The Ransomware Dilemma

The decision on whether to pay up when cybercriminals hold data hostage is shaped by choices leaders made long before an attack.

Reading Time: 9 min 

Topics

Frontiers

An MIT SMR initiative exploring how technology is reshaping the practice of management.
More in this series
Buy
Already a member?
Not a member?
Sign up today
Member
Free

5 free articles per month, $6.95/article thereafter, free newsletter.

Subscribe
$75/Year

Unlimited digital content, quarterly magazine, free newsletter, entire archive.

Sign me up

A. Richard Allen/theispot.com

The ransomware business is booming: In the United States alone, this form of cyberattack increased in frequency by 200% between 2019 and 2021. It’s an urgent threat, but too many leaders are caught flat-footed when it happens to them. Ransomware is malicious software that uses encryption to prevent access to data on the infected machine, effectively paralyzing the computer system. The culprits behind the attack then demand payment in exchange for decrypting the files and restoring access to the infected systems. The tactic dates to the 1980s, but it became a prominent threat to businesses after 2010 with the rise of cryptocurrency, criminals’ preferred mode of payment.

It’s a threat riddled with uncertainties, which makes planning a response difficult. Many organizations just want to find the quickest way out, and that often means paying the ransom, even though the financial burden may be considerable and the outcome far from certain. In a recent study of 300 companies, 64% revealed that they had experienced a ransomware attack within the previous 12 months, and a staggering 83% of those paid the ransom. On average, only 8% of organizations that paid up recovered all of their data, while 63% got about half of it back.

Some organizations receive a demand for a second (and perhaps even higher) ransom, despite having paid the first one on time, but the worst-case scenario is when the victim pays but either never receives the decryption key or it doesn’t work as intended.1

Organizations that decide not to pay also bear costs in terms of business downtime and lost revenues. And organizations that are caught unprepared, without a reliable backup system or an incident response plan, end up suffering the most — not only financially but also reputationally.

If your organization is hit with a ransomware attack, your first step should be to notify law enforcement and, if applicable, relevant data protection authorities. But the options open to you after that depend on how well your organization is prepared to handle such attacks. This article aims to help top management teams decide what to do via six clarifying questions.

Read the Full Article

Topics

Frontiers

An MIT SMR initiative exploring how technology is reshaping the practice of management.
More in this series

References

1.What Happens When Victims Pay Ransomware Attackers?” Trend Micro, Dec. 10, 2018, https://news.trendmicro.com.

2.Ransomware Guide,” PDF file (Washington, D.C.: Cybersecurity and Infrastructure Security Agency and the Multi-State Information Sharing and Analysis Center, September 2020), www.cisa.gov; and “Protecting Data From Ransomware and Other Data Loss Events: A Guide for Managed Service Providers to Conduct, Maintain, and Test Backup Files,” PDF file (Gaithersburg, Maryland: National Cybersecurity Center of Excellence at the National Institute of Standards and Technology, April 2020), www.nccoe.nist.gov.

3. P. Hack and Z. Wu, “‘We Wait, Because We Know You.’ Inside the Ransomware Negotiation Economics,” NCC Group, Nov. 12, 2021, https://research.nccgroup.com.

4. Ö. Işik, T. Jelassi, and V. Keller-Birrer, “Five Lessons of Cybersecurity the Public Sector Can Offer,” European Business Review, forthcoming.

Reprint #:

63419

More Like This

Add a comment

You must to post a comment.

First time here? Sign up for a free account: Comment on articles and get access to many more articles.

No comments