotiators if they have established direct contact with the extortionist. We have seen instances, such as the case of the South Korean web hosting provider Nayana, where victims were able to reduce the requested ransom significantly with the help of negotiators. In some cases, the paid ransom was less than half and sometimes even only a tenth of what was originally requested.3 But it is important to note that some ransomware gangs threaten to delete the decryption key, destroying all hope of system recovery along with it, if their victims hire professional negotiators. Here, the threat intelligence we discussed earlier may be useful to assess the risk.

Decision point: If there is no chance of getting in touch with the people blackmailing you, paying the full amount or accepting the consequences of recovery might be the only option.

It bears repeating: If your organization is the target of cybercriminals, report your experience. No matter what you decide to do about paying the ransom, we encourage you to bring any ransomware incident to the authorities. A new U.S. law will require businesses in sectors deemed critical infrastructure to report ransomware attacks promptly to CISA. In Europe, the General Data Protection Regulation includes cyberincident-reporting obligations as well. Cyberattacks can be investigated more effectively if experts have access to information about similar incidents and the cooperation of affected parties. Also, in a rapidly evolving environment, the best opportunities to learn can be others’ experiences, and that requires disclosure. There are already several initiatives to promote intelligence sharing among a trusted network of peers.4

In an ideal world, the ultimate solution to the ransomware epidemic would be to not pay cybercriminals. But for many organizations grappling with the economic implications of COVID-19 or prioritizing budgets around digital transformation initiatives, cybersecurity investments are still underbudgeted. Most current spending goes to prevention capabilities, such as antivirus/anti-malware or multifactor authentication, and thus detection, response, and recovery processes are overlooked. Until every organization invests to get its cyber hygiene level up to a minimal standard, executives will have to live with the reality of ransomware threats and accept that paying a ransom is sometimes a valid choice. The suggestions in this article may not be sufficient to fully mitigate the effects of a ransomware attack on a company, but we hope that reflecting on them will help executives feel prepared and keep calm during the critical decision-making process.


References

1. “What Happens When Victims Pay Ransomware Attackers?” Trend Micro, Dec. 10, 2018, https://news.trendmicro.com.

2. “Ransomware Guide,” PDF file (Washington, D.C.: Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center, September 2020), www.cisa.gov; and “Protecting Data From Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files,” PDF file (Gaithersburg, Maryland: National Cybersecurity Center of Excellence at the National Institute of Standards and Technology, April 2020), www.nccoe.nist.gov.

3. P. Hack and Z. Wu, “‘We Wait, Because We Know You.’ Inside the Ransomware Negotiation Economics,” NCC Group, Nov. 12, 2021, https://research.nccgroup.com.

4. Ö. Işik, T. Jelassi, and V. Keller-Birrer, “Five Lessons of Cybersecurity the Public Sector Can Offer,” European Business Review, forthcoming.

Reprint #: 63419


Comment (1)
david turner
The ransomware dilemma has become a growing concern among organizations in the digital age. When cybercriminals hold data hostage, organizations must decide if they should pay the ransom or not. This decision is shaped by the choices made by their leaders long before the attack. As organizations become increasingly reliant on technology, they must consider the security measures they have in place to mitigate potential cyberattacks. Organizations should prioritize the implementation of strong security controls to protect their information and limit the potential for a ransomware attack. Furthermore, organizations should consider their contingency plans in the event of a ransomware attack, including the decision of whether or not to pay the ransom.

Here is another great article I recently came across on the same topic: https://alltechmagazine.com/ransomware-as-a-service/