You suffer a ransomware attack and decide to pay the ransom to regain access to your data, but that may not be the end of it. Chances are that after paying you will be attacked again and will be issued with a further ransom demand.
How frequently do these double attacks occur? According to a recent report by Cybereason, 80% of global organizations that paid a ransom experienced a further attack, often by the same threat group that was behind the first one. The report – Ransomware: The True Cost to Business – is based on a survey of 1,263 cybersecurity professionals in the United States, United Kingdom, France, Germany, Spain, Singapore, and the UAE.
Of the organizations that had experienced a ransomware attack and paid the ransom, 46% experienced a follow-on attack where they believed the same threat actor was responsible, with more than half of UK firms reporting a second attack they believed was conducted by the same group.
This is one of the risks of paying a cybercriminal group – there is no guarantee that one extortion attempt will be all they are interested in. An organization that fails to fix the vulnerability that was exploited, or fails to identify and remove any malware or backdoors installed by the attackers, is likely to be extorted a second time. There is also the risk that after paying, the attackers will not make good on their promise to provide decryption keys.
Naturally, if a ransomware operation earns a reputation for not providing valid keys, fewer organizations will be likely to pay up. Even so, after paying a ransom it may not be possible to recover all encrypted data. 46% of respondents who said they paid the ransom said they had been given keys to unlock encrypted files, but some or all of the data had been corrupted.
The take-home message is clear: in the event of an attack, do not pay. To take that approach, however, it is essential to have backups that can be used to recover files. That means implementing backup processes that perform daily backups, storing those backups on isolated devices to prevent them from also being encrypted, and testing the backups to ensure data recovery is possible.
The consequences of these attacks can be incredibly serious. It may not be possible for many businesses to pay the extortionate ransom demands. It is no surprise therefore that many businesses fail after a ransomware attack. According to the survey, 25% of businesses had to permanently close after experiencing an attack, 29% said they had to cut back and jobs were lost, 66% said they suffered significant financial losses, 53% suffered serious brand damage, and 32% lost business leaders, either through dismissal or resignations.
“Paying a ransom demand does not guarantee a successful recovery, does not prevent the attackers from hitting the victim organization again, and in the end only exacerbates the problem by encouraging more attacks,” suggested Cybereason CEO Lior Div. “Getting in front of the threat by adopting a prevention-first strategy for early detection will allow organizations to stop disruptive ransomware before they can hurt the business.”