What should be considered by companies that are faced with ransomware?
As ransomware attacks become more common and sophisticated, the decision to pay or not pay a ransom becomes more difficult.
It is difficult to know for sure what proportion of ransomware victims worldwide transfer money to the attackers. Some reports for 2021 put this figure at around two-thirds of cases.
Paying the ransom can often seem like the most reasonable way to solve the problem. However, it is critical to consider both the immediate and the long-term impact on the business. For example, there is no guarantee that paying the ransom will undo the damage already caused. Also, a payout can encourage attackers to launch new attacks if they see a willingness to meet their demands.
In many cases, the ransom itself is only a fraction of the costs the company incurs. According to various studies, the total cost of mitigating the consequences of an attack is on average seven times higher than the amount of the requested ransom.
If the attacker is deliberately intimidating the victim company and wants to undermine its finances, paying a ransom is probably not the best solution. This rule is especially relevant for incidents involving geopolitical risks. In addition, state organizations are more likely to adhere to a policy of non-payment, whatever the attackers threaten.
The overall damage from an attack usually depends on several aspects at once: the cost of the ransom, reputational damage, and regulatory fines. When it comes to data loss, the risk largely depends on how confidential the stolen data is. For example, plain email addresses and the names of customers or company employees are much less valuable to attackers than identity cards, passport copies, or medical records.
And if attackers understand the importance of the data they hold, they are likely to demand a higher ransom. For example, one report from IBM indicates that data breaches in the healthcare industry are estimated by hackers to be about twice as expensive as breaches in other industries.
Regardless of whether the company decides to pay the ransom or not, it will have to negotiate with the attackers. Experts advise hiring a professional negotiator who knows what to say and what not to say, and who has a better understanding of which tactics to use. Proper negotiation can help buy time and establish who carried out the attack, what information was stolen, and what the criminals are after.
The decision not to pay the ransom may seem right at first, but this may change as the victim learns more about the circumstances of the attack. Mishandled communication with the attackers can provoke them to break off negotiations and put the victim in an awkward reputational position through public statements.
Over the years, various countries have considered banning ransom payments. For example, following the recent cyberattacks on Medibank and Optus, Australian Home Secretary Clare O'Neil said the Australian government would consider making ransom payments illegal. But what if the cost of paying the ransom is less than the damage that inaction causes? Then such a law can only make matters worse.
Despite the ever-changing nature of ransomware attacks and the varying motives of attackers, the human element of effective negotiation remains the key to a solution. Successful negotiation with attackers is critical to limiting the potential damage to the victim company.
Companies should always weigh all the advantages and disadvantages of paying a ransom and explore possible alternatives. Ultimately, the company's finances and reputation are at stake, so any decision must be balanced, and it is worth taking only after a thorough analysis of all possible risks.
And to avoid having to resolve such difficult questions under pressure, a company can prepare in advance. For example, conduct regular security awareness sessions with employees and explain the tricks that scammers typically use. This greatly improves the chances of keeping the company's networks uncompromised even when attackers resort to social engineering and other forms of deception.