Why it doesn’t pay to pay that ransomware demand

Published on 21/06/2022 | Written by Heather Wright

Ransomware attackers: We’ll be back…

Nearly 70 percent of companies that paid a ransomware ransom were hit again within a month, and for an even larger sum, according to a new report that shows empirically the perils of paying up.

And it’s not just the threat of further attacks: just 42 percent of those who ponied up saw all of their systems and data restored, leaving the majority floundering despite their payout, according to Cybereason’s global study on ransomware’s business impact, Ransomware: The True Cost to Business.

Nine percent would go on to pay a ransom three times or more.

Companies have long been warned not to pay the ransoms, including through official Australian Cyber Security Centre and CERT NZ guidance, but the Cybereason report suggests such ransoms are being viewed as an inevitable cost of doing business in the digital age.

Seventy-three percent of the more than 1400 cybersecurity professionals surveyed reported that their organisation had been the target of at least one attack in the last two years, and 28 percent said they paid the ransom.

Of those that paid, 80 percent were victims of at least one subsequent attack. Adding insult to injury, more than two-thirds of the subsequent attacks (nearly half of which were perpetrated by the same attackers) saw an increased ransom demand. Soberingly, 44 percent also paid the second demand. Nine percent would go on to pay a demand three times or more. 

It’s the latest in a line of reports highlighting the grim statistics behind ransomware, with both Thales and Sophos also releasing reports on the impact for Australian and New Zealand organisations.

Thales’ report found 30 percent of New Zealand organisations admit they have paid, or would pay, a ransom for data, while Sophos’ State of Ransomware 2022 shows 80 percent of the 250 Australian organisations surveyed were hit by ransomware in the last year, with 65 paying up for an average of US$226,863 in their most significant ransomware attack. The 80 percent hit rate for Australia was well ahead of the global average of 65 percent and a massive jump from the 45 percent reported in Australia in 2020. Forty-three percent of those who had data encrypted paid to get their data back, even if they had other means of recovery, such as backups.

Chester Wisniewski, Sophos principal research scientist, says there could be several reasons for the increasing portion of victims paying up even when they have other options available.

He says incomplete backups or the desire to prevent stolen data from appearing on a public leak site are key reasons.

“Restoring encrypted data using backups can be a difficult and time-consuming process, so it can be tempting to think that paying a ransom for a decryption key is a faster option. It’s also an option fraught with risk,” Wisniewski says.

“Organisations don’t know what the attackers might have done, such as adding backdoors, copying passwords and more. If organisations don’t thoroughly clean up the recovered data, they’ll end up with all that potentially toxic material in their network and potentially exposed to a repeat attack.”

Indeed, the Cybereason report shows that in 63 percent of cases the attackers were in the organisation’s network for up to six months before being detected, potentially downloading confidential data before deciding the best time to strike, encrypting data at the tail-end of the attack.

Unlike the earlier ‘spray and pray’ ransomware attacks, RansomOps attacks are more intricate, with targets carefully chosen for their ability to pay substantial demands, their high likelihood of paying given their industries (healthcare and other critical infrastructure organisations, for example) and the potential effects.

Cybereason’s report also highlights the longer-term impacts of an attack. While the short-term impacts of disruption to business – 33 percent of companies acknowledged they were forced to temporarily suspend business operations after an attack – costs associated with incident response and mitigation efforts, lost productivity and the cost of any ransom payment might be front of mind, they’re just the start.

Australian organisations in the Sophos survey took on average a month to recover from an attack, with 86 percent saying the attack caused their organisation to lose business or revenue.

Longer-term impacts included 37 percent admitting they had to lay off employees following an attack and 35 percent reporting C-level resignations, along with diminished revenue, damage to the brand and reputation, loss of customers and strategic partners and even the viability of the business in some instances. 

Lior Div, Cybereason CEO and co-founder, says “Ransomware attacks are traumatic events and when ransomware gangs attack a second, third or fourth time in a matter of weeks, it can bring an organisation to its collective knees.

“Deploying effective anti-ransomware solutions is easier said than done, and the hackers know it.

“After being hit the first time by a ransomware attack, organisations need time to assess their security posture, determine what are the right tools to deploy and then find the budget to pay for it. The ransomware gangs know this and it is the biggest reason they strike again so quickly.”

And as to why companies are paying up – despite all the advice to the contrary – Cybereason’s report shows nearly half of those who paid cited an attempt to avoid any loss of revenue as the key reason, with 41 percent doing so to expedite recovery.

Some, however, admitted they just weren’t prepared: a full 27 percent admitted they hadn’t backed up their data, while 34 percent said they were simply too short-staffed to attempt an effective response without the assistance of the attackers.

Interestingly, while paying up didn’t prove hugely successful in most cases (54 percent of those who paid reported system issues or corrupted data after decryption), those that didn’t pay a ransom reported more success: 78 percent said they were able to fully restore systems and data without receiving the decryption key at all. There’s no word in the report, however, as to whether those organisations were simply better prepared for an attack and better able to respond.

Despite the concerns about ransomware, Thales found only 51 percent of New Zealand businesses have a formal ransomware plan, with 40 percent adding additional budget for ransomware tools.

In Australia, organisations appear to be making efforts to fight back, with 99 percent of Sophos respondents saying they have made changes to their cyber defences over the last year to improve their insurance position. 

“The best option for defending against ransomware is to be proactive and prevent an attack at the outset, to detect and disrupt an attack in progress as early as possible and to be prepared to respond to a successful attack swiftly,” notes Cybereason.

Sophos offers a few more direct suggestions:

1. Install and maintain high-quality defences across all points in the organisation’s environment. Review security controls regularly and make sure they continue to meet the organisation’s needs.

2. Proactively hunt for threats to identify and stop adversaries before they can execute their attack – if the team lacks the time or skills to do this in house, outsource to a managed detection and response specialist.

3. Harden the IT environment by searching for and closing key security gaps such as unpatched devices, unprotected machines and open RDP ports. 

4. Prepare for the worst. Know what to do if a cyber incident occurs and keep the plan updated.

5. Make backups, and practice restoring from them so that the organisation can get back up and running as soon as possible, with minimum disruption.
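The last of those suggestions, practising the restore rather than just taking the backup, is the one that can be rehearsed in code. The Python script below is an added example written for this page; it is not code from the article, from Sophos or from Cybereason. It runs a small restore drill: it backs up a constructed sample directory into a tar archive, records a SHA-256 manifest at backup time, restores the archive into a fresh location, checks every restored file against the manifest, and then deliberately damages one restored file to show that the check fails loudly. The file names and contents are constructed sample data, and the restore step refuses any archive member whose path would resolve outside the destination directory.

```python
"""Backup-and-restore drill: back up a directory, restore it somewhere fresh,
and prove the restored files match what was backed up.
Added example; not code from the article, Sophos or Cybereason."""
import hashlib
import tarfile
import tempfile
from pathlib import Path

# Constructed sample "production" data that the drill backs up and restores.
SAMPLE_FILES = {
    "config/app.ini": b"[db]\nhost=db.internal\n",
    "data/orders.csv": b"id,total\n1,19.99\n2,42.00\n",
    "data/customers.csv": b"id,name\n1,Example Ltd\n",
}


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root ('/'-separated relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def create_backup(src: Path, archive: Path) -> dict:
    """Write a gzip tar of src and return the manifest taken at backup time.
    Keep the manifest with the backup: a later restore is checked against it."""
    manifest = build_manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src / rel, arcname=rel)
    return manifest


def restore_backup(archive: Path, dest: Path) -> None:
    """Extract the archive into dest, refusing any member whose path would
    resolve outside dest, so a malformed or tampered archive cannot
    overwrite files elsewhere on the host."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            target = (dest / member.name).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"refusing unsafe archive member: {member.name}")
        if hasattr(tarfile, "data_filter"):  # Python builds that ship extraction filters
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored tree to the backup-time manifest. Returns
    (relative_path, problem) pairs; an empty list means the restore is
    complete and byte-for-byte identical to what was backed up."""
    problems = []
    actual = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in actual:
            problems.append((rel, "missing after restore"))
        elif actual[rel] != digest:
            problems.append((rel, "content differs from backup"))
    for rel in actual:
        if rel not in manifest:
            problems.append((rel, "unexpected file in restore"))
    return problems


def restore_drill() -> dict:
    """Run the whole drill in a temporary directory: back up the sample data,
    restore it to a fresh location, verify, then damage one restored file
    to show that verification catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, archive, restored = tmp / "prod", tmp / "prod.tar.gz", tmp / "restored"
        for rel, content in SAMPLE_FILES.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(content)

        manifest = create_backup(src, archive)
        restored.mkdir()
        restore_backup(archive, restored)
        clean = verify_restore(manifest, restored)

        # Simulate a damaged restore (e.g. a truncated or still-encrypted file).
        (restored / "data/orders.csv").write_bytes(b"")
        damaged = verify_restore(manifest, restored)

    return {"files_backed_up": len(manifest), "clean": clean, "damaged": damaged}


if __name__ == "__main__":
    result = restore_drill()
    print("clean restore problems:  ", result["clean"])
    print("damaged restore problems:", result["damaged"])
```

Running the script produces an empty problem list for the clean restore and a single "content differs from backup" entry for the damaged one. In a real drill the manifest would be written alongside the archive at backup time, and the restore would be made to a host that shares nothing with production, so that a compromised production environment cannot quietly alter both the archive and the record it is checked against.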
