Ransomware creates a concerning choice for companies
Ransomware often comes up as a topic of interest simply because it’s so prevalent. Every other week there’s another story about a local business or organization feeling the impacts of ransomware – such as Ramsey County feeling the pressure from a health-organization-related cyber attack.
In essence, examples like the above demonstrate there’s no organization safe from a ransomware strike, regardless of size. Like we say a lot at Bytagig, if there’s valuable information, threat actors want it. And, if you’ve read anything about ransomware here, you understand why ransomware is so dangerous. Cheap, effective, and brutal, it requires minimum expertise with a potentially huge payout. RaaS can be bought on the dark web and deployed within days, increasing the numerous attack surfaces out there.
But that isn’t the primary reason ransomware is so difficult to combat. In fact, the problem is quite philosophical, depending on the company.
To pay or not to pay
Again, ransomware’s prevalence is so common because of its effectiveness. And why is it effective? Because users are forced to pay to protect data and information. Part of that isn’t bad in the sense it protects user information, considering said data is often comprised of extremely personal info.
But, it also encourages ransomware users to continue striking at their targets. The FBI and CISA stance is to never pay a ransom, but at what cost? That’s both literal and figurative. Attackers are well aware of the attempts to refuse their terms, and as such threatens to publish the information they’ve stolen. And they do. While this ultimately removes their ace, it’s still incredibly damaging to the enterprise, its brand image, and the victims of the cyber attack. People suffer greatly because of it, creating a moral quandary.
Where does the philosophical aspect come in? Simple: to pay or not to pay?
It’s a litmus test for a business and what they’re willing to sacrifice to avoid paying a ransom. For an enterprise, say a quarter of customer data was compromised in some way, such as email, social security, and home addresses. It’s not a harrowing figure, but is that the cut-off point? In this scenario, does the company avoid paying ransom simply because the numbers aren’t high enough?
The fallout from either of these scenarios – paying demands or not – are not ideal.
Paying an attacker’s demand does protect your userbase from losing data, keeps your brand strength intact, and demonstrates you’re willing to go the distance to safeguard your staff and customer base. At the same time, however, you’ve encouraged a predatory system and have to deal with the costly fallout, both with the ransomware price and whatever damages were incurred. Additionally, regulatory penalties can apply if violations occurred, such as breaches related to HIPAA.
On the other hand. . .
Refusing to pay obviously doesn’t give into the threat actor’s demands, discourages them from continuing malicious activity, and can keep you safe from regulatory penalties. However, ransomware attackers will likely publish the data they’ve stolen and can sell that info to other users on the dark web (or that info can fall into the wrong hands).
In most cases, various organizations elect to pay the ransom because the consequence for not doing so is simply too dire.
With the continued threat climate created by COVID-19, ransomware will continue to be a mainstay concern. The best offense is an intelligent, proactive defense.
Not sure where to begin? An MSP can help. Contact Bytagig for more information on how we can help you.