Ransomware: To pay or not to pay? - Part 1
The average ransomware payment in 2021 increased 82% compared to 2020 and there are an average of seven attacks every hour in the U.S.
Editor’s Note: This is the first part of a two-part series examining some of the issues businesses should consider before paying a ransomware demand. Part 2 will appear tomorrow.
Ransomware is among the most offensive and damaging types of cyberattacks an organization can experience. The bad actors behind these attacks use malware to access systems and encrypt the data it encounters, crippling organizations and putting personal customer data at risk. Adding insult to injury, the attackers demand payment of a ransom before they will release the data back into the hands of the organization.
According to a recent Trend Micro report, 84% of U.S. organizations experienced either phishing or ransomware attacks in the last year. (Phishing is the primary method used to initiate a ransomware attack.) Unit 42 security consulting group says the average ransomware payment was $570,000, an 82% increase over 2020 and it is estimated there are seven ransomware attacks every hour in the U.S., equating to 65,000 attacks in the past year alone, according to Recorded Future, a Boston-based cybersecurity company.
Insurance companies, claims managers, forensic accountants, cybersecurity firms and attorneys are among the first responders to a ransomware attack, helping to assess the potential losses and to assist the victim organization in its recovery. One of the first questions a victim organization will ask is, “Should we pay the ransom?”
Recognize that a ransomware situation is not unlike any other type of negotiation. With every negotiation, you must consider what each party would consider a win or a loss and what they’re going to walk away with.
When deciding to pay a ransom there are some key questions to answer:
What has been compromised?
Facing a ransomware attack is not the way to start any day. In many cases, the first employee signing on for the day is greeted with a screen delivering a stark warning of a loss of access to data and possibly a threat of exposure of that data. Depending on the employee’s position with the organization, a flurry of questions will emerge. What is going on? How will I complete that project due today? Is this just my computer or does it impact other systems? Who should I call? The answer to one question, however, is usually clear at this point. There has been a compromise.
Relying on the strength of its incident response plan and team, the organization now must answer the more important question – What has been compromised?
The answer to this question will look different for organizations based on the industry and type of business. A compromise to the advance control systems of a manufacturer could have a devastating impact on production schedules and contractual obligations, and potentially a significant rippling supply chain impact. The inability to access electronic medical records (EMR) and other systems can cause significant risks to patient care, including putting lives at risk. In 2021, many living on the East Coast of the U.S. experienced a major disruption when the fuel supply was adversely impacted resulting from a ransomware attack on Colonial Pipeline’s systems. A public entity, such as a school district, might have more pressing reservations and limitations weighing on the decision of whether to use public funds to pay the ransom.
In these situations, the organization needs to make quick decisions, not the least of which is measuring the impact of the compromise on its business against the price demanded for a decryption code. Factored into that decision, of course, is the risk that the code simply does not work at all or is sufficient enough to resolve the business-critical compromise.
Preparedness for such compromises may help ease the decision and the decision-making process, but understanding the scope of the compromise will factor greatly into the decision to pay the ransom.
How much will the downtime cost us?
How long will the business be impacted? What will the downtime cost be in terms of lost income or sales interruptions? What is the data recovery cost without the ransom? These are the questions racing through the minds of decision-makers as they recover from a ransomware attack.
With ransomware attacks in manufacturing on the rise, companies need to identify what is at stake. If operations stop, what is the resulting financial impact on a company’s net income? Will there be reputational damage resulting in future financial losses? Will customers find alternate suppliers, resulting in canceled orders due to an inability to fulfill obligations? When operations resume, does the manufacturer still have customers willing to endure the interruption caused by the ransomware attack?
A forensic accountant with experience in measuring business interruption losses and familiarity with insurance policy coverages can assist in identifying potential costs by utilizing a company’s available financial data to quantify the impact on sales and the resulting loss of income. Along with identifying insurance policy coverages and limits, the forensic accountant also can provide insight concerning the type of support necessary to seek reimbursement from the insurance carrier.
Several factors are involved in the decision of whether or not to pay the ransom. How critical is the data being held for ransom to operations and is it necessary to recreate all of it? Is the encrypted data critical to day-to-day operations which would result in significant costs to recreate, such as a healthcare facility’s patient data? Does the victim of the ransomware attack maintain data backups that can be used to restore data efficiently? Each organization will have to consider these questions relative to its unique situation.
Was individually identifiable personal information impacted?
Data breaches can trigger obligations under federal and state privacy laws, as well as contractual and ethical obligations. Those obligations include notifying affected persons and federal and state agencies, as well as providing credit monitoring and identity theft resolution services. Understanding the nature of the compromised data is central to understanding whether these obligations will apply. If, for example, the malicious encryption reaches only files containing template forms and technical reports, the owner of those files likely will not have a breach notification obligation under federal and state laws.
Of course, the inability to recover those materials could lead to a significant interruption in the business. In those cases, the business might decide to pay the ransom, considering several factors such as the amount of the demand and the impact on the business.
Traditionally, ransomware attacks encrypted files and demanded a ransom payment in return for a decryption code. In a disturbing trend, attackers couple encryption with exfiltration of data, seeking ransom for the “promise” of nondisclosure as well.
Again, assuming exfiltration occurred or is reasonably likely, the nature of the exfiltrated data will affect the payment decision, along with the nature of the business and other factors. A professional services firm may be far more motivated to do what it can to prevent the disclosure of sensitive client communications, as compared to a seller of widgets trying to prevent the disclosure of product descriptions and marketing materials. That seller might think differently if the data set included customer transaction information.
Part 2 of this series will examine the issues surrounding regulatory impacts of a breach, what insurance will or won’t cover and the public relations issues to consider around a cybersecurity event.
Danielle M. Gardiner, CPA, CFF, (dgardiner@lowersforensics.com) is senior vice president of Lowers Forensics International. Joseph Lazzarotti (joseph.lazzarotti@jacksonlewis.com) is an attorney at law with Jackson Lewis P.C. Special thanks to Shiraz Saeed (ssaeed@archinsurance.com), vice president – cyber risk product leader at Arch Insurance Group for his contributions.
Disclaimer: This article should be considered for general information purposes only, representing the personal views of the authors and contributors within, and do not reflect the views of Arch Insurance Group.
Related: