There's one surefire way to end ransomware once and for all: Stop paying. If every organization that suffered a ransomware attack refused to pay up, the threats would lose their income stream, and the work would dry up leading to the end of these attacks as we know them.
Simple, right? It turns out, not so much.
The ransomware industry has become increasingly adept at generating demand. While there are both government and private entities working to dissuade organizations from paying, including legislation that may ban ransom payments for certain sectors, or the phasing out of ransom payment coverage by cyber insurance companies, the hold that cyber ransom has on its victims makes it likely that breached companies will continue paying the ransom. Organizations that do not pay ransomware risk potential losses that far outweigh the financial hit taken from an extortion fee, which gives attackers a clear advantage.
When an organization's bottom line is at risk, the decision to actually pay ransomware gangs is also a tough one for victims—the benefits and drawbacks have to be carefully considered, as payment never results in immediately reverting back to business as usual. To help organizations demystify the business impact of paying an extortion fee, Gartner® published Quick Answer: Ransomware—What Happens If You Pay? The Quick Answer details how organizations should respond to an extortion demand, and how much data they may or may not recover as a result.
Quick Answer: Ransomware — What Happens If You Pay?
Before understanding what happens when an organization pays, it's important to consider how the decision should be made. While the act of preventing, detecting, and stopping ransomware prior to any encryption and exfiltration lies solely within the realm of security teams, our takeaway from the Gartner Quick Answer is that, by the time ransom is demanded, how an organization reacts is a high-level business decision. At this point in the attack, the role of a security team becomes to provide the necessary information to business leaders so that they can make an informed decision.
When data is encrypted or exfiltrated, the first priority is typically to restore business operations as soon as possible to minimize additional damage caused by lost production, halts in sales, and reputational damage. To resume business as usual, victims have to ensure that attackers will deliver on their promise. While there is a slight risk that an attacker will not provide a decryption key, it's a fairly safe bet that one will be provided. As the Quick Answer points out, "Ransomware is a business, the criminals will provide the decryption tool, and they will withdraw the threat to publish any stolen data. If they don't do so, they effectively break their business model."
While obtaining an actual working decryptor is highly likely, the Quick Answer reports that full data recovery is uncommon among victims as "even with the decrypter, there is no guarantee that all the data will be recovered. Only 8% of organizations manage to recover all the data following a ransomware attack." The Quick Answer also gives clues as to how much data an organization may expect to recover, citing that "the business model of ransomware means that the decryption key will be provided by most attackers, and an average of 65% of the data will be recovered."
Of the data that is recovered, victims should expect the recovery to be a long, painstaking process. The report warns that decryptors can be sluggish or fail entirely: "However, the decryption is often very slow, and if a large amount of data has been encrypted, it can take weeks to recover. The average time to recover was 23 days in the first quarter of 2021."
To help with the process of recovery, the Gartner Quick Answer recommends seeking outside help to negotiate and stay within the boundaries of the law, saying "engage with a professional incident response team as well as law enforcement and any regulatory body before negotiating. Negotiation needs to be part of incident response planning." They also recommend "using the incident response teams to build a new decryption tool by extracting the keys from the tool provided by the attacker."
Finally, when an organization pays ransom, the Quick Answer warns that "although the threat actor will honor their promise not to publish any data, there is little doubt that the data will be shared or sold to other threat actors, increasing the probability of future attacks." Our takeaway from this recommendation is that companies that have already been breached should stay especially diligent about looking for signs of compromise to prevent repeat attacks.
Deeper Dive: Strategies for Avoiding Ransomware Payments
Gartner's Quick Answer reminds us that, as a business, ransomware offers terrible value for its services. Unfortunately, even when ransomware recovery is known to be slow and incomplete, the appeal of making ransomware payments remains, thanks to evolving cyber extortion tactics that now include data exfiltration and exploitation. These tactics have ensured that payment of ransom is extremely common, with 83% of victims paying the demand, according to a 2021 survey by ZDNet. This all points to the conclusion that the best tactic for avoiding cyber extortion and ending the ransomware cash supply is to prevent breaches from occurring in the first place.
To understand how to prevent ransomware, we need to understand the tactics today's extortionists are using. The adversary is rapidly adjusting its business models to become more agile. They're outsourcing specialty tasks and honing in on tactics to skirt conventional security strategies.
By the time today's advanced attackers target an organization, they're already inside. They're gaining this shortcut into an organization's network through the use of initial access brokers (IABs). IABs are specialty criminals who hunt and sell stolen credentials, known unpatched vulnerabilities, or supply chain compromises to larger ransomware operations. Before IABs, cyber extortionists needed in-house technical know-how to be able to effectively target an organization without detection. IABs remove barriers of entry into an organization by enabling them to purchase everything from active directory credentials to VPN access.
To prevent unauthorized access, many companies are relying on intrusion prevention and endpoint security tools, but the intruders are more and more looking toward techniques that bypass these controls altogether. According to the 2021 Verizon DBIR, social engineering attacks were the most commonly reported attack vector, and 61% of all breaches involved stolen credentials. This means that the majority of intrusions use techniques that can't be detected with endpoint detection or signature-based IDS technology.
Detecting Lateral Movement
With the adversary already past perimeter defenses, modern security teams have to change their strategy by putting the focus on detecting threats post compromise. After an initial intrusion, ransomware follows a pattern of lateral movement toward an organization's data, which they subsequently exfiltrate and encrypt. By knowing the lateral movement playbook, security teams can employ solutions that offer network visibility and behavior-based detections to their arsenal of defenses. From there, any time ransomware makes a move, whether it's early-stage lateral movement or late-stage activity, including data staging, defenders have a chance to catch them in the act and stop it before serious damage is done.
Even with the ability to detect lateral movement, it's important to keep in mind that attackers don't like being predictable. The more defenders are aware of their playbook, the more the adversary will alter and obscure their movements to avoid detection.
Hiding in encrypted traffic is one way they're achieving this. By leveraging encrypted protocols such as Active Directory or Kerberos, attackers are able to exploit what you trust the most for their own gains. With that in mind, defenders should strongly consider adding tools that offer strategic decryption to detect attacks that are taking advantage of encrypted traffic.
Ransomware Recovery: Preventing Repeat Attacks
For ransomware victims, the recovery costs expand far beyond any extortion fees: The average ransom payment for mid-size companies in 2021 was $170,000, while the average recovery cost for ransomware totaled $1.85 million, according to a report published by Sophos.
Among other things, the heavy burden on IT and security teams to ensure the future security of their networks adds to the total recovery costs. Beyond data recovery, the biggest challenge for ransomware response is removing the offending malware from the organization's network and securing any vulnerabilities that enabled initial access.
Unfortunately, for many organizations, effectively identifying and securing the initial attack vectors or rooting out malware from their environments can be time-consuming, costly, and incomplete. These pitfalls can result in repeat attacks by adversaries that are able to either regain or maintain their foothold: Cut corners due to budget and time constraints can lead to ineffective handling of affected devices, and a general lack of network visibility can leave attack vectors such as vulnerable IoT devices in place.
Because of these challenges, a startling 85% of ransomware victims see repeat attacks. This is why, even after an attack, network visibility and behavior-based detection are necessary for organizations to maintain proper security hygiene, patch vulnerabilities, and detect signs of malware in their environment that may be leftover from an initial attack.
Staying a Step Ahead of Threats
In a perfect world, the question, 'should companies pay ransomware?' is a clear, unequivocal no—but we know that from a business perspective the answer isn't so simple. If your organization is ever faced with that hard question, refer to Gartner's Quick Answer as a starting place. To avoid paying the ransom altogether, consider adding network visibility and behavior-based detection from a network detection and response (NDR) solution to increase your chances of catching the adversary in the act. We can hope that, by staying ahead of ransomware's game plan, successful extortions will become less and less common.