Ransomware: should you pay the ransom?

Cyber attacks are evolving and one type is becoming particularly popular for cyber criminals: ransomware. Should your organization pay the ransom?


What is ransomware?

Ransomware is malware that locks a computer or encrypts its files so that users can no longer access them. Cyber criminals then demand that the victim pay a ransom to regain access to the data. Because encrypting the files a user can already write to does not require elevated or administrative credentials, ransomware is harder to contain through privilege controls than many other types of malware. It has become such a prominent cyber threat that Trend Micro has predicted 2016 as the “year of online extortion.”

How do ransomware attacks unfold?

There are five key stages to a ransomware attack:

  1. Enter: ransomware enters the system through malicious websites, email attachments or by exploiting a vulnerability.
  2. Exploit: it exploits additional vulnerabilities in the system to extend its control over further file locations (including network shares) or user accounts.
  3. Execute: it executes and installs itself on the compromised system and then contacts a command and control server, typically to obtain or register the encryption key.
  4. Encrypt: it encrypts or locks data and files on the system.
  5. Extort: a ransom demand is made in exchange for a decryption key that unlocks the system.
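The Encrypt stage is the one defenders can still catch before the Extort stage begins: prose, spreadsheets and source files have an entropy of roughly 4 to 5 bits per byte, while ciphertext approaches 8. The script below, added here as an illustration and not EY's tooling, baselines the entropy of every file under a directory, then flags files that either flip from low to high entropy or reappear with a ransom suffix. Scoring the change rather than the absolute value keeps already-compressed files (zip, jpeg) out of the alert. The thresholds, the suffix list, the corpus of sample files and the "encryption" stand-in (random bytes of the same length, not real encryption) are all constructed for the example.

```python
"""Entropy-delta detection of a ransomware Encrypt stage (added example)."""
import math
import os
import tempfile
from collections import Counter

# Assumed tuning values (illustrative, not from the original article).
ENTROPY_THRESHOLD = 7.5      # bits/byte; encrypted output approaches 8.0
SAMPLE_BYTES = 65536         # only the head of each file is scored
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")  # illustrative suffixes
ALERT_FRACTION = 0.5         # alert when >= 50% of baselined files flip


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: ~4-5 for prose, ~8 for ciphertext or random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: str) -> dict:
    """Map each file (path relative to root) to the entropy of its first SAMPLE_BYTES."""
    snap = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                snap[os.path.relpath(path, root)] = shannon_entropy(fh.read(SAMPLE_BYTES))
    return snap


def original_name(path: str) -> str:
    """Strip a known ransom suffix so 'memo.txt.locked' is matched to 'memo.txt'."""
    for suffix in RANSOM_SUFFIXES:
        if path.endswith(suffix):
            return path[: -len(suffix)]
    return path


def detect_mass_encryption(before: dict, after: dict) -> dict:
    """Flag baselined files that became high-entropy or gained a ransom suffix.

    Files with no baseline entry are ignored; files that were already
    high-entropy in the baseline (archives, images) are not flagged.
    """
    flagged = []
    for path, ent_after in after.items():
        orig = original_name(path)
        ent_before = before.get(orig)
        if ent_before is None:
            continue                      # new file, nothing to compare against
        renamed = path != orig
        jumped = ent_before < ENTROPY_THRESHOLD <= ent_after
        if renamed or jumped:
            flagged.append(orig)
    fraction = len(flagged) / len(before) if before else 0.0
    return {"flagged": sorted(flagged), "fraction": fraction,
            "alert": fraction >= ALERT_FRACTION}


def simulate_encrypt_stage(root: str, names) -> None:
    """Stand-in for the Encrypt stage used only to exercise the detector:
    overwrite each file with random bytes of the same length (which mimics the
    entropy of ciphertext) and add a ransom suffix. This is NOT real encryption."""
    for name in names:
        path = os.path.join(root, name)
        size = os.path.getsize(path)
        with open(path, "wb") as fh:
            fh.write(os.urandom(size))
        os.replace(path, path + RANSOM_SUFFIXES[0])


def demo() -> dict:
    """Build a constructed corpus, baseline it, simulate encryption, detect."""
    prose = ("The quick brown fox jumps over the lazy dog. " * 60).encode()
    docs = ("memo1.txt", "memo2.txt", "notes.txt")
    with tempfile.TemporaryDirectory() as root:
        for name in docs:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(prose)
        # A compressed archive is already high-entropy and must not be flagged.
        with open(os.path.join(root, "archive.zip"), "wb") as fh:
            fh.write(os.urandom(4096))
        before = snapshot(root)
        quiet = detect_mass_encryption(before, snapshot(root))  # nothing changed
        simulate_encrypt_stage(root, docs)
        loud = detect_mass_encryption(before, snapshot(root))   # three files flipped
    return {"quiet": quiet, "loud": loud}


if __name__ == "__main__":
    print(demo())
```

In production the baseline would be taken periodically from file servers and shares, and the alert threshold tuned to the rate of legitimate change; a second snapshot showing most of a share flipping to high entropy within minutes is the signal that separates stage 4 from ordinary user activity.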

The usual targets

Cyber criminals typically target organizations that hold highly confidential or critical data, as they are more likely to pay the ransom; the financial and health industries are particularly at risk. In the case of hospitals, ransomware could literally result in a life or death outcome. In February 2016, a US hospital was locked out of its computer systems and eventually paid a US$17,000 ransom to regain access and return operations to normal.

In EY’s experience helping clients deal with this menace, the “first offer” ransom demand per computer is typically US$500, and this demand can go up significantly. Ransoms are usually requested in virtual currencies, which makes the payments far harder to trace to the attackers through conventional financial records.

To pay or not to pay

Law enforcement agencies generally advise against paying digital ransoms on the basis that it could encourage more attacks, but this ignores the reality of organizations confronted with ransom demands. The costs of not paying, particularly in the immediate term, can be catastrophic — for some organizations, it could mean the decline of their business. By delaying the ransom payment, the costs of downtime and business interruption only increase. 

Then there is the reputational damage that ransomware attacks can wreak. Cyber criminals can not only withhold data until payment is made; they can also threaten to expose the data if payment is not made. This could severely damage an organization’s reputation and brand value, particularly if customer information is involved.

How to protect yourself

As FBI Cyber Division Assistant Director James Trainor says, “there’s no one method or tool that will completely protect you or your organization from a ransomware attack. But contingency and remediation planning is crucial to business recovery and continuity — and these plans should be tested regularly.”

Here are some recommendations of what you can do to mitigate your exposure to ransomware:

  • Regularly update anti-virus and anti-malware systems.
  • Install patches for operating systems, software and digital devices.
  • Mitigate risk exposure with data backup systems, which allow organizations to revert to a ransomware-free state. Keep at least one copy offline or otherwise unreachable from the production network, since ransomware commonly encrypts or deletes any backups it can reach, and test restores regularly.
  • Confirm critical systems are not unnecessarily connected to or accessible from the internet.
  • Include cybersecurity awareness training that discusses ransomware as part of the organization’s evolving culture.
  • Shift the company’s mindset so that ransomware is seen as a business risk issue, i.e., it does not solely impact the IT environment.

And here are some recommendations of what you can do if you find yourself a victim of ransomware:

  • Restore data from a backup if that data has not been encrypted or deleted by threat actors.
  • Attempt to find a decryption tool that may exist (security vendors have publicly released free decryption tools for a number of ransomware families).
  • Make a business decision to move forward without the data that was lost.
  • Pay the ransom in order to retrieve sensitive data and restore your operational capability, bearing in mind that payment does not guarantee a working decryption key.

Strengthen the weakest link

Implementing technological solutions is all well and good, but their effectiveness is limited if system users are not better educated about cybersecurity. In many cases, employees are unwittingly the source of data breaches due to poor cyber awareness — and in some cases, are wittingly aiding cyber criminals. Without addressing the human element of cybersecurity, organizations will increasingly be held hostage to the ransom demands of cyber criminals.
