It wouldn't be a stretch to say ... we live in volatile times. Wars, pandemics, geopolitical instability, civil unrest, the price of cheese, pending environmental collapse, pending economic collapse etc etc etc. But ... in amongst all of this doom and gloom, there are opportunists. Opportunists like cyber criminals. And right now they are making bank.
During the Covid-19 pandemic alone, ransomware attacks surged as workforces were sent home to work and cloud uptake skyrocketed. Cyber criminals took advantage of rushed and poorly conceived security implementations, and of poor end-user cyber-security hygiene on top of that. It is inevitable that most organisations will find themselves facing a ransomware attack at some point, but the answer to the question "should you pay the ransom?" is complicated.
Ransomware victims can be left in a pretty pickle. For organisations of all sizes, having vital files, documents, networks, servers or services targeted – leaving them encrypted, inaccessible and unavailable – can be crippling. And of course, there are some great reasons to pay, like faster recovery time: if you're facing long and costly downtime while data and systems are restored, paying the ransom could look like the better option. And if the cost to recover from a ransomware attack exceeds the ransom payment, why wouldn't you take the gamble and pay? Then there is protecting your reputation. Having to tell customers that you got hit or breached could cause reputational damage and reduce customer confidence. And finally, organisations won't want their customer and employee data exposed either. Some attackers will double down and threaten to release the data they exfiltrated to pressure organisations into paying.
These are all compelling reasons to pay up, and on the surface they make sense. But here is why you probably shouldn't pay:
You paint a target on your back - Cyber criminals will be encouraged by news of a successful extortion. Paying may offer short-term relief from the effects of ransomware, but once you're identified as someone who can be blackmailed, you become an attractive target to other would-be cyber criminals, or even the same ones. It's not uncommon for victims to be hit again with repeat attacks.
Your next ransom may be bigger than the previous one - As the problem of ransomware grows, so too does the price. The average cost of recovery for businesses has more than doubled in the last year, according to Sophos' The State of Ransomware 2021. As more and more organisations have coughed up, criminals have been emboldened to raise their prices, knowing all too well how desperate organisations become when faced with financial loss and reputational harm.
Trust issues - Can you trust that a criminal, who is in the business of dishonesty, is going to hold up their end of the bargain and hand back your data and systems once payment has been made? Many don't. Although there are exceptions, some known ransomware gangs have reputations for providing "great customer service": deadline extensions, instructions on obtaining bitcoin for payment, and quick decryption of data on payment. But this isn't a great thing to hang your hopes on.
Enabling and funding future attacks - It's understandable why so many organisations choose to save themselves hassle in the short term by paying the ransom, but the long-term cost of this decision is that the money paid will undoubtedly be reinvested into future cyber crime. The more money attackers have to develop more advanced varieties of ransomware, with ever more sophisticated delivery mechanisms, the more this problem will grow.
So … Should You Pay the Ransom?
There is always a good reason to pay, and it's simple – organisations need their data back and their systems back online. They pay because they feel they have no choice. Whether you choose to pay the ransom really comes down to your individual circumstances, of course. But either option, be it paying the ransom or choosing to spend the time and effort to restore instead, is undesirable. So the best choice to make in the short term is to focus on your security infrastructure and user training, to greatly reduce your attack surface and the chances of such an attack succeeding in the first place.
As of writing, there is now a third option ... you can do what the Bank of Zambia did...