By Bruce Sussman
Tue | Feb 18, 2020 | 10:06 AM PST

When you realize your organization's network is infected with ransomware, it can cause panic.

And this is what cybercriminals are hoping for.

Nationally known cyber attorney Shawn Tuma of the law firm Spencer Fane hears it in the voices of those calling him for help:

"Whenever you have a significant cyber incident, it is a crisis event. It's like being in a building that's on fire. You're not looking at the finer points; it's a matter of how do I get out and protect what's most valuable."

When it comes to ransomware, that can mean a heated internal debate and a knee-jerk decision about whether to pay the ransom or not.

And if you pay, will it work? Will you actually be able to recover your data? We have new data that reveals insights on this tricky question.

Research: how many companies are paying a hacker ransom?

The new numbers come from Proofpoint's State of the Phish 2020 report, which takes a deep dive into ransomware payments and the results of those payments.

First, the research reveals that more than half of the organizations hit with this type of cyberattack end up paying the cybercriminals.

"We found that more than 50% of those who had a ransomware infection decided to pay the ransom," says Gretel Egan, Security Awareness and Training Strategist for Proofpoint.

"This was something that we really wanted to dig into more this year. If they decided to pay, how successful was that payment for them?"

Data: what happens if you pay hackers ransom?

Now to the big question for your organization: If I send money to cybercriminals, will my company data really be decrypted?

Proofpoint researchers found that nearly 70% of organizations successfully got their data back following a ransomware payment; the decryption keys they received worked.

But that's where the story grows dark. Look at what happened to the other 30% of those who paid a ransom:

  • 22% paid the ransom and never got access to their data.
  • 10% paid the ransom and were then hit with a second ransom demand.
  • Of those facing a second demand, some paid it and generally regained access to their data.
  • Most in that position refused to pay again and walked away with nothing.

This data shows that paying criminals is a roll of the dice.

But with headlines such as "Baltimore, $18 Million Later" and "Doctors Quitting Due to Ransomware Attacks," it seems like a gamble that a growing number of organizations will take.

Increasingly, insurance companies are covering ransom demands because paying can be cheaper than the alternative of rebuilding from scratch.

A newer twist in ransomware can raise the likelihood that organizations will pay up. Says Egan:

"It's a kind of blackmail that some cybercriminals are going to now. Not only have they infected you, but if you decide not to pay, then they're threatening to go public with certain things from your data."

At least one organization sued a "John Doe" hacker in response to this type of attack; its proprietary data was still made public.

This is why Egan says organizations need to look at what they are doing before an attack.

"It becomes so much more important to avoid these ransomware infections entirely whenever you can. Training users to understand how to spot dangerous attachments and dangerous links and correct those behaviors is becoming more critical than ever."


What do the FBI and law enforcement say about paying hacker ransoms?

The FBI and various law enforcement agencies used to say organizations should never pay the ransom. They've spoken on this topic at SecureWorld conferences in previous years.

However, the latest U.S. law enforcement guidance on ransom payments takes a more carefully worded position:

"There are serious risks to consider before paying the ransom. USG (U.S. Government) does not encourage paying a ransom to criminal actors.

However, after systems have been compromised, whether to pay a ransom is a serious decision, requiring the evaluation of all options to protect shareholders, employees and customers.

Victims will want to evaluate the technical feasibility, timeliness, and cost of restarting systems from backup."

What are you doing to educate your end-users to help prevent an attack?

And if you are the victim of a successful cyberattack, do you have an incident response plan that is ready to execute?

Hopefully, the new findings in this article will also help your organization make decisions based on data instead of panic.
