Groups that are hit by a ransomware attack may be tempted to pay the ransom to reduce downtime and save on recovery costs, but a survey conducted by Sophos suggests organizations that pay the ransom actually end up spending a lot more than groups who can rescue files from well-established backups.
The FBI does not advise meeting a ransom demand: giving hackers money allows them to conduct more attacks, could see a victim targeted further, and there is no guarantee that valid keys will be handed over to decrypt data. The higher cost can now be added to the list of reasons not to pay a hacking group's ransom demand.
The survey was carried out by market research firm Vanson Bourne between January and February 2020 with around 5,000 IT decision makers at firms with between 100 and 5,000 employees across 26 countries, including the United States, Canada, and the United Kingdom.
51% of the people questioned said they had experienced a ransomware attack in the previous year, and 73% of those said the attack resulted in the encryption of data. 26% of attacked groups paid the ransom and 73% did not. 56% of firms said they were able to rescue their files from backups. Out of the firms that paid the ransom, 95% said they were able to rescue their data, while 1% said they were unable to rescue their data.
84% of groups said they had a cyber insurance policy, but only 64% said that policy covered ransomware attacks. Out of the 64% that did have insurance cover for ransomware attacks, 94% said the ransom was paid by their insurance firm.
Victims of ransomware attacks were asked to supply an estimated cost of the attack, including downtime, staff costs, equipment costs, lost business, and other associated expenses. The average cost in cases where the ransom was not paid was $732,520, whereas the cost at groups that paid the ransom was around double that amount, at $1,448,458.
The ransom payment, which is often large, must be covered, and many of the expenses linked with an attack have to be met even if the ransom is paid. It may seem like an easy option to pay the ransom to recover more quickly, but the reality is that recovery may not be shortened considerably even if the ransom demand is met. In most cases a separate decryption key is required for each endpoint, so recovery will still be an incredibly time-consuming process and may not be simple. It is also not unusual for data to be corrupted during encryption and decryption.
The take-home message is to ensure that you have the option of rescuing files from backups, which means making a number of different backups with one copy stored on an air-gapped device. Backups must also be audited to ensure data hasn't been corrupted and file recovery is possible. You should then respect the FBI's recommendations and not pay the ransom unless you have no other option.