How To Avoid Ransomware Payments

Deny cybercriminals their payday with backup and disaster recovery

Oussama El-Hilali, CTO, Arcserve

Dover, Mass. – Jul. 7, 2020

Ransomware: We all know what it is — it’s “a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment.” Cybersecurity Ventures reports that an attack is expected every 14 seconds this year and every 11 seconds by 2021.

Simply put, companies, governments, and individuals are getting attacked on the regular, causing downtime and data loss, costing businesses and governments millions of dollars and impacting reputation and customer service.

We all know the stats. We’ve all seen the headlines. We’re all in the mindset of “when, not if.” With the prevalence of ransomware attacks, organizations are often faced with the tough decision to pay a ransom or not, bringing up the question: is it ever ok to make a ransom payment?

When paying the ransom doesn’t pay off

Consider the following examples of organizations that experienced ransomware attacks and the outcomes of those attacks even when ransoms were paid.

In the case of Travelex, following a REvil attack, cybercriminals not only demanded $6 million USD from the UK financial institution, but they also claimed they had consumers’ personal and credit card data. Travelex took its IT systems and websites offline for more than three weeks under the guise of “planned maintenance.” Ultimately, the hacker group encrypted the entire Travelex network, deleted backup files and exfiltrated 5GB of personal data despite Travelex paying a ransom of $2.3 million in bitcoin.

Lake City, Florida, fell victim to the Ryuk ransomware strain, rendering online city services useless. City departments were unable to accept payments online or via credit card, forcing the city to only accept cash or money orders and provide handwritten receipts. With help from its insurance provider, the city “negotiated” a ransom payment of 42 bitcoins, or $500,000. Over 100 years’ worth of records were encrypted for almost a month, and despite the ransom payment, the city didn’t recover all its data.

A cost/benefit analysis of paying ransom

When asked whether companies should pay a ransom, we recognize that this is a business decision, so let’s look at a cost/benefit analysis of making a ransom payment.

The FBI doesn’t encourage paying a ransom but understands the criticality of considering a ransomware payment. When businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees, and customers. According to its Ransomware Prevention and Response to CISOs document, the FBI recommends ransomware victims consider the following factors:

  • Paying a ransom does not guarantee an organization will regain access to their data; in fact, some individuals or organizations were never provided with decryption keys after paying a ransom.
  • Some victims who paid the demand were targeted again by cyber actors.
  • After paying the originally demanded ransom, some victims were asked to pay more to get the promised decryption key.
  • Paying could inadvertently encourage this criminal business model.

It’s often thought that your only option is to pay the ransom or endure the damaging impacts of downtime and data loss. And while the immediate effects of an attack can cripple your organization, the consequences of an attack can be far-reaching.

If an organization is attacked and caught flat-footed, the resulting data loss and downtime could threaten its sustainability. It could mean lost jobs and financial impacts for customers, and could even threaten lives in the case of healthcare systems.

Ransomware’s impact on consumer loyalty and purchasing behavior

Arcserve surveyed approximately 2,000 consumers to gain insight into their tolerance threshold for ransomware, which we found was shockingly low: if you fail to protect consumer data from ransomware attacks or ensure access to information, even once, they’ll move on to a competitor that can. The insights we gained from our survey are sobering.

An overwhelming 70 percent of respondents don’t believe organizations are doing enough to protect their data.

Almost 60 percent reported they would likely avoid doing business with an organization that experienced a cyberattack in the past year, and their level of forgiveness won’t increase much with time: 45 percent won’t do business with you if cybercriminals have attacked your organization in the past three years.

Consumers don’t tolerate ransomware-related service disruptions and aren’t willing to wait for your ransomware recovery: 58 percent will switch to a competitor if they experience two or fewer disruptions, with 28 percent reporting they will walk away after just one disruption. And 37 percent will switch to a competitor if your systems and applications aren’t available and back online within 24 hours of an attack.

With so much on the line when it comes to the impacts of ransomware, from data loss and downtime to loss of consumer trust, organizations are hard-pressed to ensure they are doing all they can to protect themselves from cyberattacks.

Is it ever OK to make a ransom payment?

The FBI doesn’t advocate paying ransoms, though it does recognize that business impacts can have a negative effect on organizations; its stance is rooted in the perception that ransom payments simply embolden cybercriminals to escalate their attacks. However, if an organization is caught flat-footed, the resulting data loss and downtime could threaten its sustainability. It could mean lost jobs and financial impacts for patients.

Different organizations must evaluate what is right for their business, so as painful as this is, engaging in this dialogue now can ensure you’re prepared to respond in the face of a ransomware attack or — better yet — avoid it altogether.

A few ransomware payment stats that don’t inspire much confidence:

  • A recent CyberEdge Group survey found that only two-thirds of the organizations that paid ransoms actually recovered their data
  • A SentinelOne report found that only 26 percent of organizations that paid up were able to unlock their files
  • The same SentinelOne report also found that, of those organizations that executed ransomware payments, 73 percent were attacked again

The decision to pay a ransom or not is for the business and the business owners to make. While the entity victimized by the attack should decide whether to pay or not, we can suggest some actions to help organizations better prepare for that eventuality.

A better way forward

At Arcserve, our goal is to provide decision-makers with knowledge and tools to help drive the conversation and offer insights to help make an educated and thoughtful decision. Our stance is that no one should ever feel compelled to cave to a criminal’s demands. And, with a solid backup and disaster recovery plan in place, you don’t have to.

As such, we advise preparedness. A proactive approach to preventing ransomware attacks is a company’s best course of action.

  • Arm your first line of defense: your end-users — Awareness breeds caution. Empower your end-users to act as a human firewall through regular cybersecurity training and testing.
  • Secure your endpoints to keep cybercriminals at bay — Ransomware is becoming increasingly sophisticated. Leverage cutting-edge cybersecurity technologies and best practices to deny cybercriminals the access they are after.
  • Deny cybercriminals their payday with backup and disaster recovery — Hackers require leverage to demand a ransom. When you’re equipped to rapidly restore clean copies of your data, systems, and applications, you undercut their power.

Ultimately, the best way to avoid having to make a ransom payment, or even having to consider the possibility, is through integrated data security and protection.

As the world’s most experienced data protection solution provider, we help businesses protect their priceless digital assets. And, through our alliance with Sophos, the global leader in next-generation cybersecurity, we now offer the only means to unify cybersecurity, data backup, and disaster recovery. Arcserve solutions secured by Sophos allow organizations to neutralize cyberattacks with fully-integrated cybersecurity and ransomware recovery technologies for on-premises, cloud, and SaaS-based workloads.

Oussama El-Hilali is Chief Technology Officer for Arcserve and is responsible for setting the global product strategy and managing the development and product management teams. He has nearly 25 years of IT and R&D experience, driving product strategy and road maps, acquisition of new technology, and developing strategic business partnerships in both Fortune 100 and emerging companies.

About Arcserve

Arcserve provides exceptional solutions to protect the priceless digital assets of organizations in need of full scale, comprehensive data protection. Established in 1983, Arcserve is the world’s most experienced provider of business continuity solutions that safeguard multi-generational IT infrastructures with applications and systems in any location, on premises and in the cloud.

Organizations in over 150 countries around the world rely on Arcserve’s highly efficient, integrated technologies and expertise to eliminate the risk of data loss and extended downtime while reducing the cost and complexity of backing up and restoring data by up to 50 percent.

Arcserve is headquartered in Minneapolis, Minn. with locations around the world. Explore more at Arcserve.com and follow @Arcserve on Twitter.