Euro Security Watch with Mathew J. Schwartz

Business Continuity Management / Disaster Recovery , Fraud Management & Cybercrime , Governance & Risk Management

Ransomware Reminder: Paying Ransoms Doesn't Pay

Funding Criminals Perpetuates Cybercrime
Ransomware Reminder: Paying Ransoms Doesn't Pay
Percentage of organizations that paid a ransom after their data was encrypted in a ransomware attack. (Source: Sophos)

Security experts and law enforcement officials have long argued that paying ransoms doesn't pay. For starters, it directly funds the cybercrime ecosystem and makes it attractive for criminals to keep launching ransomware attacks. Anytime the average ransom payment goes up, it also attracts new players.

See Also: 5 Requirements for Modern DLP

For anyone seeking to put a number to the problem, a recent survey asked IT professionals: "What was the approximate cost to your organization to rectify the impacts of the most recent ransomware attack (considering downtime, people time, device cost, network cost, lost opportunity, etc.)?"

Ransomware victims that that did not pay a ransom reported, on average, $730,000 in recovery costs. But organizations that did pay a ransom reported an average total cost - including the ransom amount - of $1.4 million.

Those numbers are based on a survey conducted by market researcher Vanson Bourne in January and February for Sophos, which gathered comments from 5,000 IT professionals across 26 countries, including the U.S., Canada, France, U.K., Netherlands, Czech Republic, Australia, India, China and more. Those IT pros work at companies with 100 to 5,000 employees.

More on those findings and their reliability in a moment.

The survey also found that over the prior 12 months, 51% of organizations reported experiencing a "significant" ransomware attack, of which 73% resulted in attackers successfully encrypting data.

Of those that had their data encrypted in an attack, 26% said they paid a ransom and regained access to their data, while 1% paid a ransom but did not regain data access. So the good news is that 73% of firms didn't pay.

What do they do instead? The Sophos study didn't dive into that, but ideally, victims have the ability to wipe systems and restore from recent backups. In some cases, free decryptors for the strain of ransomware that hit them will be available, or may be in the future. Otherwise, victims have to start over. Obviously, that's not an ideal scenario, and it's one of the reasons why law enforcement agencies in the U.S., U.K. and many other countries say whether or not to pay remains up to victims.

Insurance can help defray recovery costs too. Sophos' study found that 64% of organizations have a cybersecurity insurance policy that includes ransomware coverage. For organizations that had a cyber insurance policy and opted to pay a ransom, in 94% of cases, the insurer covered the payoff (see: Do Ransomware Attackers Single Out Cyber Insurance Holders?).

Cost Comparison: Reliable?

So, what accounts for the supposed massive increase in incident response costs for organizations that pay a ransom?

The Sophos report accompanying the results gives no black-and-white rationale for the cost disparity. Instead, it suggests that the total cost of recovering from a successful ransomware attack is largely the same, regardless of whether an organization pays a ransom in exchange for the promise of a decryptor. Accordingly, any payoff simply adds more cost to the preordained cleanup effort.

But that raises many questions. For starters, some ransomware victims that pay attackers do get a working decryptor. Surely their recovery time - and costs - could be less than organizations that might otherwise have to wait many more weeks to restore system.

Some Ransomware Gangs' Shoddy Crypto

If the jury is still out on the survey results, previous studies have identified that however you look at it, recovering from a ransomware attack involves massive incident response and recovery challenges. Security experts say that rather than paying for cleanup, organizations should spend the money on prevention, where it will do a lot more good.

Why is ransomware so difficult to recover from? For starters, wiping and restoring systems - for organizations that have working backups - takes time. For organizations that choose to pay attackers instead, some ransomware strains are coded better than others. As a result, some crypto-locking malware encrypts files in such a way that some get corrupted, meaning that they cannot be restored.

As ransomware incident response firm Coveware recently reported: "Some ransomware variants had predictable recovery rates, close to 100%, while others were as low as 40%. Specifically, variants like Mesponinoza, DeathHiddenTear, and Buran caused data loss upon encryption and also delivered decryption tools with bugs that lead to additional data loss." (See: Ransomware: Average Business Payout Surges to $111,605.)

Source: Coveware

Even with a decryptor, restoration takes time. Many ransomware operators offer self-support portals for victims to exchange bitcoins for a decryption key tied to an individual, infected endpoint. For an organization that has hundreds or thousands of infected endpoints, having to pay for and generate a different decryption tool for each one - before installing and running them all on various endpoints - can be a laborious process. In response, the Sodinokibi operators have added functionality allowing affiliates to issue a single, master decryption key for multiple endpoints.

Another time sink: Some ransomware decryptors shred file hierarchies, meaning that even when encrypted files get restored, they may all get dumped into a single directory, lacking any folders for context.

Experts: Invest in IT

Security experts and law enforcement agencies have been saying for years that the best defense against ransomware is to do everything possible to avoid getting infected (see: Please Don't Pay Ransoms, FBI Urges).

Where should they start? Raj Samani, chief scientist at McAfee, says it's essential for organizations to always monitor their IT environments, watching for anything unusual. Also, they must ensure they're maintaining - and regularly testing the integrity of - up-to-date backups that get stored offline or in some manner that is disconnected from the organization. That way, if crypto-locking malware does manage to hit some systems, they can be wiped and restored.

Raj Samani, chief scientist at McAfee, says not paying criminals is the best way to make them look beyond ransomware.

Ransomware frequently infects organizations via easily defendable vectors, such as weak or poorly secured remote desktop protocol endpoints, Samani tells me. Attackers can purchase stolen RDP credentials on cybercrime marketplaces (see: Why Are We So Stupid About RDP Passwords?).

"I know that that seems simplistic, but the way that they're getting into environments isn't necessarily remarkable, it's things like this - RDP - where you've got the sale of credentials online," he adds.

Source: Coveware

Impetus for Not Paying: Public Good

Ransomware victims can turn to a number of free resources, including the public-private No More Ransom project. "We've literally developed a website where we've given up our time to give you free tools and advice on what to do," Samani says (see: No More Ransom Thwarts $108 Million in Ill-Gotten Profits).

Another well-regarded resource is ID Ransomware, which helps victims identify what's crypto-locked their system. Michael Gillespie (@demonslay335), the U.S.-based developer and Emsisoft employee who runs the free service, last year told the New York Times that he was receiving 1,500 requests for help daily.

Clearly, the ransomware problem isn't going away. But every organization can help drive the success rate of these attacks down, and the wasted time and costs facing attackers up, by ensuring they have the right defenses in place, Samani says.

"And most importantly, don't pay," he says. "If you want to try to stop this from happening, the only way we're going to do it is by impacting their ROI. If they're not going to make money, they're not going to do it; it's very simple."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.