Ransomware: To Pay or Not to Pay

David Derigiotis | 4 min | August 16, 2024

Cyber Liability

This article was originally published on Live Insurance News.

When one threat actor group is taken down another one appears in its place ready to devastate organizations. The number one cyber threat? Ransomware.

By 2031, ransomware will cost victims an annual total of $265 billion. Until recently, the largest known ransomware payment was the $40 million paid by CNA Financial to regain control of its systems. Now, Dark Angels—one of the top cyber threat groups to watch—has broken that record with a $75 million payment, almost double the previous largest.

With ransomware attacks increasing and becoming more costly, the question becomes—to pay or not to pay. Choosing whether or not to pay a ransom to a threat actor group isn’t an easy decision.

Here are some insights to aid in making this difficult choice:

Pros of Making a Ransomware Payment

Prompt Data Recovery

For businesses that cannot afford prolonged disruptions, such as healthcare or critical infrastructure, paying the ransom can be beneficial. For example, if a hospital’s data is held for ransom, downtime or encryption of critical data can potentially put patients at risk. When the ransom is paid, the goal is for data to be returned and decrypted to minimize downtime and restore business as usual. Paying a ransom will never guarantee that recovery will be swift; however, that option must be compared against the impacted organization’s overall preparation for this type of incident. Veeam’s 2023 Ransomware Trends Report indicates that it takes an average of 24 days to regain a foothold on the organization’s production data after a ransomware attack.

Cost-Benefit Analysis

In certain cases, it might be more economical to pay the ransom than to endure the potential costs associated with business disruptions, lost revenue, and damage to reputation. For instance, Caesars paid a $15 million ransom following a cyber attack, while MGM chose not to pay, highlighting the different strategies for handling cyber threats. MGM Resorts International disclosed that the costs resulting from the September 2023 ransomware attack surpassed $100 million. Businesses should weigh the immediate expense of paying ransom against the broader financial impact of an extended shutdown. This includes considering the costs of lost revenue, customer attrition, and potential regulatory fines. A thorough cost-benefit analysis can help organizations determine if paying the ransom might be more economical than orchestrating prolonged recovery efforts.

Cons of Making a Ransomware Payment

No Guarantee of Data Recovery

Paying the ransom does not guarantee the attackers will hold up their end of the deal. It is entirely possible the threat actors will not provide the decryption key, or that the decrypted data will not be intact and usable. There is also the risk of becoming a future target, because paying a ransom marks an organization as a willing payer, potentially encouraging further attacks from the same group or others. This cycle can lead to increased vulnerability and recurring financial losses. However, certain threat actor groups maintain ‘codes’ of their own that they claim protect paying victims. One group states, “If the affiliate refuses to send you the decryptor after your payment, you can contact us and we will send the decryptor for free.”

Funding Criminal Enterprises

Ransom payments often flow to criminal and terrorist organizations that fund acts of war, human trafficking, and drug smuggling. This creates a moral and ethical dilemma for the victims. Do they pay the cybercriminals knowing that their payment will fund something nefarious, or do they refuse at the risk of their business and its employees? It’s not an easy decision, as every corporation has different circumstances. As long as these organizations are funded, more threat actor groups develop and become more difficult to track, contributing to the perpetuation of ransomware attacks.

Compliance and Legal Risks

Paying a ransom may involve significant legal and compliance risks, including potential violations of sanctions laws and regulatory requirements. Failure to adhere to these legal constraints can result in severe penalties, reputational damage, and further scrutiny from regulatory bodies. Currently, a handful of states prohibit governmental entities from making ransomware payments. North Carolina was the first state to pass a law prohibiting state agencies and local government entities from paying ransoms or communicating with ransomware threat actors. Florida followed, becoming the second state to restrict how public entities can respond to ransomware events; Florida’s law prohibits state agencies, counties, and municipalities from paying or complying with ransom demands.

Insurance Considerations

Cyber insurance policies can cover various costs associated with ransomware attacks, including skilled negotiators, ransom payments, forensic investigations, and business interruption losses. However, organizations must thoroughly understand their policy terms and conditions, as some insurers may have specific requirements or limitations regarding ransomware payments. This can include conditions such as mandatory reporting to law enforcement, the necessity of prior approval before making any ransom payments, and adherence to specific cybersecurity protocols. Additionally, policy exclusions or sub-limits may apply, which could impact the extent of coverage available in the event of a ransomware attack. Understanding these nuances is essential to ensure adequate protection and compliance with insurance provisions.

OFAC Considerations

Organizations must navigate a complex landscape of compliance requirements when dealing with ransomware attacks, particularly regarding sanctions laws and regulatory disclosures. This includes ensuring ransom payments do not violate international or domestic sanctions by inadvertently funding sanctioned entities or individuals. The Department of the Treasury previously released an advisory identifying the potential sanctions risks for facilitating ransomware payments. The advisory stated, “U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes.”

Corporate Governance & Disclosure Obligations

Public companies should consider their disclosure obligations to shareholders and regulators when dealing with ransomware attacks. Material cybersecurity incidents, including significant ransomware attacks, must be disclosed in Securities & Exchange Commission (SEC) filings. This disclosure ensures transparency and informs investors about potential risks to the company’s financial performance. It's crucial to consider the attack's impact on operations, finances, and reputation, and to provide detailed information about the incident, response measures, and future cybersecurity implications. Failure to adequately disclose such incidents could result in regulatory scrutiny and damage shareholder trust.

Weighing Risk & Reward

Navigating this challenging cyber landscape requires a thorough understanding of the implications of each choice. While paying the ransom might offer a quick fix, it can also encourage further attacks and pose serious ethical concerns. On the other hand, refusing to pay could lead to extended operational disruptions and financial losses.

Organizations must weigh the pros and cons carefully, considering factors like client trust, insurance coverage, compliance requirements, and corporate governance obligations. A well-informed decision, supported by well-developed cybersecurity measures and a comprehensive response strategy, can help mitigate the impact of ransomware attacks and safeguard businesses for whatever the future holds.
