In December 2017, a county government employee fell for a phishing email scam, which resulted in 48 servers being infected with the LockCrypt ransomware. The attack paralyzed many crucial services in Mecklenburg County, North Carolina, because the county’s tax, finance, deed, social services, and other systems were no longer available.

The cybercriminals were asking for a ransom of $23,000 (USD). Although county government officials were in contact with the hackers, they were still undecided about whether to pay the ransom when the deadline arrived.

What would you do if your business found itself in this situation? It can be a hard question to answer.

Rationale for Not Paying

Mecklenburg County ultimately decided not to pay the ransom, which is what most security experts recommend. There are several reasons for this recommendation. For starters, if you pay the initial ransom, hackers might ask for more money. That’s what happened to the Kansas Heart Hospital in Wichita. It paid the ransom, but the cybercriminals only partially restored the hospital’s files and then demanded more money to decrypt the rest.

Even worse, you might pay the ransom but never get your files back. Only 47% of victims who pay the ransom get their files back, according to Symantec’s “2017 Internet Security Threat Report”. Plus, some hackers sophisticated ransomware variants are designed to delete rather than encrypt victims’ files. So, even if you pay the ransom, your files are history. There is no longer honor among thieves, according to two Talos researchers who discovered one of these variants, which they dubbed Ranscam.

Paying the ransom can also have long-term implications for your business. It might lead to new cyberattacks against your company in the future since the cybercriminals know you will pay to get your data back. They will be banking on the chance that your systems or employees are still vulnerable. On a broader scale, the more organizations pay up, the more hackers will target them.

Rationale for Paying

Although idealistically it is best to not pay the ransom, many organizations do. Reasons why they give into hackers’ demands vary.

Sometimes, it is easier or quicker to pay the ransom than reconstruct files from backups. This was the reason why the Hollywood Presbyterian Medical Center in Los Angeles, California, paid cybercriminals around $17,000 to get its patient records back. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” according to Allen Stefanek, the center’s president and CEO.

Similarly, organizations might find that it is cheaper to pay off the hackers than reconstruct their data from backups. Typically, ransom demands are much less than those encountered by Mecklenburg County and Hollywood Presbyterian Medical Center. In 2017, most ransom demands ranged from $500 to $2,000 for businesses, according to Statista. Plus, the ransom amount can often be negotiated down. In one experiment, F-Secure researchers found that three out of four ransomware criminal gangs were willing to negotiate their ransom fees, reducing them an average of 29%. There is even one strain of ransomware named Scarab that does not specify a ransomware amount. Instead, victims must email the cybercriminals in order to negotiate a price for recovering their files, according to Forcepoint Security Labs.

Not having usable backups of crucial data is another reason why some organizations give into cybercriminals’ demands. This is why an attorney in Tulsa, Oklahoma paid $500 to get his firm’s files back. Similarly, Bingham County officials in Idaho gave hackers $3,500 to get back the data stored on three servers. The ransomware attack had actually paralyzed all 28 of the county’s servers, which the hackers initially ransomed for $33,000. The county had recoverable backups for 25 of those servers, so it negotiated the price down to $3,500 to get the decryption keys needed for the three servers without usable backups. (The backups for two of the servers turned out to be corrupt, and one server had not been backed up at all.)

Some organizations might decide to secretly pay the ransom to minimize the chance of word getting out that they fell victim to a ransomware attack. Hundreds of ransomware attacks in a variety of industries have been kept secret, according to Robert Shaker, the chief technology officer of Incident Response Services for Symantec’s Cyber Security Group.

What Would You Do?

Whether or not to pay a ransom for your data is a hard decision that hopefully you will never have to make. No matter your decision, a ransomware attack would likely cause other problems for your business. A 2017 Malwarebytes study found that 22% of the small and midsized organizations that experienced a ransomware attack had to cease business operations immediately, resulting in downtime and lost revenue. Thus, it is important to do everything you can to protect your business from ransomware. We can help you develop an effective strategy.

Photo by quinn.anya