Law enforcement has encouraged enterprises to not pay ransom, but experts said the decision isn’t so simple when faced with business downtime during the ransomware recovery process.
Weeks after the NotPetya attacks, FedEx admitted its TNT unit was still relying on manual processes for operations because its ransomware recovery process wasn’t finished. More recently in its Q2 2017 earnings report, Merck described the financial impact of a cyberattack which occurred on June 27th — the day NotPetya began its spread — although the company did not specifically say what kind of attack it was.
The earnings report released on Aug. 28, 2017 said the company was still “in the process of restoring its manufacturing operations.” And, while Merck said in its report it did “not yet know the magnitude of the impact of the disruption” it did alter its financial outlook in order to reflect “the current state of the company’s manufacturing operations as well as its plans to restore those operations and potential costs associated with the remediation efforts.”
Chris Roosenraad, director of product management at Neustar Security Solutions, said the cost of the service disruption will “almost always be more than the ransom demand, if you’re being honest about the costs.”
“The time of all the IT staff, of the investigators (internal or external), of the PR team and lawyers to prepare a response in case it gets public, etc.,” Roosenraad told SearchSecurity via email. “And that is all regardless of if you pay or not, you still have to spend those costs.”
Willis McDonald, senior threat researcher at Core Security, said he understood why an organization may choose to pay ransom.
“From a business perspective it can make sense to pay the ransom and be done with the issue even if you have solid backups. The cost in man hours it takes to coordinate and transfer data from backups can easily surpass the cost of paying the ransom and distributing the decryption key or binary throughout a large organization,” McDonald told SearchSecurity. “The driving force in paying the ransom or not for most businesses really comes down to the cost in wages to recreate or restore operations and data. This is assuming that the attackers can prove that restoring the ransomed data is possible.”
Rick Holland, vice president of strategy at Digital Shadows, said ransomware recovery can be difficult even if an enterprise has an effective disaster recovery program and data backups.
“Backups are a snapshot in time, so there is the potential for data or transactions to be lost between the last backup and the time of ransomware encryption. If a revenue generating application is offline for more than a few hours, the revenue losses could be significantly higher than a ransomware payout expense,” Holland told SearchSecurity. “The release of intellectual property associated with TV shows and box office films could greatly reduce ad revenue and box office revenue. Stolen data that contains [personal health information] or [personally identifiable information] could result in fines from government agencies and class action lawsuits from those impacted by the release.”
Jason Kichen, director of cybersecurity services at Versive, said the traditional ransomware recovery process of restoring from data backups is becoming less useful.
“The latest ransomware attacks often target network connected computers, and this often includes servers and systems that serve as backup for critical business data. Off-line backups are key to ensuring business continuity, but this sort of setup is often costlier and has a higher amount of overhead,” Kichen told SearchSecurity. “The level of effort to restore from backups can be significant, and it will often be less expensive in the long run to pay the ransom and re-enable business operations as opposed to not paying the ransom and restoring systems from backup.”
Problems with paying ransom
However, despite the cost equation favoring paying the ransom, experts said this was not as straightforward a ransomware recovery plan as it may appear.
“There should be a calculation as to how likely you are to get a decrypt key if you do pay, and the PR associated with your end decision. For instance, if you do pay, and it becomes known, you may take a PR hit, and you may increase the chances you get targeted again in the future [because] you’re now known to pay ransom,” Roosenraad said. “Or you may not get hit again for a while, because you’ve paid your protection money. That depends on the attackers, and may or may not be something you can figure out before you pay the ransom.”
Weston Henry, lead security analyst at SiteLock, said paying ransom is no guarantee of data retrieval and businesses would do better to have a long-term ransomware recovery plan.
“The short-term cost of remediation and lost revenue may outweigh paying a ransom, but the long-term benefits are a secured network and reliable data restoration,” Henry told SearchSecurity. “There is no guarantee that a business will get its data back if a ransom is paid.”
Willy Leichter, vice president of marketing at Virsec, said paying a ransom is never the solution.
“Even if you pay a ransom, you have no guarantees that your data will be returned, and that the infiltration isn’t still active in your networks. In fact, you’re tagging yourself as a willing target who will inevitably be hit again,” Leichter told SearchSecurity. “A robust system of backups is by far the best defense against a ransom, but it doesn’t insulate you from potential lawsuits or compliance violations if data is lost. If your networks have been compromised, you have risk.”
Holland said paying ransom could also invalidate insurance policies.
“In a climate where insurance underwriters are adding more rigor to their cyber policies and looking for opportunities to not pay out on a policy, capitulating to a ransom demand could have significant implications,” Holland said. “Additionally, if the word comes out that a business has given in and paid out a ransomware attempt, then it is likely that more attempts will be made in the future.”