Should you pay a ransom?

In early June, Michigan State University revealed it had been hit by hackers using Netwalker ransomware; at the same time, the University of California, San Francisco experienced a similar attack.

In both cases, the hackers encrypted data held on university servers and demanded a ransom for its release, but the two institutions responded in very different ways.

Both were able to lock down quickly, limiting the amount of data that was compromised, and both reported the breach to users and law enforcement. But while MSU refused to hand over the ransom, UCSF paid up.

“The data that was encrypted is important to some of the academic work we pursue as a university serving the public good,” the UCSF explained in a statement.

“We, therefore, made the difficult decision to pay some portion of the ransom, approximately $1.14 million, to the individuals behind the malware attack in exchange for a tool to unlock the encrypted data and the return of the data they obtained.”

Rising trend for paying ransoms

Ransomware attacks such as these have been on the rise for some time and the growth has only accelerated during the coronavirus crisis. In March, according to security form VMware Carbon Black, ransomware attacks shot up 148 per cent from February.

And there’s also a trend towards paying up, with a recent survey carried out for insurer Hiscox finding one in six organisations experiencing a ransomware attack in the last year has handed over the cash.

Traditional wisdom is this is a bad idea. Law enforcement agencies don’t like it as it encourages the criminals.

But Josh Zelonis, principal analyst with Forrester, says it may make sense to consider paying the attackers, much as it may stick in the craw. This means taking a careful look at precisely which systems have been impacted.

“I know of one particular situation where they didn’t pay the ransom because of the systems that were hit; they were critical, but not so critical,” he says.

“The comment that was made to me was that if they’d encrypted these other systems, they’d have paid instantly.

Ransomware success relies on unpreparedness

Many organisations are unprepared for an attack, making it more likely that they’ll be forced to pay up. Indeed, says Zelonis, even where organisations do regularly backup their data, most fail to check their backups.

“In a survey I did, the vast majority of companies, which tested their ability to recover from an attack, backup once a year and something like 90 per cent of backups complete with errors, and the severity of these errors is to be determined,” he says.

“So a lot of organisations are running these costly backup solutions and don’t actually know whether those backups are going to work until somebody’s gone and encrypted their infrastructure.”

However, paying up certainly isn’t a way of magically making the problem go away. According to John Shier, senior security expert at Sophos, the average cost of a ransomware attack where the ransom is paid is $1.4 million, almost twice as much as where the ransom is denied.

“When you get hit by ransomware, it’s because there’s some sort of deficiency in your protection,” he says.

“So the act of paying the ransom only solves part of the problem – the problem of getting your encryption keys and the restoring of your files – but it doesn’t resolve the underlying problem, which is whatever the criminals exploited in the first place to get on to your network. That hole still exists.”

Paying the ransom doesn’t always work

It’s also worth remembering that paying the ransom doesn’t necessarily mean things will get back to normal. Sophos has found that in 1 per cent of cases, paying the ransom did not lead to the recovery of data; 5 per cent for public sector organisations.

In fact, 6 per cent of organisations surveyed, and 13 per cent of public sector organisations, never managed to restore their encrypted data at all.

To an extent, it’s possible to plan whether a ransom should be paid, and the important thing is to ensure the organisation is in a position to make a quick decision.

“You can prepare ahead of time. You can get your business stakeholders together and put together a plan for if the worst happens,” says Shier.

“When something unforeseen forces your hand, that’s when you make a last-minute decision, but you have to have all your stakeholders in place.”