Why Paying The Ransom Isn’t The Answer For Ransomware Victims - Information Security Buzz
Increased reliance on multiple cloud environments during the last couple of years and the growing number of employees opting for a hybrid working norm have created numerous opportunities for ransomware gangs to target organizations. As a response to the increasing impact of ransomware attacks, businesses of all sizes are investing in a zero-trust approach to security where digital identities and multi-factor authentication (MFA) play a key role.
Ransomware attacks have become more advanced and complex during the past years, evolving from simple malware deployment and extortion to a multi-tiered Ransomware-as-a-Service (RaaS) business model where “service providers” like Initial Access Brokers develop and then sell or rent their services. So-called “double extortion” attacks also heighten the risk, where cybercriminals exfiltrate the data before encryption and ransom demand. All these developments contribute to a more dire threat to organizations.
Research from CyberRisk Alliance indicates that 43% of the surveyed businesses suffered at least one ransomware attack during the past two years (2020 – 2021). 32% believe they cannot prevent ransomware attacks because threat actors are too well-funded and sophisticated.
According to the 2022 Thales Data Threat Report, 43% of the ransomware victims were significantly impacted. The impact ranges from hard costs, such as financial losses from penalties, fines, and legal expenses, to softer costs, including lost productivity, recovery costs, and brand reputation.
Ransomware attacks are sometimes even worse than the worst-case scenario for which an organization has planned. The data stolen by the ransomware group might be so sensitive or damaging that allowing it to be released would destroy the organization. With all other options exhausted, an organization realizes they may have to pay the ransomware group.
In fact, the percentage of ransomware victims choosing to pay the ransom is higher than you think. The CyberRisk Alliance report findings indicate that 58% of the victims paid a ransom, while 29% found their stolen data on the dark web.
However, paying the ransom might not be the solution to your nightmare. Even if a company pays, there is no guarantee that attackers will return the data or that the decryption key gets data back where it was before the attack.
According to a 2021 Sophos report, 92% of these organizations don’t get all their data back, and 29% of them don’t even recover half the encrypted data.
An inconsistent return of the data is not the only reason businesses should avert from paying the ransom. Federal agencies like CISA and other security professionals stress that paying the ransom does more harm than good.
While paying may appear to be a viable option and a quick solution to your problem, there are many reasons why you shouldn’t:
Before even discussing the possibility of paying the ransom, businesses should start planning how to reduce the likelihood of being the next victim of a ransomware attack.
The first step is to understand how ransomware gangs operate. These criminals often go after Big Game Hunting. The higher the expectation for service reliability, quality, and trust, the more likely the business will be targeted. For these companies, the impact of disruption on business operations is much more significant than the payout. When an energy or utility grid is compromised, this can lead to blackouts and gridlocks, and when safety mechanisms are breached, the release of toxic chemicals, oil spills, fires, or explosions.
The problem is exacerbated by the fact that the skills required to execute a ransomware attack have been dramatically reduced. Ransomware-as-a-service models are offering a complete package for potential attackers. Ransomware software packages exist along with millions of stolen access credentials on the dark web that allow people with relatively little technical background to execute ransomware attacks effectively.
Identity-based access and multi-factor authentication can help reduce the incidence of such attacks. Businesses should be proactive and build capabilities to identify the source of repeated, excessive login attempts and block such attempts. Having this capacity is crucial for detecting and reducing the impact of ransomware attacks.
In line with the recent Executive Order, an Americas Market Owner for IAM said, ”Adding identify verification gates (#MFA) in front of every app cannot just reduce the chance of getting hit with #ransomware but also limit that damage done”.
One of the most effective ways to prevent ransomware attacks is by adopting zero trust architecture. Built on the principle ‘never trust, always verify,’ a zero trust security strategy would have prevented ransomware attacks like the Colonial Pipeline and JBS, preventing it from spreading across the operations while keeping the operation running.
Zero trust isn’t a silver bullet for ransomware either, but it can help create a much more robust security defense against ransomware attacks if implemented well. One of the key pillars of zero trust focuses on user identity and access management. Others include monitoring, detection, and threat inspection capabilities necessary to prevent ransomware attacks and exfiltration of sensitive data. Zero trust frameworks help reduce the attack surface significantly as employees and third parties only have access to the resources they need at a given time.
Zero trust is a strategy that facilitates digital transformation. It needs a commitment from the entire organization and requires a change in mindset, executed with due diligence. However, the bonus is that businesses that implement zero-trust security successfully will be much stronger to combat evolving threats like ransomware and emerge as a genuinely cyber-resilient organization.