To Pay or Not to Pay: Why Meeting Ransomware Demands Can Be The Best Option
A recent report shows that 83% of ransomware attack victims paid the ransom. The survey respondents - 192 US-based IT 'decision-makers' - weren't a large participant pool, but the figure is high nonetheless. Even if more participants were used and this percentage dropped by e.g. 10%, the number would still be around the 75% mark; quite a sizeable total.
When it comes to the $$ amounts being paid to hackers, we're not talking small biccies, either, with payouts regularly reaching well into the millions. Two of the biggest recent 'reported' payouts include GPS and fitness wearable giant, Garmin, which purportedly paid a $10 million ransom following a cyber attack in July 2020, while CNA Financial is believed to have paid $40 million in March this year, after hackers initially demanded $60 million.
Other million-dollar ransoms that are known to have been paid include $2.3 million by foreign currency exchange Travelex (January 2021), $4.4 million by the North American division of chemical distributor Brenntag (May 2021), and $4.5 million by US travel services company CWT (July 2020).
With cyber attacks, including ransomware, rising year after year, you'd think cyber insurers might balk at the constant payouts. However, this doesn't appear to be the case.
In fact, paying a ransom is usually the cheaper alternative, as the US city of Baltimore found out when it suffered a ransomware attack in 2019. City officials refused to give in to hackers and pay a $76,000 ransom. The alternative - prolonged delays and outages - saw the city total nearly $20 million in losses.
When another US city - Lake City, Florida - suffered a ransomware attack ($460,000 demanded), a city official said: "Our insurance company made the decision for us to pay. At the end of the day, it really boils down to a business decision on the insurance side of things: them looking at how much is it going to cost to fix it ourselves and how much is it going to cost to pay the ransom."
Aside from some high-profile targets that have been singled out, victims of cyber (ransomware) attacks are rarely chosen specifically. Hackers know that exploiting a vulnerability will give them wider reach, i.e. hundreds or thousands of businesses, to which they can distribute ransomware.
The answer to complete cyber safety isn't always going to be keeping your vulnerabilities patched and up-to-date. After all, human error is still the greatest threat to a company's cyber defences (nearly 90% of data breaches are caused by human error).
However, using a vulnerability alert service such as SecAlerts reduces the risk of a ransomware attack.
SecAlerts does all the legwork for you. Clients choose their software from more than 32,000 on the SecAlerts website and receive one easy-to-understand email listing all the vulnerabilities - CVEs - affecting their software.
Controlling the actions of your employees can be close to impossible. Knowing your vulnerabilities are patched goes a long way towards the security of your business / organisation and the peace of mind that comes with this.