Ransomware: Should You Pay Up?
April 22, 2021
When it comes to ransomware, there’s only one big question: should you pay the ransom? Should you stand strong, refuse payment, and risk losing access to critical data forever? What if attackers leak your clients’ data just to punish you? Will your business be able to withstand the disruption—and the loss of client trust—if you refuse?
Or alternatively, do you meet ransom demands and resume operations with minimal interruption? What if your attackers show up again in a few months with an even higher price? And again after that? Will your insurance provider continue to cover the cost of multiple attacks, especially if you’ve made few, if any, changes to your security defences?
At the end of the day, you need to do what’s best for your business. But before you make any big decisions, you should have all the facts, including why paying up might not be worth it in the long run. Keep reading to learn more about hackers’ top coercion tactics, the ramifications of a ransomware breach, and whether or not you can count on insurance companies to respond.
Disclaimer: Please note that the information provided herein offers guidelines only. It is not exhaustive and does not constitute legal, insurance, or cybersecurity advice. For more guidance, please consult a lawyer, a licensed insurance representative, and/or a cybersecurity specialist.
How do attackers get you to pay?
Ransomware operators employ a number of coercion tactics to pressure victims into paying ransom demands:
- Internal Reconnaissance: Once they’re in, hackers can lurk undetected and investigate their victims for weeks, or even months, before kicking off a ransomware infection. With deep insight into an organization’s revenue, priority systems, and business plans, threat actors can determine how much to extort and pick the opportune moment to strike. If they locate the system backups, they can also overwrite, encrypt, or otherwise sabotage them to build their leverage.
- Data Exfiltration: Traditionally, cybercriminals would only encrypt data before seeking a ransom. But in a move popularized by the Maze group, it’s now become standard practice to exfiltrate, or copy, an organization’s data prior to encryption. Ransomware groups can then blackmail victims by threatening to publish or sell the files if their demands aren’t met. Data exfiltration is extremely effective and has even secured payment in cases where recovery from backups was possible.
- Double Extortion: Data theft may lead to double extortion, a vicious tactic in which cybercriminals post or sell information online until a ransom is paid. By Q3 2020, almost 50% of ransomware incidents included threats of release; by the end of the year, that figure was up to 70%. The intent here is not to profit from the value of the data through resale, but to incentivize victims by putting the confidential client data they hold in jeopardy, blurring the line between a ransomware event and a privacy breach.
What are the consequences of a ransomware attack?
Ransomware infections are costlier and more devastating than ever. Reports from Coalition note a 47% increase in the severity of attacks from Q1 to Q2 2020. Major losses can be attributed to:
1. Extortion Costs
Emboldened by data exfiltration, double extortion, and now the chaos and confusion of COVID-19, ransom demands have been climbing steadily since 2018. Data from leading ransomware incident response firm Coveware put the average payment in Q2 2020 at $178,254 USD, up 60% from the previous quarter, following an earlier 33% jump from Q4 2019 to Q1 2020.
2. Remediation Costs
Aside from the ransom itself, the overall financial toll from a ransomware event has risen substantially, with organizations also incurring expenses for operational downtime, forensic investigations, data restoration, and incident response. At an average cost of $4.44 million USD, ransomware attacks are far more expensive than the average breach at $3.86 million USD.
Remediation costs can be crippling even for victims that refuse to pay. The city of Baltimore, for example, famously refused to pay their attackers $76,000 USD in May 2019, but ended up spending over $18 million in recovery. These losses will likely be disproportionately more impactful for SMBs, who may not be able to afford $20,000 in ransom, let alone a few hundred thousand in incident response.
3. Business Interruption
Whether or not they pay a ransom, organizations face extensive costs from network outages, lost productivity, and lost revenue while they do repairs or rebuild systems from scratch. Even when backups are readily available, the process of data restoration is tedious and complicated. The average downtime for an attack is 9.6 days, at a conservatively estimated cost of $10,000 USD a day, though the total time to get back online can take months. Companies without backups, or whose backups have been encrypted or destroyed, have a longer road to recovery, especially if intellectual property or competitive information was leaked.
4. Regulatory Penalties
Under mandates like PIPEDA in Canada and the GDPR in Europe, organizations are required to report all privacy breaches that pose a risk of significant harm to individuals. Failure to do so can lead to compliance violations and penalties of up to $100,000 in fines, with potential to go up to $25 million under the DCIA, Canada’s new proposed privacy legislation.
However, a ransomware event does not necessarily constitute a breach unless there is evidence of data theft. Many businesses use this loophole to downplay the effects of an attack and avoid notifying government bodies and affected individuals, which increases their exposure to PIPEDA’s fines if client data is later made public.
On top of that, organizations may face legal action from clients whose data was compromised, long-lasting reputational damage, and diminished goodwill that could impede their long-term success.
The big question: to pay or not to pay?
Caught between the threats of business interruption and data loss and leakage, organizations find themselves in a precarious catch-22. Paying attackers is an easy, short-term solution that may avoid immediate damage, though it’ll cost you more in the long run. Conversely, refusing payment could lead to the permanent erasure of vital information, but could protect your organization from future attacks.
Before you make any big decisions, consider the following:
1. Attackers tailor their demands to your organization.
Often, the cost of remediation appears to outweigh the cost of extortion. Hackers know that recovery is expensive and try to find a sweet spot for their demands: high enough to turn a profit, but lower than what it would take to restore your systems or reconstruct lost data. That way, payment seems like the best, or rather the only, option.
2. The cost of remediation isn’t always higher than the ransom.
Alternatively, if you have proper cybersecurity and backup procedures in place, remediation might not cost you as much. The city of Saint John in New Brunswick, for example, was hit with a ransomware attack in November 2020, with the hackers asking for up to $20 million in ransom. The city refused and ended up paying $2.9 million in total (including the cost of data forensics) to restart everything from scratch.
3. Your data may not be returned intact.
About 20% of victims that pay don’t get their data back. Despite assurances to the contrary, cybercriminals might not provide you with the decryption key after you’ve paid. Plus, the efficacy of decryption tools varies across ransomware variants. While some files may be recovered, your servers and permission registries could be irreversibly corrupted, meaning your data will never be fully restored.
4. Ransomware operators may renege on their promises.
After the initial payment, attackers might raise their price or initiate a staggered release, where files are returned in increments for different amounts. Additionally, paying doesn’t guarantee that any exfiltrated data has been credibly destroyed; hackers have, on occasion, shown fake files as proof of deletion in cases where it did not occur.
5. Paying could invite future attacks.
Once your files have been copied, there’s nothing to stop criminals from leaking or selling data on the Dark Web anyway—or returning for a second wave of attacks at some point in the future. If hackers know you’re willing to pay, they might restart their malicious activity after you rebuild your network and continue to extort money from you over time. Stolen information can also be used to facilitate other illicit activities, like business email compromise, invoice manipulation, and funds transfer fraud.
On another note: paying doesn’t mean you’ve rid your business of the security problems that allowed you to be affected. If you don’t figure out what went wrong and why, and then fix it, you’ll just as easily fall victim to future attacks.
6. Your insurance company might not reimburse you.
Since extortion is covered in most cyber insurance policies, many businesses pay ransom demands to get back up and running quickly, counting on insurers to foot the bill and make them whole again. However, because insurer payouts amount to a guaranteed payment, they could be having the unintended effect of fuelling more ransomware incidents, with criminals asking for more money, more often.
This model is ultimately unsustainable. After years of volatile attacks and higher-than-expected damages, cyber insurers are incurring heavy losses and may no longer be able to absorb the fallout from a major event. Why? Quite simply, they won’t have the reserves to pay for millions in extortion costs for potentially hundreds of clients, in addition to a host of other privacy breach and data security claims.
To learn more about how insurance markets work, read: The Insurance Pendulum: What’s a Hard Market?
How do insurance companies respond to ransom payment?
As ransomware attacks grow in size and significance, insurance companies may start to be more cautious about how much risk they can take on. Eventually, they’ll have no choice but to:
1. Pull back on ransomware coverage.
To protect their existing clients and ensure they’re financially secure enough to pay for other cyber claims, various insurers have already started to reduce their capacity, with limits being lowered on both expenses incurred by the policyholder and liability to third parties. Others might remove ransomware coverage altogether, or make it optional, but with a high premium and deductible.
2. Set more transparent expectations with clients.
While cyber insurance will still cover data breach expenses, organizations cannot continue to rely on insurers to compensate for the gaps in their network security. Even if insurance companies don’t eliminate ransomware coverage completely, they’ll probably need clients to demonstrate that they meet basic security provisions, such as patch management, system policies, and awareness training for all staff, in order to pay out on policies.
PROLINK’s blog posts are general in nature. They do not take into account your personal objectives or financial situation and are not a substitute for professional advice. The specific terms of your policy will always apply. We bear no responsibility for the accuracy, legality, or timeliness of any external content.