Payment considerations following ransomware attacks

Both the frequency and sophistication of ransomware attacks are rising. Affected businesses can be tempted to authorise requested ransom payments to renormalise operations as fast as possible. However, this is not a decision any company should hastily take without thorough consideration and due diligence.

Building on advice published by the International Counter Ransomware Initiative (CRI), this article explores the key issues surrounding ransom payment. It also offers recommendations on how organisations can build robust cyber incident responses to mitigate ransomware threats.

Considerations if declining payment
Typically, national governments strongly discourage organisations from making ransom payments. Authorities believe paying a ransom treats criminals as business partners and, arguably, promotes criminal activity of this type, as well as inflating future ransom demands.

Payment does not guarantee that the attackers will provide decryption keys, and if they are provided, there is no certainty they will work. Generally, it is in the cyber criminals’ interest to deliver a working decryption key, because the viability of this type of crime depends on victims believing payment restores access. While studies suggest the majority of organisations that had their data encrypted regained access, the process is not always straightforward.

Furthermore, authorities consistently warn that criminals’ promises to delete victim data after ransom payment cannot be trusted. For example, after investigating LockBit, law enforcement officials discovered that the criminals were retaining data they had pledged to delete after receiving payment.

Considerations if electing to pay
There may be occasions where a victim decides that paying a ransom is the better option. However, decisions about payment should be informed by as comprehensive an understanding as possible of the incident’s impact and of how payment could change potential outcomes and repercussions.

If the targeted company does not have a secure and separate backup, recovery without a decryption key may be complicated or impossible. Reaching this conclusion may require the help and assessment of specialised consultants. Ransom payments can sometimes be lower than the costs and business interruption losses associated with a system’s downtime.

However, decryption keys are not a magic bullet, and it may take several weeks for a company to get back online. It is therefore important to have the requisite backups, and this should be part of your incident response plan.

Fees associated with forensics and data recovery depend largely on company size and on the scale and complexity of the attack. As not all insurance policies cover such incidental expenses, or the ransom payment itself, businesses must carefully check the exact wording of any cyber policy before making decisions.

Advice for affected companies
Following a ransomware attack, companies should fully assess the situation to gain a clear understanding of the nature of the attack. Ideally, the targeted company will have a thorough and rehearsed crisis response plan to initiate. A key first step of this will be notifying their insurers of the attack. Depending on the policy, the insurer may instruct a third-party cyber-security incident response team to conduct forensics, assess the extent to which systems are affected, and determine the viability of recovering systems and processes from backups.

Additionally, the affected company could hire a ransomware specialist to negotiate with the malicious actors. This may involve asking for a reduction of the payment on the basis that not all systems need to be decrypted. The specialist may also seek evidence that the proposed decryption key works, by requesting a decrypted file as proof. A robust cyber insurance policy could cover these costs, and the underwriter’s breach response team will also assist in the practical implementation of these measures.

Businesses should seek specialist legal advice on conducting their response. Legal professionals will be able to help organisations understand and carry out their contractual and regulatory obligations in the event of a ransomware incident.

To limit the consequences of an attack and ensure remediation is straightforward, companies should maintain good security hygiene and system health practices. To build resilience against cyber threats, organisations should:

  • Maintain offline backups of any critical data

  • Update operating systems to the latest version and shorten patch cycles

  • Use multifactor authentication and complex unique passwords for each login

  • Disable any unnecessary network services

For further advice, the aforementioned CRI guidance provides help on what companies should aim to do.

Liaising with your insurer or broker
Before making hasty decisions, any business falling victim to a ransomware attack should consult its broker or cyber insurer, legal counsel and, where appropriate, law enforcement authorities. Regardless of the decision taken on whether to pay the ransom, companies must consider their legal and contractual obligations to customers, partners and relevant third parties.

For further information, please visit the Lockton Cyber and Technology page, or contact a member of our team.