Industry Trends

Ransomware Payments: What Should You Do?

By Aamir Lakhani | May 31, 2022

Ransomware is one of the top threats facing organizations and individuals today. In fact, according to a recent survey, 85% of organizations are more worried about a ransomware attack than any other cyber threat. By simply clicking a link or downloading a malicious file, anyone can unwittingly initiate a ransomware attack. And while often someone may feel desperate and want to pay the ransom or a ransomware settlement to regain access to critical data, it is a decision that should be considered very carefully.

Just like as a child, when kids steal a bookbag and demand lunch money to get it back, cybercriminals are doing the same thing to organizations after successfully deploying ransomware and taking sensitive data hostage by encrypting it. Unfortunately, in many cases doing more than just demanding a ransom.

Obviously, the stakes are higher for an organization that’s attacked. An organization’s survival may depend on getting the encryption key from the cybercriminals to decrypt and get back their stolen data. But the dilemmas seem surprisingly similar for both sets of victims.

Should You Pay Ransomware?

The question of whether you should pay the ransom in either case comes with the fear that you won’t get your bookbag back or the encryption key after paying. It is hard to put any faith in the goodwill of bullies or cybercriminals. Instead of returning your stuff (information) you likely want to keep private, they could simply empty your “bookbag” and all of its contents, including sensitive data, on the internet for all to access and use.

Or they could give your data to another bully or criminal to do what they will with it. In this instance, paying doesn’t solve your problem and makes you considerably poorer. In other words, paying the ransom could mean your organization has no “bookbag” and no “money for lunch,. And perhaps, worst of all, you now have a reputation as an easy mark and a “payer” that can be easily and frequently bullied.

The Problems Paying Ransom Creates

An organization doesn’t want to have a reputation as a payer in the cybercriminal underworld, because that could be the equivalent of painting a target on their back.

While I appreciate that some organizations may have no option but to pay ransomware attackers, I recommend not doing so unless you absolutely must take the risk because if you don’t your business is guaranteed to fail. In addition to becoming a repeat victim, paying the ransom emboldens the bad guys and funds more of their future attacks on you and others.

Is it Illegal to Pay Ransomware?

Victims of ransomware attacks who feel compelled to pay cybercriminals often wonder if it is illegal to do so. There is no law against paying ransom when an organization’s data and/or systems are taken hostage. However, it is strongly discouraged by U.S. government authorities and those of us in the cybersecurity industry to pay cyber ransoms or succumb to extortion demands.

Victims of ransomware are warned against paying ransom settlements by such organizations as CISA, NCSC, the FBI, and HHS. Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities that could potentially be illegal according to a U.S. Department of Treasury’s Office of Foreign Assets Control (OFAC) advisory.

Law Enforcement and Ransomware Attacks

Unfortunately, legal authorities sometimes have massive workloads and priorities, which means their resources may not be assigned in a manner that is needed for your organization. Mission goals may also not entirely align in all cases when enforcement might be prioritizing an investigation and your organization may prioritize a return to business processes and tasks. Regardless, law enforcement can be a great asset, but they should be part of your organization’s incident response plan not in lieu of one, which has been considered by your executive leaders, IT and InfoSec staff, and legal teams, among others. 

Looking for help after an attack is a key problem and the definition of “reactive.” You never to want to get to the point where you must pay the ransom. The way to avoid ransomware attacks is having a good defense.

How to Prevent Ransomware Attacks

The best practices for organizations and individuals to protect themselves from ransomware attacks is to incorporate these actions into your cyber defense posture:

  • Take cybersecurity training seriously and encourage employees to do so as well
  • Avoid clicking on suspicious links and practice good cyber awareness
  • Download only from trusted sources
  • Scan emails for malware
  • Employ firewalls and endpoint security products that are integrated with actionable threat intelligence
  • Back up important data
  • Use a VPN when on public Wi-Fi
  • Have an incident response plan in place

You can read more details about proactive strategies for protecting against ransomware online.

What to Do if You Are the Victim of a Ransomware Attack

Organizations can limit the ransomware’s impact by taking quick action. First you must isolate the ransomware. This can prevent horizonal attacks, where the ransomware spreads from one device to another via network connections.

To isolate the ransomware, you must shut down the infected system. Then disconnect anything that links the infected machine to the network or other devices on the network. By "pulling the plug" on the system, you can stop the further spread of the ransomware. This is when prior implementation of segmentation is really helpful to make this process a lot easier and effective.

Next, you need to figure out what type of malware has infected your system with ransomware. It’s typically not just a ransomware attack. Ransomware is usually the last part of a bigger attack. Understanding what kind of malware is involved can assist the security incident response team crafting a solution or, in some cases, use a decryption key that is already available for certain malware.

Recovering from a Ransomware Attack

To successfully recover data, your organization needs to have had a data recovery program set up prior to an attack. If backups are scheduled for several times a day, a ransomware  attack might only cost your organization a few hours.

Whether you use cloud services or on-premises hardware to make copies of your data, it doesn’t matter. You just need to be able to access the backup files from an unaffected device. 

Learn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard Security Subscriptions and Services portfolio.

Read more on threat research and protection from the FortiGuard Labs team: - FortiGuard Labs Perspectives