There's one surefire way to end ransomware once and for all: Stop paying. If every organization that suffered a ransomware attack refused to pay up, the threats would lose their income stream, and the work would dry up leading to the end of these attacks as we know them.
Simple, right? It turns out, not so much.
The ransomware industry has become increasingly adept at generating demand. While there are both government and private entities working to dissuade organizations from paying, including legislation that may ban ransom payments for certain sectors, or the phasing out ofransom payment coverage by cyber insurance companies, the hold that cyber ransom has on its victims makes it likely that breached companies will continue paying the ransom. Organizations that do not pay ransomware risk potential losses that far outweigh the financial hit taken from an extortion fee, which gives attackers a clear advantage.
When an organization's bottom line is at risk, the decision to actually pay ransomware gangs is also a tough one for victims—the benefits and drawbacks have to be carefully considered, as payment never results in immediately reverting back to business as usual.
Ransom Payment as a Business Decision
Before understanding what happens when an organization pays, it's important to consider how the decision should be made. While the act of preventing, detecting, and stopping ransomware prior to any encryption and exfiltration lies solely within the realm of security teams, by the time ransom is demanded, how an organization reacts is a high-level business decision. At this point in the attack, the role of a security team becomes to provide the necessary information to business leaders so that they can make an informed decision.
When data is encrypted or exfiltrated, the first priority is typically to restore business operations as soon as possible to minimize additional damage caused by lost production, halts in sales, and reputational damage. To resume business as usual, victims have to ensure that attackers will deliver on their promise. While there is a slight risk that an attacker will not provide a decryption key, it's a fairly safe bet that one will be provided.
While obtaining an actual working decryptor is highly likely, full data recovery is uncommon among victims. According to a report published by Sophos, only 4% of organizations that paid a ransom got all of their data back. Of the data that is recovered, victims should expect the recovery to be a long, painstaking, and costly process—one that is expected to cost a total of $265 billion globally by 2031.
Ransomware gangs are increasingly threatening to expose stolen data as an added means of extortion, but after an organization pays ransom, the attacker will likely honor a promise not to publish any data publicly. Unfortunately, paying ransom does not stop an attacker from boosting their profits by selling access to victims. This means that companies that have already paid a ransom need to stay especially diligent about closing security gaps to prevent repeat attacks.
Deeper Dive: Strategies for Avoiding Ransomware Payments
As a business, ransomware offers terrible value for its services. Unfortunately, even when ransomware recovery is known to be slow and incomplete, the appeal of making ransomware payments remains, thanks to evolving cyber extortion tactics that now include data exfiltration and exploitation. These tactics have ensured that payment of ransom is extremely common, with 83% of victims paying the demand, according to a 2021 survey by ZDNet. This all points to the conclusion that the best tactic for avoiding cyber extortion and ending the ransomware cash supply is to prevent breaches from occurring in the first place.
To understand how to prevent ransomware, we need to understand the tactics today's extortionists are using. The adversary is rapidly adjusting its business models to become more agile. They're outsourcing specialty tasks and honing in on tactics to skirt conventional security strategies.
By the time today's advanced attackers target an organization, they're already inside. They're gaining this shortcut into an organization's network through the use of initial access brokers (IABs). IABs are specialty criminals who hunt and sell stolen credentials, known unpatched vulnerabilities, or supply chain compromises to larger ransomware operations. Before IABs, cyber extortionists needed in-house technical know-how to be able to effectively target an organization without detection. IABs remove barriers of entry into an organization by enabling them to purchase everything from active directory credentials to VPN access.
To prevent unauthorized access, many companies are relying on intrusion prevention and endpoint security tools, but the intruders are more and more looking toward techniques that bypass these controls altogether. According to the 2021 Verizon DBIR, social engineering attacks were the most commonly reported attack vector, and 61% of all breaches involved stolen credentials. This means that the majority of intrusions use techniques that can't be detected with endpoint detection or signature-based IDS technology.
Detecting Lateral Movement
With the adversary already past perimeter defenses, modern security teams have to change their strategy by putting the focus on detecting threats post compromise. After an initial intrusion, ransomware follows a pattern of lateral movement toward an organization's data, which they subsequently exfiltrate and encrypt. By knowing the lateral movement playbook, security teams can employ solutions that offer network visibility and behavior-based detections to their arsenal of defenses. From there, any time ransomware makes a move, whether it's early-stage lateral movement or late-stage activity, including data staging, defenders have a chance to catch them in the act and stop it before serious damage is done.
Even with the ability to detect lateral movement, it's important to keep in mind that attackers don't like being predictable. The more defenders are aware of their playbook, the more the adversary will alter and obscure their movements to avoid detection.
Hiding in encrypted traffic is one way they're achieving this. By leveraging encrypted protocols such as Active Directory or Kerberos, attackers are able to exploit what you trust the most for their own gains. With that in mind, defenders should strongly consider adding tools that offer strategic decryption to detect attacks that are taking advantage of encrypted traffic.
Ransomware Recovery: Preventing Repeat Attacks
For ransomware victims, the recovery costs expand far beyond any extortion fees: The average ransom payment in the US was $812,360 in 2021, a fourfold increase from 2020 averages, while the average recovery cost for ransomware totaled $1.08 million, according to Sophos.
Among other things, the heavy burden on IT and security teams to ensure the future security of their networks adds to the total recovery costs. Beyond data recovery, the biggest challenge for ransomware response is removing the offending malware from the organization's network and securing any vulnerabilities that enabled initial access.
Unfortunately, for many organizations, effectively identifying and securing the initial attack vectors or rooting out malware from their environments can be time-consuming, costly, and incomplete. These pitfalls can result in repeat attacks by adversaries that are able to either regain or maintain their foothold: budget and time constraints can lead to ineffective handling of affected devices, and a general lack of network visibility can leave attack vectors, including vulnerable IoT devices, in place.
Because of these challenges, a startling 85% of ransomware victims see repeat attacks. This is why, even after an attack, network visibility and behavior-based detection are necessary for organizations to maintain proper security hygiene, patch vulnerabilities, and detect signs of malware in their environment that may be leftover from an initial attack.
Staying a Step Ahead of Threats
In a perfect world, the question, 'should companies pay ransomware?' is a clear, unequivocal no—but we know that from a business perspective the answer isn't so simple. To avoid paying the ransom altogether, consider diversifying your defensive tactics with processes and solutions that can help spot and halt ransomware in the midgame—after the initial intrusion—to increase your chances of catching the adversary in the act. We can hope that, by staying ahead of ransomware's game plan, successful extortions will become less and less common.