Ransomware, To Pay or Not To Pay

Posted by Mark Greisiger

A Q&A with Winston Krone, Kivu
Unfortunately, for now, it appears that ransomware attacks, wherein hackers encrypt data and hold the decryption key for a sum of money, are here to stay. That leaves the attacked organization with a tough quandary: whether or not to actually give in to the criminal’s demands. We talked to Kivu’s Winston Krone about the latest thinking on when it’s appropriate to pay the ransom.

What factors should be considered when weighing whether or not to pay for data acquired during a ransomware scheme?
Assuming that legal due diligence checks out (to be compliant with OFAC, AML and anti-terrorism laws), the key factors we consider are:

  • The likelihood that this particular attacker is able to provide the correct decryption methods to recover the encrypted data. In our case, this includes using our experience of the current attackers and their groups to determine the specific attacker’s maturity and previous attacks (if any).
  • Even if the attacker provides the decryption method, we want to know whether the client’s network is likely to have suffered corruption caused by the attack. This will include reviewing the client’s network and applications to identify specifically vulnerable systems such as out-of-date operating systems or live databases.
  • We will identify existing backups (even if not current), as our analysis of the particular ransomware variant and the client’s network may indicate it will be quicker to recover from older backups and third-party sources than to attempt decryption and deal with the corruption issues.

How often do you see organizations paying ransoms?
There’s a self-selection process involved with cyber insurance panels. We’re mainly getting called when an organization needs critical data recovered but believes that it cannot restore from backups. In some cases we’re able to find data that they’ve missed or we advise the clients that paying a ransom is either pointless (since we strongly believe the attackers won’t respond or corruption issues will make successful recovery impossible) or full restoration will take much longer than the client was expecting. However, in the majority of cases, a client will proceed with paying a ransom of some amount.

How often is it that those that pay ransom don’t get their data returned by the bad guys?
Prior to 2018, the failure rate was less than 0.25%. However, in 2018, we saw a surge in amateur attackers using RaaS (ransomware as a service) platforms who couldn’t follow their own processes or didn’t understand how the ransomware tools worked – leading to cases where the attackers could not provide proper decryption even when a ransom was paid and the attackers were willing to assist. However, it’s still very rare for an attacker to take a ransom payment and maliciously not follow through.

If an organization doesn’t pay, how does that usually play out?
It depends on why the organization doesn’t pay. If it’s because backups are found to exist, then frequently recovery is slow but ultimately successful – although in complex and large networks, some corruption is inevitable. If the reason for not paying is because we advise that the attacker will not be able (or willing) to assist, or because corruption issues will make paying a ransom pointless, then the organization is going to suffer significant business interruption while it attempts to recover missing data from employees, isolated machines and third parties/business partners. This process can take months, and some data may never be recoverable.

In summary…
I want to thank Winston for his always spot-on perspective on ransomware, which is now a leading cyber risk insurance cause of loss for cyber claims. Winston does a great job of highlighting the hurdles and pressure points a policyholder must navigate when trying to resolve this type of cyber attack. It’s far more nuanced than simply paying a threat actor some bitcoin. Without the guidance of a skilled practitioner there are many pitfalls, even if things are going well.

Our 2019 NetDiligence® Cyber Claims Study showed tremendous growth in ransomware cyber claims. This loss exposure can include business interruption, payment of significant extortion funds and a negative impact on corporate reputation. And, after talking to various technical experts, Breach Coach® lawyers, and our insurance carrier partners, we believe this trend will continue. Having insurance along with an actionable data breach crisis plan can help mitigate this exposure.