Ransomware Payments Produce Unintended Consequences

The University of California at San Francisco announced recently that it paid a $1.14 million ransom to regain access to medical school data that was encrypted during a ransomware attack. The incident illustrates a disturbing trend — ransomware attacks are steadily increasing, as are the ransom amounts being demanded.

The average ransom demanded in attacks during Q1 2020 was $111,605 — triple what it had been in the final quarter of 2019, according to research by Coveware. Law enforcement officials and security analysts say the fact that organizations have become more willing to pay ransoms has only emboldened cybercriminals.

Although paying the ransom often seems like the quickest and most effective way of getting encrypted data restored, security experts have always advised against it. The FBI stresses that paying the ransom doesn’t guarantee you’ll get your data back, plus it gives the perpetrators incentive to target more victims. A new Vanson Bourne survey sponsored by Sophos seems to support that viewpoint.

The far-reaching survey of more than 5,000 IT decision-makers found the total cost of recovery almost doubles when organizations pay a ransom. Organizations that chose not to pay a ransom had average costs of more than $730,000, including business downtime, lost orders, operational costs and related expenses. The average cost rose to more than $1.4 million when organizations paid the ransom.

Backup Your Best Bet

Paying the ransom doesn’t appear to significantly increase an organization’s chances of getting its data back. The numbers suggest that a well-designed backup environment remains your best bet for recovery.

According to the Sophos study, 51 percent of all organizations suffered a ransomware attack in the previous 12 months, and 94 percent were able to get their data back. More than half (56 percent) restored their data from backups, 26 percent paid the ransom and 12 percent got their data back by other means.

Robust backup helps ensure that resources can be accessed in the event of an attack. Data should be backed up frequently to meet recovery point objectives and keep potential data loss to an acceptable level. Because restore time will often determine the true impact of a ransomware attack, recovery time objectives need to be established based on an acceptable period of downtime.

It’s important to remember, however, that ransomware attacks typically spread across the IT environment and can affect backup systems. Backups must be isolated to ensure malware can’t get to them. This can be done with an “air-gapped” environment, cloud backups or by physically storing backup data offline.

In the event of a successful attack, infected computers should be isolated as soon as possible to protect networked and shared resources. It’s also a good idea to change all network and online account passwords as soon as possible.

Easy Money

The threat of ransomware is likely to increase in the near term because these attacks are lucrative and can be launched with little expertise. Ransomware delivery kits designed for attacking large corporations are available on the dark web for about $200 — a small price to pay for the potential of earning millions in ransoms.

Ransomware-as-a-Service (RaaS) requires even less technical expertise. Like SaaS applications, RaaS exploits are available through a cloud-based subscription model. They feature simple user interfaces and require no coding. These can be acquired through the dark web for about $50 a month.

Ransomware is flourishing because it is an easy source of income for cybercriminals. While paying the ransom may seem like the easiest way to get your data back, the data suggest otherwise.  Vigilance and a well-designed backup and recovery plan are your best bet for limiting the damage from these attacks.