Don't Pay the Ransom. Period | ActZero

With ransomware gaining more and more attention in the news, companies have been dealing with it whatever ways they can. In an increasing number of cases, they have been paying ransoms, despite FBI advice not to. They see this as the cheapest route to getting their systems back online, and they aren’t alone in thinking so – some industry analysts have said ransom should be considered “as a valid recovery path that should be explored in parallel with other recovery efforts.” If you can drive the desired outcome (recovery) for a cost (the ransom amount) that’s lower than the alternative (remediation activities), why wouldn’t you? For those who don’t know me, I’m being facetious.

In this post, I refute these arguments. I explain why such assertions are wrong, short-sighted, and ultimately fuel the efforts of hackers who release ransomware. Furthermore, I highlight the tangible impact to your business resulting from the consequences of paying a ransom.

Isn’t the ransom cheaper than a cybersecurity solution?

Shameless plug, ActZero MDR typically costs less than a single security analyst… That said, let’s look at the reasons people (erroneously) think they should pay / that paying is the cheapest option:

• Astronomical Cost of Downtime

Yes, downtime is expensive – perhaps even leading to catastrophic consequences for your business, if you can’t afford it… but, isn’t that why you have a disaster recovery strategy in place? Imagine that it wasn’t a ransomware attack, but a flood, fire, or power outage that led to such downtime. The point is that there are many causes of downtime that don’t have the ‘too good to be true’ fix of paying a ransom and that your business needs to mitigate this risk.

• Risk of Losing Existing Partners, Customers, or Employees

With your company’s data inaccessible, you would likely be very concerned about the fallout for these stakeholders. But, can you imagine their reaction to learn that you paid a ransom to restore functionality? To me, it makes much more sense to demonstrate vocally what you’re doing to recover that is in keeping with the law. I assure you it will be much better received than “yup, we paid that ransom so fast, and now we’re back online quicker than ever…”

• Brand Damage (Risk of Impeding New Partners, Customers, or Employees)

If you want to avoid the impact on future acquisitions - shouldn’t you demonstrate that in your response to this, you did what was necessary to prevent it from happening again? I’m getting ahead of myself, but suffice it to say that there are downstream implications to paying a ransom that will result in additional threats against your business…

The Consequences

Now, let’s look at what could happen when you pay a ransom:

• The FBI points out, the hackers might not unlock your systems even if you do pay. You are dealing with criminals; there is no assurance that once you pay that you will regain access to your data/systems. You may still have the same problem, and one ‘ransom amount’ less with which do deal with it.
  
  
• Even once you’ve removed the ransomware (encryption), there’s nothing to prevent hackers from locking you down again! Until you remove the malware that installs/initiates the ransomware, and remediate the vulnerabilities that allowed that malware to get on there in the first place, you could be locked down one hour/week/month later – you have no way of knowing when. What you do know, for a certainty, is that your present security configurations/technology/processes were insufficient to prevent this attack – and that nothing about those elements will be different simply by paying the ransom.
  
  
• When you pay a ransom, it is very likely that you will be on a list of ‘payers’. Lists like these get passed around or sold on the dark web, because the fact that you paid once means you’re A) vulnerable and B) likely to ‘convert’ for the bad guys. So, the risk is not only that you’ll get hit again, but that you’ll get hit again and again by different hackers who may have different means at their disposal. In other words, even if you address/remediate the vulnerability that allowed you to be infected in the first place, other players could find other ways once you are on that list.

So, any argument that suggests it may be cheaper to pay a ransom than to A) implement your DR strategy B) engage a firm to remediate it, or C) build up / improve your own security defenses, is not looking at the long term. Sure, it might be cheaper in the short term to pay a ransom, but the downstream consequences are lasting, expensive, and truly business-threatening.

Setting aside, for a moment, these obvious business considerations – ask yourself, what about your obligation not to ‘fund’ the bad guys? Even if we don’t see this reflected in our laws (this is not legal advice), surely you see some merit to the government policies of “We Do Not Negotiate With Terrorists.” Because the fact is that if nobody ever paid a ransom, the bad guys would have no reason to demand one – because it would not be profitable for them.

Moving Forward

Of course, all of this discussion is in the context of a reactive response – paying a ransom, hiring an IR firm like ActZero, or implementing your own DR contingency… but, perhaps a more valuable avenue of exploration is: what could you have done proactively to reduce the risk of ransomware from the beginning? If paying the ransom is truly the cheapest way (and I hope you have seen that it isn’t…), shouldn’t you start budgeting for ransom? Do you think you’re saving money by “buying an umbrella while it’s raining”?

The fact is that (in mid-size enterprises especially) there’s never budget for cybersecurity … until there has to be. Our recommendation is that you engage an expert (like ActZero) to plan out what you can do. We can work with you to craft a business case relative to the cost of getting hacked, the cost of building your own SOC, or even the cost of a single analyst (which comes with its own set of issues/costs in terms of hiring, training, retaining and equipping them).

Once you acknowledge that your actions have consequences beyond the singular incident, for both your own organization and others, you’ll see that it never makes sense to pay the ransom. Far better to engage assistance on retainer, to harden your systems proactively, to plan for what you will be facing in advance. Our experts can help you on these paths. And, if you’ve already paid a ransom, I strongly encourage you to talk to us sooner than later.

For more information on Ransomware and steps you can take, check out our white paper: The Rise of Ransomware-as-a-Service.