These days, ransomware has become a full-fledged business. And with companies like Colonial Pipeline and JBS USA Holdings opting to pay up, it’s proving to be quite the profitable business, worth billions of dollars in some cases. But is paying the ransom the right thing to do when you’ve been attacked? Do you have a choice?
The answer depends on who’s launching the attack, what they’re asking for, and how effective your data protection and recovery strategies are.
What Happens If You Don’t Pay the Ransom?
You’ve probably heard the recent debate about government bans on ransomware payments. Some countries are even considering making it illegal to pay ransom to hackers. This appears helpful on the surface—any deterrent is a good thing—but it’s not quite that simple.
In the case of the recent Kaseya ransomware attack, delaying a ransom payment might inspire hackers to lower the ransom. But that doesn’t mean costs won’t pile up in other ways. So what can happen if you decide not to pay a ransom?
Hackers Could Post Your Sensitive Data Online
Hackers will often exfiltrate valuable data during an attack. Then, they can threaten to post it online if you don’t pay up. These types of extortion-style attacks, where data isn’t encrypted but a ransom is still demanded, have risen from 3% to 7%.¹ Hackers know what types of data are most valuable (e.g., patient records, student records, and information about active law enforcement cases), and they know where to post it to do the most damage.
In these situations, a company’s hands may be tied. Some attackers even threaten to be PR liaisons to the press—either informing the media of your breach or denying it occurred if you pay up. This move means it’s more important than ever to be proactive with data security.
You want to make attacking your organization as expensive, time-consuming, and difficult as possible for hackers. Your house should be harder to break into than your neighbors’. (We’ll provide a few ways to do this below.)
You Could Face Prolonged Downtime—And the Costs That Come with It
If hackers take out your organization’s Active Directory, DNS, or other core services, or lock you out of your infrastructure entirely, you’re at their mercy without available recovery points. With this kind of attack, your employees can’t send emails, you can’t use a VPN to access systems, and you can’t log in. If you’re locked out of your email, the IT team would need to pick up the phone and make the call to sound the alarm—then go in person to perform a manual restore.
If this goes on for more than 15 minutes—let alone days—the problems start to stack up.
Data from ESG research shared during Pure//Accelerate® Digital 2021.
We saw what happened when Colonial Pipeline was down: massive supply chain disruptions that sent shock waves across the nation. But even internally, an outage can be disastrous. For the City of New Orleans, an attempted hack meant employees were locked out and couldn’t perform their work.
To mitigate this, organizations need available recovery points to get back up and running quickly. A plan to address this type of attack—say, with Rapid Restore and SafeMode™ snapshots—can build recoverability into your data security strategy.
The Cost to Recover Could Be More than the Ransom
If you don’t pay up, it will be up to you to get systems back online and recover data from whatever backup and restore solutions you have. In some cases, without the right backup and recovery solution, this process can cost more than paying the ransom. This often boils down to the speed of recovery and the complications that come with it.
When the city of Baltimore followed the FBI’s advice and refused to pay the $76K ransom, they were left dealing with the consequences of having zero access to their data.² The city had to spend $10 million on recovery efforts, not including the $8M in lost revenue from a two-week outage of bill payment systems and real estate transactions.
What Happens If You Do Pay the Ransom?
So, let’s say you decide to pay. In a perfect world, your data would be restored in a blink, the hackers would go on their way, and you’d be back in business. But that’s rarely the case—and there are sometimes even implications if you do.
Paying the Ransom Won’t Guarantee You Get Your Data Back
It’s never a good idea to take a criminal at their word—especially when they’ve already got their end of the deal. On average, organizations that paid the ransom only had 65% of their encrypted data restored.¹ For another 29%, more than half of their stolen data remains encrypted. This means it’s extremely unlikely you’ll get all of your data back, even if you pay.
Hackers’ Solutions May Be Too Slow
Even if you do pay up and get your data back—via a decryption key or tool provided by hackers, as in the Colonial Pipeline case—it could still take days. Sometimes these tools are slow. Other times, your forensics or recovery solutions may also take days or weeks once you’re back in.
To address this concern with speed and efficiency, Pure Storage® has alliances with top backup and restore partners such as Rubrik, Veeam, and Cohesity.
It Could Encourage Them to Attack You Again
There’s another problem with paying the ransom. Authorities say paying the ransom can indicate vulnerabilities, making you an easy target. This might encourage hackers to attack you again, at a higher price—some groups even add names to a list of targets willing to pay.
If you haven’t upgraded your backup and recovery solutions by then—or in the event they demand a second payment—you’ll be in the same predicament.³
In an article on DataBreachToday, CTO of BreachQuest Jake Williams said “If Kaseya does pay, it will definitely set a precedent that will likely spur more attacks like this, hoping the other vendors follow suit.”
Minimizing the Cost and Impact of a Ransomware Attack
The price of ransomware almost always amounts to more than the cost of the ransom. Why? Whether you choose to pay or not, you could incur additional costs such as shareholder lawsuits, regulatory compliance suits, increased insurance premiums, loss of intellectual property, and other investigations.
I mentioned above that you want to make attacking you as costly and time-consuming as possible for hackers. The more it costs to attack you—in time and resources—the less attractive you are as a target. A few ways to do this include:
- Maintaining good data hygiene
- Event logging and analytics layers
- Application scanning and encryption key management
- Tabletop planning
- Testing recoverability
- End-user education to minimize the likelihood that compromised passwords and phishing scams create inroads for an attack
- A tiered backup architecture with data protection solutions that offer fast, reliable access to huge amounts of your data
- Virtual air gaps that keep mission-critical backups virtually (and physically) separate from production data
- Multifactor-authenticated, immutable snapshots. Ransomware attackers are increasingly going after your backups to really put you in a bind. Having multifactor-authenticated snapshots that can’t be edited or deleted, even by a rogue admin, takes this bit of leverage off the table.
Prevention is certainly critical in combating ransomware—and you should deploy every tool and technology at your disposal to increase the cost of an attack. But if you’re worth enough, they will come after you—and prevention is nothing without a recovery solution for the “after” of an attack. There’s one thing that matters most in the after: recovery time. And it’s how Pure Storage solutions can help.