
To Pay Up or Not Pay Up

Investigating the repercussions of ransomware attacks

The number of ransomware attacks, and the frequency with which institutions pay those ransoms, has increased over the past years. Unfortunately, this hasn’t correlated with those institutions getting their data or systems back. So, should organizations stop paying ransoms?

What is ransomware?

Ransomware is a type of malware that encrypts a victim organization’s or individual’s data. Hackers then demand a monetary ransom in exchange for restoring the victim’s access to their systems and data.

According to the 2021 Verizon Data Breach Investigations Report (DBIR), ransomware accounts for about 10% of the breaches studied. While this might not sound like a high percentage, the sheer number of payments made rose over 300% from 2019 to 2020. Based on that trajectory, the number of payments will likely increase similarly in 2021.

The issue is worsened by the availability and popularity of cryptocurrencies, which give threat actors more ways to stay anonymous.

Who is getting attacked, and why?

Research has shown that every sector, from government to health care, is threatened. Threat actors aren’t always after a financial payout from a ransomware attack: they might be after the data itself, the demise of an organization’s reputation, or some other nefarious goal.

When a company is attacked, banks are tempted to pay up as soon as the negotiation terms are clear. Colonial Pipeline and JBS Meatpacking are two recent victims of ransomware attacks, and both paid massive ransoms in the billions of dollars.

The pressure to ‘pay up’ is intense: a compromised system can result in financial loss and negative customer or user impact, and it can be a major drain on time and internal resources.

The thing about cybercriminals…

When dealing with cybercriminals, you don’t want your money resting on trust, as Mike Wilson notes in his American Banker article. Nor does payment buy any other security assurance: hackers could easily leave behind other malware, making it easier for them to attack again in the future.

While government intervention in the digital threat landscape is increasing, there is no quick fix for the thousands of attacks that happen every week. Even if paying off a ransomware attack became illegal, it would be nearly impossible for a governing body to chase down every victim or cybercriminal. Banks can’t rely on the government to help them recoup costs.

Pay up or not?

There is no single answer to what action financial service firms should take if they become victims of a ransomware attack. There are too many factors (immediacy, the size of the organization, the urgency of restoring access to the system), but with that said, one path forward is clear.

Investing in preventative measures to defend against cyber-attacks is the most solid advice that organizations can follow.

Like what?

We know that compromised credentials are one of the largest attack vectors. People are bad at contemporary password hygiene, especially when it comes to password reuse. The chain reaction of weak and reused passwords means that users’ credentials can be stolen, bought and sold on the dark web, and used to break in again.

Therefore, it’s crucial that institutions take compromised credentials seriously and adopt cybersecurity measures that help them defend against this vector. Companies should consider employing multi-factor authentication (MFA) as well as a credential screening service.

It’s not realistic to aim for a cultural shift around personal password use, so requiring employees to use password managers and screening credentials on an ongoing basis can be a solid start to a defensive strategy.
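To make the credential screening recommendation concrete, here is an added example (not from the original article or any particular vendor’s service) of what a screening check does at password set or reset time. It assumes a constructed breach corpus of SHA-1 digests, a k-anonymity style range lookup in which the client sends only the first five hex characters of the hash so the password never leaves the client, and a per-account history of previous password digests to catch reuse. The MFA half of the recommendation is a separate control and is not shown.

```python
import hashlib

# Constructed sample breach corpus: SHA-1 digests of passwords "seen in a breach".
# A real credential screening service holds hundreds of millions of these;
# this list is an assumption made up for the example.
_CONSTRUCTED_LEAKS = ["password", "123456", "qwerty", "Summer2021!"]
BREACH_CORPUS = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_LEAKS}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form breach corpora are commonly published in."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_query(prefix: str, corpus=BREACH_CORPUS) -> list[str]:
    """Simulated server side of a k-anonymity range lookup.

    The client sends only the first 5 hex characters of the hash and receives
    every suffix in the corpus that shares that prefix. The full hash, and
    therefore the password, never leaves the client.
    """
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return sorted(h[5:] for h in corpus if h.startswith(prefix))


def is_breached(password: str, corpus=BREACH_CORPUS) -> bool:
    """Client side: hash locally, query by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return digest[5:] in range_query(digest[:5], corpus)


def screen_password(candidate: str, history: list[str], corpus=BREACH_CORPUS) -> dict:
    """Decide whether a new password is acceptable at set/reset time.

    `history` holds SHA-1 digests of the account's previous passwords
    (an assumption for this example; a real directory would use its own
    hash format and compare in that format).
    """
    reasons = []
    if is_breached(candidate, corpus):
        reasons.append("appears in breach corpus")
    if sha1_hex(candidate) in history:
        reasons.append("reused from this account's history")
    return {"allow": not reasons, "reasons": reasons}


if __name__ == "__main__":
    # Constructed account history: the user previously used "Tr0ub4dor&3".
    previous = [sha1_hex("Tr0ub4dor&3")]
    for attempt in ["qwerty", "Tr0ub4dor&3", "a long unique passphrase 42"]:
        print(attempt, "->", screen_password(attempt, previous))
```

Running the same check on an ongoing basis, not just at password change, matters because a password that was clean when set can appear in a breach dump later; the range query is cheap enough to repeat at each login.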

Banks and other financial institutions should take note of the increase in ransomware attacks and build system recovery into their cybersecurity plans. Deterring hackers will be a much more effective strategy than simply paying up when an attack inevitably occurs.