Everyone knows the mantra: if you're infected with ransomware, don't pay up as it just encourages more attacks.
By paying the attacker, the theory goes, you're proving that their method of extortion works – that they will make money (potentially a lot of it) by holding data hostage.
However, at this year’s RSA Conference, there’s been a shift in tone within the security community. While nobody is outright advising businesses, or individuals, to pay up, they are acknowledging that many companies that fall victim to a ransomware attack do just that. Indeed, a survey by IBM towards the end of 2016 showed that around 70% of companies affected by ransomware had paid to get their data back, with payouts reaching the $1 billion mark that year.
Why businesses pay
There’s one strong business imperative to pay a ransomware demand: it’s less expensive to cough up than it is to hold out against the attackers.
“You may say ‘look, we have a business principle here, we’re not going to pay the bad guys’. But if you’re confronted with the business reality of paying the bad guys a few Bitcoins versus being offline or losing millions of dollars worth of data, your business principle might give way to the business reality of having to pay the ransom,” said Ed Skoudis, an instructor at the SANS Institute, during the Seven Most Dangerous New Attack Techniques panel.
Marcin Kleczynski, CEO of Malwarebytes, gave the example not of cryptoransomware, but of a DDoS-based ransom attack, where a business is taken offline until a ransom is paid.
Speaking to IT Pro, he said: “Imagine a botnet being pointed at an airline’s ticketing website, which produces tens of millions of dollars in revenue per hour. I [as the botnet controller] say ‘this will continue unless you pay me $1 million now’.”
“$1 million is much less than the $10 million it makes per hour, so why not extort that kind of money?”
Indeed, having a backup and recovery system in place is no guarantee that a company won’t pay the ransom, even though in theory it should negate the need to do so.
Jeremiah Grossman, chief of security strategy at SentinelOne, told IT Pro: “What we find in [our] research is that, of those who pay the ransom, around 50% actually have backups. So the backups aren’t a panacea.
“What happens is, say you have the backups but the bad guys have encrypted 1,000 of your machines. IT says ‘yeah, we’ll recover, no problem – in a week’.”
If the ransom is only $50,000, Grossman said, then they “write the cheque”, as it’s more expedient and quite possibly cheaper.