“Not Paying for Ransomware? Easier Said than Done”

Choosing between a rock and a hard place

Ransomware is big business, but what should you do when you’re affected? Pay or not? “That’s easier said than done.”

In early July, IT distributor Ingram Micro was hit by a ransomware attack in which the perpetrator demanded a ransom from the company. Not long after, Microsoft SharePoint became a victim, and SonicWall VPN also fell prey. This (very recent) list of ransomware attacks could go on and on.

In a ransomware attack, criminals encrypt data so that the victim no longer has access. The attackers then demand a ransom in exchange for the key to their data. Victims who see no way out and pay anyway still risk never seeing their data again, or they are attacked again later.

Moreover, SMEs in Europe are reportedly up to three times more likely to be victims of cyber extortion. Large companies usually invest heavily in cybersecurity, while SMEs still lag behind. How can you as a company arm yourself against this type of cyber attack, and does paying solve all problems?

To Pay or not to Pay?

When you’ve been hit, should you pay? Everyone advises against it, but unfortunately, it’s not black and white. The ransom demands are often not small either. The average ransom demand in 2024 has increased by twenty percent. According to the annual State of Ransomware report from Sophos, 46 percent of surveyed organizations pay ransom to recover encrypted data.

There are special teams that help companies negotiate with hackers. Sometimes not paying is not an option because your entire business revolves around the encrypted data and you can’t do without it. It is not easy to state flatly that you won’t pay when the hacker may then promptly delete your data.

“We once had to help a company that had no backups of its system. Restoring everything as before would cost two million dollars. The ransom that the hackers asked for was 1.5 million dollars. You might think the ransom is a better deal, but afterward, you have to rebuild your network and all the systems around it to close all the ports where the hacker entered. In this case, that cost another two million dollars. Then the choice is quickly made: don’t pay and start all over again,” says Chester Wisniewski, Principal Research Scientist at Sophos.

A successful attack always costs money, whether you pay or not. Therefore, get good guidance from a specialist to analyze what your costs are. Having backups is definitely an important asset to save costs, as long as they are not infected as well.

A Hacker Remains in your System

Paying doesn’t mean you’re off the hook. As Wisniewski described above, it costs a lot of money to clean up systems. Your systems remain infected and the hacker still has access through access points, RDP (Remote Desktop Protocol), VPN, firewall: everything can be infected.

Almost all ransomware attacks use a toolkit that always follows the same pattern. This helps forensic investigators look for certain patterns to make systems as clean as possible. “Getting a corporate network 100 percent clean almost never succeeds”, sighs Wisniewski. “There are too many devices and places where hackers hide.”

“Even when you rebuild everything and finish it cleanly, there’s still no certainty. Think about passwords within an Active Directory, for example. Chances are that one of the employees chooses a poor new password that closely resembles the previous one that the hacker has in their possession. You’re never 100 percent certain in the security world, unfortunately.”

A recent study shows that nearly one in three organizations that fell victim to ransomware faced another attack. In the Benelux, 40 percent of organizations that paid ransom did not get all their data back. According to the research, the healthcare sector and local governments are the most affected. These sectors are therefore receiving the necessary support. For example, Europe has made 145.5 million euros available for the cybersecurity of SMEs and the healthcare sector.

Prevention and Rapid Detection

What can you do as a company to minimize the chance of infection? IT teams usually know the problems, but SMEs in particular often fix yesterday’s vulnerabilities without looking ahead. However, 100 percent prevention is not possible, even with the best antivirus, EDR, next-gen firewall, and various network layers. That doesn’t make extra steps pointless: each one can stop or slow down a hacker, giving you time to act.

“The time when hackers and criminal organizations did purely automatic work is behind us. Today, half of their work consists of manual tasks to fish for data. As a company today, you can’t choose between prevention and detection; you need both. Any hacker can get in somewhere. It’s often crucial as a company to detect that and act quickly”, says Wisniewski.

Most attacks today take three to ten days to activate ransomware. That gives companies little time to respond before it’s too late. After two days, there is often no data loss yet, but after five days, part or maybe everything is gone. Network segmentation is also a good tactic to discourage hackers. Each layer forces the attacker to work manually again, which gives you more time to respond.

What Does the Hacker Do with your Data?

After a ransomware attack, every company wants to get back to work as quickly and safely as possible. They often don’t consider that the hacker still has their data. Even when you pay, you never know for sure if the hacker has deleted all your data from their personal storage.

Nothing prevents them from making that data available on the “dark web” to make money from it again. “I personally think that data is always valuable and that nobody really deletes it. Malicious hackers are not noble people. Just look at the criminal organizations that target hospitals, town halls, and schools. They have zero moral values”, says Wisniewski, frustrated.

Rarely Justice

Because hackers often go unpunished, it doesn’t look like ransomware will lose popularity. “It’s often a geopolitical issue”, sighs Wisniewski. “We usually know who the criminals are. We share that information with the FBI, Europol, or other competent authority. I suspect they know exactly where they are and who they are, but often they can do little.”

Moreover, ransomware has been taking on a new dimension for several years. Artificial intelligence makes it easier to carry out ransomware attacks on a large scale. For example, Kaspersky recently examined FunkSec’s ransomware. The company discovered that large parts of the code were developed with generative AI. AI has a lot in store for attackers, but defenders can use this weapon just as well.