Published on the 24/07/2019 | Written by Jonathan Cotton

As some public sector victims give in to hackers’ demands, organisations downunder should take note…

So you’ve been hacked and your data is being held to ransom. When is it the right time to cut your losses and pay the ransom?

A rash of high profile ransomware attacks – and capitulation by several US cities – has got both the public and private sector wondering whether the time and effort of resisting ransomware demands is worth it.

It’s understandable. The cost can be enormous as operations are disrupted, services interrupted and data lost, and in many instances the reputational damage can add to the already high cost of the attack. Could there be a case for simply ceding to the hacker’s demands in the interest of getting back to business as usual?

“Hard-line conversations about whether to negotiate with cybercriminals take a back seat to the reality that you are beholden to the business and its key stakeholders.”

So it has gone in Lake City, Riviera City and Jackson City. Riviera City paid US$600,000 and Lake City just under US$500,000 to retrieve their ransomed data. And they’re just the recent cases. In 2017 a South Korean internet service provider paid a handsome US$1m to unlock computers captured by the hackers.

Whether those decisions were the right is up for debate, but there are a growing number of voices saying that, while not pleasant, sometimes meeting the hackers demands is simply the most prudent course of action.

“As the attack grinds on, your organisation scrambles to find new ways to meet core functions, putting stress on everyone, including executive management,” says Josh Zelonis, principal analyst at Forrester.

“As the stress and financial burden rises, hard-line conversations about whether to negotiate with cybercriminals suddenly take a back seat to the reality that you are beholden to the business and its key stakeholders.”

The numbers back up such thinking too. The city of Baltimore grappled with their ransomware attack for more than a month, bringing the total cost of the attack to an estimated US$18.2 million. The cost the extortionist had demanding however was around US$76,000 (paid in bitcoin of course).

“Platitudes and emotion are not going to help you formulate an optimal recovery path for your business,” says Forrester.

“Recovery is complicated even if you have good backups that survived the attack. Many organisations significantly underestimate the scale of disruption they need to plan for or make too many assumptions about what functionality will continue to exist after an attack.”

But the short term expediency of paying up comes at a longer term cost. Spurred on by the success of the SamSam attacks – and similar attacks conducted by ransomware gangs such as GoGalocker, MegaCortex and Robbinhood – Symantec says we can expect the number of larger-scale cyber attacks on organisations to continue to grow.

According to the cybersecurity company attacks targeting organisations – and in particular enterprises – continue to climb, with enterprise targets taking up 80 percent of all of 2018’s ransomware infections.

“A ransomware attack that involves encryption of hundreds of computers and servers is probably one of the most disruptive and costly forms of cyberattack any organisation could experience,” says Symantec.

“The hastening pace of targeted ransomware attacks over the past 12 months means that organisations need to educate themselves about this threat and ensure that robust, overlapping defences are in place.

“The perceived success of the current crop of targeted ransomware groups makes it highly likely that more cyber crime actors will attempt to move into this space.”