Listen to the article (AI powered narration)

Published on June 01, 2020

During a particularly high-profile ransomware attack last month, REvil/Sodinokibi attackers stole 756 GB worth of sensitive documents from celebrity law firm Grubman, Shire, Meiselas, and Sacks. The attackers threatened to publish important files related to pop singers Lady Gaga and Christina Aguilera if the firm didn’t pay out $21 million. The folks at Grubman refused to negotiate, at which point the stakes were raised to $42 million; some files were leaked, and the attackers threatened to leak damaging information on Donald Trump.

According to the attackers, Grubman offered a payment of $365,000; however, the law firm vehemently denies this allegation. The bad actors also claim that someone paid them for the information on Trump. Whether any of this is true is unclear, as ransomware attackers are not known for their honesty.

Grubman subsequently retained Coveware, a third-party firm that specializes in ransomware mitigation, and they have refused to pay the attackers. In this particular instance, it appears that the REvil/Sodinokibi hackers were able to exploit an unpatched Citrix vulnerability. At any rate, all this begs the question: Does it ever make sense to pay a requested ransom?

It is generally not advisable

According to a recent study from market research firm Vanson Bourne, victims who decide to pay the ransom ultimately cost their businesses twice as much as those who opt to not pay up. Over an eight-week period in early 2020, the researchers polled 5,000 IT managers across 26 countries. They ultimately found that those who didn’t pay the ransom incurred, on average, $730,000 in recovery costs; whereas, those who decided to pay were on the hook for an average of $1.4 million.

Paying the ransom doubles the cost because there are a substantial amount of costs that go into remediating the attack; you have to not only get your data back, but you also have to get your company back up and running. In most cases, by cutting the ransom payment out of the equation, it will save you money over the long term.

Intuitively, and morally, it makes sense to avoid paying these bad actors. After all, paying the hackers likely incentivizes them to continue their criminal behavior. Also, even if you do pay the ransom, there is no way to be sure that they will even return the stolen data. That said, according to the 2020 State of Ransomware Report, only 1 percent of the victims who paid up failed to get their data back.

It is striking to see how prevalent these types of attacks are; in fact, 51 percent of the report’s respondents said they received a ransomware attack in the last year alone. Of those who were hit, 26 percent paid out and 56 percent recovered their data by using backups.

Another interesting finding from the aforementioned report was that all other things being equal, data on the cloud was more susceptible to attacks than data stored on-premises.

However, there are times when paying the ransom makes sense

As disagreeable as it may feel, sometimes paying can be an attractive option. Forrester analysts Josh Zelonis and Trevor Lyness noted in their 2019 report that paying the ransom can sometimes save a great deal of money.

As a quick example, the City of Baltimore was hit by a ransomware attack in 2019, which incapacitated the city’s entire infrastructure. The offenders asked for 13 Bitcoin, which was worth roughly $76,000 at the time of the attack; however, the Mayor of Baltimore refused to negotiate. This decision, in hindsight, was a poor one from a business perspective, as the attack ended up costing the city approximately $18.2 million.

So, put simply: It really depends on the nature of your business and the severity of the attack. Do you work in healthcare, education, or a government entity? Have your core business functions been stopped? Did the criminals target your backup systems, making it even more difficult to recover your data? Besides the decryption keys, has there been data exfiltration?

As ManageEngine Vice President Rajesh Ganesan says, “Ideally, the policy for organizations should be to not give in to ransomware demands, as it strengthens the collective defense against the attackers. But in the real world, exceptions are inevitable, especially when it comes to people’s lives. Case in point is the WannaCry ransomware attack on the UK’s NHS, where the nation’s healthcare system was under siege and it became impossible to coordinate even critical surgeries. When human lives are in danger, paying ransomware can be justified; however, at the same time, organizations should take it as a huge kick in the backside and strengthen their resolve to not allow it to happen again. It just takes knowledge, discipline, and being a bit more meticulous than the attackers.”

Conclusion

To be sure, there are a lot of factors to take into consideration in the aftermath of an attack. Perhaps you are able to negotiate with the bad actors. Alternatively, you may have cyber insurance; in which case, you will want to see whether it covers ransomware attacks. Even if you don’t have cyber insurance, it may still be worth reaching out to your insurance broker, as ransomware attacks can sometimes be covered under another one of your insurance plans.

Again, it mostly comes down to the severity of the attack and the sector in which you work. During his years at ManageEngine, Ganesan experienced ransomware attacks firsthand: “ManageEngine has undergone ransomware attacks; we never paid ransom. What we do for work isn’t actually a matter of life and death—at all. We decided, okay, we’ll take a week’s downtime, but we won’t pay ransom.” When asked if that would be the same decision if he worked in the healthcare space, he thought pensively and responded, “It depends.”

John Donegan

John Donegan

Enterprise Analyst, ManageEngine

John is an Enterprise Analyst at ManageEngine. He covers infosec, cybersecurity, and public policy, addressing technology-related issues and their impact on business. Over the past fifteen years, John has worked at tech start-ups, as well as B2B and B2C enterprises. He has presented his research at five international conferences, and he has publications from Indiana University Press, Intellect Books, and dozens of other outlets. John holds a B.A. from New York University, an M.B.A. from Pepperdine University, an M.A. from the University of Texas at Austin, and an M.A. from Boston University.

 Learn more about John Donegan
x