Ransomware has become one of the most common and profitable forms of cyber crime, but an obvious fact is often neglected: the attacks are only worthwhile if the victim chooses to pay up.
Of course, it’s easy to say that organisations can ignore criminals’ demands, but when facing weeks of disruption, huge financial losses and the prospect of customers’ personal data being leaked online, you can understand why some victims cave in.
This is contrary to the advice of experts, who warn that there is no guarantee that attackers will decrypt the information once you’ve paid up, but in desperate situations, organisations have repeatedly shown that this is a risk they’re willing to take.
Although paying up might help organisations out of their immediate dilemma, it has spurred on criminals to conduct more attacks and seek larger payments.
According to the Coveware Quarterly Ransomware Report, the average ransom payment increased from £50,000 in the third quarter of 2019 to more than £160,000 a year later.
But just as we were wondering how much organisations were willing to pay rather than implement measures to mitigate the risks of ransomware, Coveware has given the answer.
Its latest figures signal that organisations have had enough, with the average ransomware payment plummeting by 34%.
Ransomware victims are calling criminals’ bluff
According to Coveware, the sudden drop-off in ransom payments is related to cyber criminals’ threats to publicly release the stolen data if organisations don’t pay up.
In Q3 2020, one in two ransom demands gave this ultimatum, which is designed to prevent organisations from simply restoring their systems from backups.
That’s because, although backups would enable them to get back to work without paying for a decryption key, the organisation would still face the reputational damage and regulatory consequences of a data leak.
As such, almost three quarters of organisations put in that situation paid up.
In Q4 2020, the proportion of ransom demands making this threat increased to 70%, yet fewer than two thirds of organisations decided to pay.
The reason for this is simple: organisations have noticed that criminals are leaking sensitive data whether the ransom demand is paid or not.
Without the incentive to negotiate with the attacker, organisations can restore their systems from backups and accept that a data leak is inevitable.
How should you respond to a ransomware attack?
It may sound defeatist to say that a data leak is inevitable, but once you’ve got into that situation, there is nothing more you can do – but not just because of the likelihood that the data will be leaked anyway.
Rather, once a cyber criminal has infiltrated your systems, any information they access has already been breached.
It doesn’t matter if you get the data back or if the attacker deletes it; the confidentiality has been violated and you face the same legal consequences as if the data had been leaked online.
You are therefore much better off looking at ways to get back up and running and contain the reputational damage than spending money on something that makes very little difference to your wider response strategy.
We’ve previously discussed the best approach to responding to a ransomware attack, but we also offer tailored consultancy to guide you through the process in real time.
With our cyber security incident response service, our experts will take the reins of your recovery effort, helping you through every step, from identifying the source of the breach and stemming the damage to notifying the appropriate people and returning to business as usual.