Sunday, March 20, 2022

How To Evaluate The Short Term & Long Term Consequences Of Making A Ransomware Payment

As I wrote yesterday, things with Ukraine are starting to heat up.  And with this comes an even greater chance of far nastier Ransomware attacks than we have ever seen before.  I have written about this topic, and even discussed it with podcast guests, around one fundamental question:  Should you pay the Cyberattacking group or not?

Overall, people seem to agree with me that no, you should not pay up.  But, quite surprisingly, a recent market survey conducted by ThycoticCentrify found the following:

*83% of the respondents claimed that they had no choice but to pay the actual ransom;

*90% of them have even allocated a special budget to pay ransom in case they were hit;

*66% of the respondents say that they would much rather pay the ransom so they can move on and minimize any further losses.

This study can be found at this link:

https://thycotic.com/resources/ransomware-survey-and-report-2021/

But, even despite this, there are still compelling reasons why you should not pay a ransom to the Cyberattacker.  Here are some of them:

1) There is no guarantee:

The rationale is that if you do make a payment, then the Cyberattacker will send you the decryption keys so that you can unlock your computer and retrieve your files.  But don’t count on this ever happening, if you take into account these stats:

*Only 51% of victims were able to successfully retrieve their data;

*46% were able to access their data, but much of it was altered or corrupted;

*Another study found that only 8% of victims got all of their data back;

*50% of the respondents could only gain access to just 65% of their data.

SOURCES:

https://www.cybereason.com/press/new-cybereason-ransomware-study-reveals-true-cost-to-business

https://news.sophos.com/en-us/2021/04/27/the-state-of-ransomware-2021/

2) You could be hit again:

If you have been hit, and you pay up, the chances are even greater that you will be hit again at some other point down the road.  Look at this:

*80% of those companies polled in another survey said that they were hit again, after paying the ransom.

SOURCE:

https://www.cybereason.com/press/new-cybereason-ransomware-study-reveals-true-cost-to-business

The reason for this is simple:  The Cyberattacker now knows where your weak spots are (even after you have totally remediated them), and they know you will pay up an even higher amount the second time around.

3) It will lead to greater levels of sophistication:

At the present time, it appears that the Cyberattacker still uses basic methodologies to craft new Ransomware variants.  In other words, they are simply building a better mousetrap.  But with more money coming in from ransom payments, they now have more $$$ to actually conduct research and development in order to create much more sophisticated variants, right from scratch.  One example of this is known as “BlackCat”, and more information about it can be seen at this link:

https://unit42.paloaltonetworks.com/blackcat-ransomware/#Technical-Details

4) The “Doxing” effect:

This is when a Cyberattacker throws a double whammy at you:  Not only do you lose your files and devices, but they also threaten to expose those PII datasets to the outside world, and even to sell them on the Dark Web.  This is also technically known as a “Double Extortion” attack, and in fact, in just the last two years since 2019, there has been a 935% increase in this kind of attack.

SOURCE:

https://blog.group-ib.com/hive

But, once again, don’t count on the Cyberattacker keeping their promise.  For instance, even if you do pay up, there is still a strong likelihood that they will sell the PII datasets on the Dark Web anyway, or expose them to the public.

5) You could be held for treason:

Just recently, the United States Federal Government has enacted a series of laws which would make it actually illegal for you to even make a ransom payment.  This was brought on by the Office of Foreign Assets Control, also known as “OFAC”.  In numerous bulletins they have sent out over the course of the last year, they have made it clearly known that both individuals and businesses have been sanctioned and fined.  They have also recently invoked what is known as the Trading with the Enemy Act, also known as the “TWEA”.  This law essentially prohibits US citizens from making ransom payments to known Cyberattacker groups that can be found on the so-called Specially Designated Nationals and Blocked Persons List, also known as the “SDN”.  Also, any future ransom payments will be scrutinized heavily by the Financial Crimes Enforcement Network, also known as “FinCEN”.  This is a branch of the US Department of the Treasury.

More information about this can be seen at the following links:

https://www.darkreading.com/risk/us-treasury-warns-of-sanctions-violations-for-paying-ransomware-attackers

https://home.treasury.gov/system/files/126/ofac_ransomware_advisory.pdf

My Thoughts On This:

Well, there you have it: five key reasons why you should not pay the Cyberattacker, backed up with some hard-core statistics.  I still hold to my position that one should never pay up.  Companies are now using the logic that it is far less expensive to pay the Cyberattacker than to deal with the long-term financial impacts.  However, this is short-sighted thinking.

The bottom line is that one has to think for the long term as well, and that indicates one should never pay up at all.
