Posted 2 Sept. 2019

Ransomeware attacks: when should victim companies pay?

Laurent Halimi blog profile image

By Laurent Halimi

What is ransomware?

Malware, or malicious software, that locks and encrypts a victim’s device, preventing access to it until a ransom is paid. Ransomware is rapidly becoming a major threat to companies’ cybersecurity.

Unlike other malware programs, the hackers don’t steal private data; rather they simply block its owner from viewing or using it, essentially holding their files hostage. The victim must then pay the cybercriminal, most commonly in bitcoin, to regain control of their files and computer. Not paying the ransom puts the victim at risk of irreversibly losing their data forever.

Ransomware is a growing threat – and an increasingly lucrative option for hackers. In 2018, ransomware damages were predicted to exceed $8 billion; while the average ransom demand in 2018 was roughly $500, some businesses have paid close to a million dollars to secure their data decryption. In the mid-2000s, ransom demands averaged around $300.


Which companies are at risk?

High-profile cases of ransomware are usually those attacking banks, hospitals or government systems, such as the WannaCry attack on NHS hospitals across the UK and businesses across Europe, including French car company Renault and Germany’s national railway, Deutsche Bahn. This particular attack saw more than £108,000 in bitcoin paid out to hackers.

However, it is, in fact, small and medium-sized businesses that are most at risk of a ransomware attack. Over 70% of attacks target small businesses, while close to 50% of small businesses have fallen victim to a cyberattack.

A ransomware attack has the power to completely disrupt a company’s operations and bring it to a standstill. Many companies underestimate the threat, resulting in a lack of adequate training, backups or contingency planning. This means that 60% of small and medium-sized companies go out of business six months after being hacked.


Should companies ever pay the ransom?

A big debate surrounding ransomware is whether companies should give in to cybercriminals and pay the ransom in exchange for decryption.

Research shows that 45% of organisations shell out for at least one ransom, while some major companies budget in buying bitcoin in case of an attack.

The official advice of cybersecurity experts and the FBI is to never pay in the event of a ransomware attack. The FBI states, “The payment of extortion demands encourages continued criminal activity, leads to other victimizations, and can be used to facilitate additional serious crimes”. After the Baltimore City government attack, the mayor called for other mayors to stop meeting ransomware demands, claiming that paying was only increasing the number of attacks against government systems. Also, victims have no leverage over the attackers to guarantee that they will follow through on their promise of unlocking the files.  

However, some companies argue that it’s up to them whether they should pay a cyberattack ransom or not, and that the situation should be evaluated like any other business decision. Weighing up the upfront cost of the ransom versus the time, cost and stress of remediation post-attack, many opt to bite the bullet and resolve the problem quickly by shelling out the ransom. Companies without secure backups are more pressured to pay as they face losing everything, while cybersecurity insurance is a further incentive to pay up for those who are covered.

Not giving into a hacker’s extortion demands is undoubtedly easier said than done. Small business owners risk losing everything they’ve worked for; encrypted hospital and government systems can cause chaos and even endanger patients’ lives. The best solution, therefore, is for companies to focus on their defense against ransomware.


Best practice for protecting against ransomware attacks

The FBI advises businesses to have “several layers of security as there is no single method to prevent compromise or exploitation”. This includes steps such as:

  • Buying cybersecurity insurance
  • Regularly updating operating systems
  • Using multi-factor authentication and complex login passwords
  • Maintaining separate, safe and secure offline backups of all critical data
  • Putting a cybersecurity response team on retainer
  • Training all employees on how to avoid and recognise cyber threats

By implementing these best practices, companies position themselves well against a ransomware attack, minimising the likelihood of needing to pay an extortionate ransom and weakening a hacker’s threat.