Ransomware has been a plague on businesses small and large. An estimated 61% of organizations worldwide experienced a damaging ransomware incident in 2020, a 20% increase over the same period in 2019, according to security specialists HMH Consultants. A successful ransomware attack is inevitably an expensive, disruptive disaster. Ransomware cyber insurance claims grew by 260% in 2020. This flood of ransomware has led to a wave of questions from businesses wondering what to do to stay safe and what to do if they get hit – including whether they should pay the ransom.
This huge surge in cybercrime has helped produce a thriving dark web economy for stolen data. And where there’s demand, there will be cybercriminals ready to supply eager buyers. The most common way for them to do that is through ransomware. An organization that falls prey to ransomware doesn’t just lose its data. Those unfortunate organizations also lose an average of six working days to system downtime, with 37% saying downtime lasted one week or more after that incident. Not to mention the exorbitant costs of investigation, remediation, and recovery; it’s no wonder that 60% of companies that are hit by a cyberattack go out of business.
One solution that cybercriminals eagerly present to businesses they’ve attacked is to pay the ransom. An estimated 52% of organizations choose to negotiate with the extortionists or simply pay the ransom that is demanded. Paying off a ransomware demand isn’t cheap; the average ransomware payment in the third quarter of 2020 was $233,817, up 31% from the second quarter of last year. In some ransomware variants, like the current weapon of choice double extortion ransomware, victims can be on the hook for two payments – or even three if they’re ensnared by the new triple extortion variety.
If a company doesn’t pay the ransom, the cybercriminals will still profit from selling the victim’s data. If a company does pay the ransom, their money gets disseminated all over the dark web. Ransoms don’t just go to one person or organization – even an ancillary participant in a ransomware attack will profit. Ransomware practitioners have a high chance of walking away with substantial cash, and everyone gets paid. Major gangs often run their scams through affiliates, so the actual attacker is very likely an independent contractor of sorts. They’ll be responsible for running everything about the operation from planning to execution. The affiliate may be a smaller gang or just a group of freelancers getting together for one job. The boss gang may supply the tech, or the affiliate may be bringing their own. Frequently, the attackers will hire freelancers through dark web forums and gather resources from dark web data markets and dumps.
If the operation is a success, the attackers will then notify the victims that they’ve got their data. Many gangs maintain their own dark websites where they announce their wins by supplying a sample of the stolen data and the ransom demand. Some cybercrime gangs are regularly in contact with industry journalists. The larger gangs maintain their own publicity operations, contacting industry publications directly with evidence and press releases. The REvil organization, a major Russia-based gang, has its own website to announce successful hits and a communications staff that handles press releases, announcements, and interviews with journalists just like any other business.
For the attackers affiliated with the DarkSide ransomware gang that just conducted a successful attack against Colonial Pipeline, that payday was an estimated $5 million. But they were victims of their own success. Pulling off that operation drew intense scrutiny from law enforcement and terrorism officials, ultimately driving the gang to announce that they were shutting down.
This is not uncommon. Ransomware gangs frequently break up when the heat is on. The gang will pay out its funds to its stakeholders who freelance until the coast is clear. Before the gang went dark, DarkSide had received $90 million in bitcoin ransom payments, according to blockchain analysts at Elliptic. Of the total haul, experts estimate that $15.5 million went to DarkSide’s developer while $74.7 million went to its affiliates. They further estimated that the average ransomware payment in a DarkSide operation was about $1.9 million.
How well does paying off the gang work out? Not very well at all. Just like any other extortion racket, the results of paying the ransom are wildly variable, but none of them are good. An estimated 66% of organizations that pay the ransom can recover their data at least in part. Another 34% of companies that pay the ransom never see their data again. Paying the ransom to cybercriminals carries no guarantees that your data won’t be copied, or they won’t leave a backdoor into your systems that allows them to return at their leisure. Payment is also unlikely to be covered by cyber-insurance. While in the past insurers may have covered it, many are saying no these days.
It’s also illegal. In October 2020, The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) announced that paying ransom to cybercriminals is unlawful. In an official advisory, the agency stated that organizations that facilitate ransomware payments to hackers on behalf of ransomware victims, including financial institutions, cyber insurance firms and companies involved in digital forensics and incident response, are violating OFAC regulations. Also included in the advisory, OFAC said that they may impose civil penalties for sanctions violations if a person or organization is paying a ransom to a gang located in a country that the US government has sanctioned.
Even before OFAC’s ruling, experts across the cybersecurity spectrum agreed: never pay cybercriminals the ransom. Instead, use a smart, strong defensive strategy to avoid being a victim of ransomware.
HMH can help you provide essential protection for your systems and data from intrusion by cybercriminals with a stolen or phished password, including single sign-on (SSO), multifactor authentication (MFA), automated password resets and simple remote management.
To learn more about how the HMH Consultants digital risk protection platform simply call or arrange an interview and learn how they can help you to secure your business and your customers against ransomware threats.