Speaking to Techerati, Naaman Hart, cloud services architect at cybersecurity company Digital Guardian, explores the pressures to pay ransoms and the rise of the trustworthy attacker
Ransomware is such a popular means of attack that it is almost becoming infeasible to report on every single breach. According to recent figures, ransomware accounts for nearly 24 percent of all malware incidents. Companies are yielding to attackers at a staggering rate, turning the ransomware market into a lucrative business.
While in an ideal world we would hope no company would give in to attackers, in the current climate this is an unrealistic ideal, and for many reasons it is entirely rational for a company to pay up. But firms still need to go about the process in an intelligent way: to maximise their chances of getting their files back and to ensure they don't fall victim again. We asked Naaman Hart, cloud services architect at Digital Guardian, to outline the best practices.
Why pay
While it is clearly unethical to fund criminal activity, there are many practical and financial reasons companies decide to pay ransomware ransoms. First, the cost of downtime often far outweighs the price attackers demand, especially in the manufacturing industry. In the most competitive industries, such as instant online services, if users cannot access a firm's websites they will simply go to a competitor.
On top of these strong incentives, many companies also have insurance policies whose providers pressure them to pay early, before the cost of downtime exceeds the ransom. Where a ransomware insurance policy covers some or all of the payment, its cost to the business decreases further. That is before we consider that the malware itself, such as Ryuk, is becoming more sophisticated and harder to recover from without the attacker's key. Naaman added that reputation also weighs heavily in firms' calculations:
“If you just pay them, then the whole situation goes away and there’s no need to report any data loss or anything like that,” he said. “This is completely against everything. It’s against GDPR, it’s against best practices, it’s ethically questionable. It’s not really what they should be doing, but you can understand the reasoning in that they just want this to go away and they want to keep it quiet.”
There are basic measures that reduce the impact of an attack, such as keeping offsite backups segregated from normal day-to-day systems (so that they cannot be encrypted along with everything else) and rehearsing the accompanying recovery drills. But if a company has not made these preparations in advance, payment quickly becomes the 'cheapest' option.
Before paying
If forced into this corner, firms must be shrewd in the way they go about it, as there is a significant price tag attached, and one that is rising year-on-year. Coveware research shows that the average ransom organisations pay per incident nearly doubled in a single quarter, from $6,733 (£5,198) in Q4 2018 to $12,762 (£9,821) in Q1 2019.
Some argue that paying at all is foolish. It is true that there are no guarantees attackers will supply a working decryption tool upon payment. Indeed, a 2018 study claimed that on average fewer than half of those who handed over the money successfully retrieved their files. However, recent research suggests the tide is turning. Coveware claims that 96 percent of companies who pay their ransom receive a working decryption tool, and that those companies manage to decrypt 93 percent of their data with it; the remainder is not guaranteed even after payment. Naaman said the shift is unsurprising. Attackers are getting savvier, appreciating that a reputation for honouring payment lands them more cash.
“It’s ironic that you can call them trustworthy, but that is essentially the basis of the business,” Naaman said. “If those companies actually weren’t able to restore your data when they are paid, then that would quickly get around and this industry literally would die overnight. Attackers are putting a lot of time and effort into making sure that they can recover your data and their payment mechanisms.”
In the presence of these incentives, victims can by and large assume that attackers will hold up their end of the deal. Nevertheless, it would be imprudent to simply panic and pay without first examining the breach properly, starting with identifying the strain involved and confirming what was actually encrypted.