Should you pay Ransomware?

What is Ransomware?

Ransomware is a form of malicious software, which works by encrypting access to an organisation’s files. The threat actor(s) behind the attack will demand a ransom payment, typically in cryptocurrency, in order to release the data and files that have been encrypted.  

Ransomware attacks range widely in their severity and complexity. A common type of ransomware attack is the ‘Scatter gun’ method. This style of attack does not have one particular target and may send thousands of phishing emails to try and manipulate one victim into downloading ransomware.  

Tactics, techniques and procedures (TTPs) are what are used to describe the methods threat actors use to effectively deploy ransomware. Once one of these TTPs has been effective, the offender will use psychological manipulation to pressure the victim into paying a ransom. For example, threat actors have been known to increase the ransomware payment demand by the hour or threaten to release sensitive files if a payment is not made within a specific time period.  

Consider this scenario: Your organisation is heavily reliant on systems, applications and customer data to operate on a day-to-day basis, and you’ve been hit by ransomware. Your data is unusable, your systems are offline.  

Your employees are unable to do their jobs, customer commitments are not being met and the media is sniffing around asking for information. You’re in danger of losing customers, the downtime is costing you money and your reputation is tarnished by the news headlines.  

Everyone is stressed, there’s panic and you don’t have a robust incident response plan in place, because “it would never happen to us”. Faced with a seemingly impossible situation, the message comes down from the executive team: “Let’s pay the ransom and get everything up and running as quickly as possible”. 

Ransomware statistics

While it’s well understood that paying the ransom is rarely a good idea, over 80% of organisations in the United Kingdom (“UK”) did so last year, according to Proofpoint research and it’s an understandable, if less than ideal, response when faced with the alternative of complete business failure.  

In fact, the issue of ransomware payments has become so pressing that the Information Commissioner’s Office (“ICO“) and National Cyber Security Centre (“NCSC“) recently published a joint letter to the UK Law Society, urging the body to remind its members that law enforcement “does not encourage, endorse nor condone the payment of ransoms.”  

The letter touches on what the bodies have noted as a common misconception, where organisations and lawyers alike misguidedly believe “that payment of a ransom may protect the stolen data and/or result in a lower penalty by the ICO should it undertake an investigation.” 

The challenge is that ransomware will remain a problem. The latest Data Breaches Investigations Report by Verizon notes that this year ransomware has continued its upward trend with an almost 13% rise in attacks – which is an increase as big as the last five years combined.  

Ransomware attacks are becoming increasingly complex, as threat actors find new ways to put pressure on organisations. The damage from ransomware is also on the rise, particularly across the healthcare, education and legal sectors due to the vast amounts of personal and financial data they process.   

Recent high-profile breaches include Cisco being hacked by Yanluowang ransomware gang, and the ransomware attack on Advanced, an IT company that supplies the NHS 111 software, which targeted the system used to refer patients for care, including ambulances being dispatched, out-of-hours appointment bookings and emergency prescriptions. 

In this blog, we explain how ransomware works, why you shouldn’t pay a ransomware demand, and how best to prepare for and respond to ransomware incidents. You may also find our latest blog “What should you do after a cyber security incident” helpful, for steps to take following a breach. 

Common TTPs include:

Phishing: A form of social engineering in order to trick a user into giving up their credentials, usually delivered by email. Our blog on Phishing Emails and How to Identify Them provides more information.  

Remote access: Threat actors scan the internet regularly for open ports such as remote desktop protocol and use they will then use them as an entry point into a system. 

Account compromise: Once a hacker has user access, they can then use several different methods to escalate privileges and get access to administrator accounts, gaining the ability to deploy ransomware in the most damaging locations.  

Known Vulnerabilities within software or applications: Known vulnerabilities that have patches available can be exploited to gain system access if there is not a frequent and up-to-date patching process within an organisation.  

Why you shouldn’t pay a ransomware demand

It’s important to note that, while committing a ransomware attack is a criminal offence, paying a ransom demand is not against the law. Despite this, we still advise clients to avoid giving in to ransom demands. This is because:  

• It’s unlikely you will get your data back if you pay: One of the main motivations an organisation has for paying the ransom is to quickly restore operations and regain control of their systems and data. However, history has shown that this rarely happens. Ransomware research from the security vendor, Cybereason, found that only 42% of organisations that paid the ransom found the payment resulted in the restoration of all systems and data. Moreover, 54% said that system issues persisted or some data was corrupted after decryption.  
• The threat actors responsible are more likely to target your organisation in future attacks: Threat actors are not known for their integrity. If your organisation pays their ransomware demand, you have proven to a nefarious individual that you will be susceptible to exploitation – and they may target you in future attacks. In line with this, the same research from Cyberreason noted that nearly 80% of organisations that paid a ransom suffered repeat ransomware attacks. 
• You risk double extortion: Should your organisation pay for the decryption key, the attacker may then extort you a second time and demand an additional payment and threaten to release the data previously compromised publicly. 
• Paying the ransom is not an appropriate measure under the UK GDPR: UK data protection law requires organisations to make use of appropriate technical and organisational measures to secure personal data and restore it following an information security incident. Despite some confusion, it’s crucial to understand that paying the ransom is not considered an appropriate measure. Indeed, as noted in its letter to the Law Society, the ICO and NCSC note that “the ICO does not consider the payment of monies to criminals who have attacked a system as mitigating the risk to individuals and this will not reduce any penalties incurred through ICO enforcement action.” 
• Paying the ransom does not mitigate your obligation to report the attack: In the event that personal data is subject to a ransomware attack, you will need to notify the ICO regardless of whether or not you have paid the ransom. As such, if your organisation is looking to pay the ransom to avoid legal implications, you must understand that this will not be the case.  

What should organisations do during a ransomware attack instead?

Improve your security posture 

Whilst a ransomware attack is undoubtedly a stressful and unpleasant situation to be in for any organisation no matter the size, there are steps you can take to help reduce the risk of an attack becoming a successful compromise.  

These steps cover technical and organisational measures you can implement to improve security hygiene; ensure good vulnerability management and secure configuration, and improve employee awareness of the threats and TTPs used by ransomware groups.  

For further advice on how to protect against ransomware attacks,  our blog on the three crucial steps to follow to defend against ransomware is a good starting point.  

Incident Response 

No matter how hard you try you cannot, however, guarantee that you will not fall victim to ransomware. For this reason, you need to implement an incident response plan and supporting procedures which cover steps to follow in the event of a successful attack. These cover everything from detection, containment, eradication and recovery.   

Having a well-rehearsed plan in place will help you identify, mitigate and recover from a ransomware attack based on decisions you have already made when not under the pressures listed at the top of the blog.  

A response plan will instil confidence not only within your organisation but throughout your wider supply chain. It can help when applying for or renewing cyber security insurance as well as ensuring that you have a team of people in place to investigate a breach immediately and start the process of recovering systems.  

For more information on incident response measures, download our free Guide to Incident Response.  guidance on incident response. If you would like support with improving your incident response capability and enhancing your ransomware defences, please see our cyber security services. 

Prevent ransomware attacks

If you need help or advice on how to manage your business’s cyber security and help to mitigate ransomware attacks, we’re here to help. We can advise on your security vulnerabilities, select the right security technology and check your systems are configured correctly. We can also put policies in place and run staff training exercises. Contact us for a friendly chat. 

Graphic by: https://www.freepik.com/vectors/illustrations’>Illustrations vector created by storyset – www.freepik.com​