- Most executives have paid ransoms and would pay again in the event of an attack, despite broad and consistent advice to the contrary.
- Nearly four in five organizations impacted by ransomware attacks have paid the ransom to regain access to corporate data, according to a survey conducted last month by Kaspersky.
- The findings, while not surprising, highlight the extent to which a widely acknowledged best practice is rarely followed. Cybersecurity professionals, including Kaspersky, consistently advise businesses hit by ransomware to never pay the ransom.
Payments incentivize ransomware threat actors and reinforce their use of malware for financial gain. Executives often approve ransomware payments because paying works, but the benefits are short-lived.
“If they’ve come in and owned you, so to speak, and you pay them, they’re likely to do it again because you’ve just taught them that you’re willing to pay. It’s a matter of if, not when,” said Charles Jacco, principal at KPMG’s cybersecurity advisory practice.
Nearly two-thirds of companies confirm they’ve fallen prey to ransomware, and 97% of the leaders that paid ransoms in the past will do so again, according to Kaspersky’s survey of 900 senior executives.
Among companies that are more aware of the ransomware threat (the number of attacks almost doubled last year), 43% are inclined to pay ransoms immediately, compared with 26% of those that were less informed, according to Kaspersky.
One in five companies that didn’t pay ransoms still regained access to their data, but because the majority of companies do pay, it’s unclear how much success refusing to pay might have if it were followed more broadly.
The ransomware challenge, specifically whether or not to pay, remains largely theoretical for executives until they experience an attack. The guidance from cybersecurity advisors, regulators, and law enforcement agencies is clear, but the widely held view that ransom payments teach bad behavior is rarely put to the test when enterprise data and financial performance are on the line.
Last year’s attack on CNA Financial, which occurred as the rate and scale of ransomware incidents grew throughout 2021, emphasized the difficult choice business leaders must make following an attack. The company, which offers cyber insurance tools among other services, reportedly paid its attackers $40 million after a ransomware attack blocked access to its network and exposed sensitive data.
The payout is likely the highest known ransom payment to date. Other widely publicized incidents, including the cyberattack on Colonial Pipeline that temporarily shut down fuel delivery for most of the East Coast and southern U.S., resulted in a $4.4 million ransom payment. CEO Joseph Blount later apologized for authorizing the payment, but maintained it was in the best interest of the country.
The appropriate response to a ransomware attack is situational, and an enterprise’s response largely depends on the type of data or infrastructure put at risk, but generally businesses should not pay the ransom, Jacco said.
“If they’re halting your business and you’re losing millions or billions [of dollars] every day that you can’t get your data back, obviously it’s probably cheaper to pay it than it is to not have your business operating,” he said.
Indeed, a lack of awareness on how to respond to ransomware and the length of time it takes to restore data means businesses often lose more money waiting for restoration than paying the ransom, Kaspersky concluded in its report.
Preventative measures and early detection remain the best line of defense against ransomware, but enterprises should also develop a playbook to follow in the event of an attack, Jacco said. An organization’s ability to do so effectively at scale varies with its size, nature, and IT skill set; however, companies can prioritize critical assets and limit their exposure, he added.
Businesses can also pay a ransom to make the pain go away and then choose to bolster their defenses in response, effectively using the incident as an opportunity to be less susceptible to future attacks.
“Those that choose to not pay the ransom are probably very mature in their cybersecurity capabilities and probably do have a way of recovering that information,” Jacco said.