Commentary: ‘We won’t pay’ – ransom negotiations in cyberattacks aren’t so straightforward

THE DECISION TO PAY IS COMPLEX

Paying a ransom may seem like the most sensible way to make the problem go away. However, it is paramount to weigh the potential repercussions and the long-term consequences for the business before doing so.

There is no guarantee that paying the ransom will undo the damage, and payment may incentivise attackers further by demonstrating a willingness to meet their demands. Hence, security teams need to work closely with the management team to ensure that these risks are factored into the business decision.

Companies must consider not only the ransom amount itself but also what it costs to repair the damage caused by the attack.

In many cases, the ransom is only a fraction of the total cost to the company. One study estimated the total cost of mitigating an attack at, on average, seven times the extortion amount once reputational damage and legal liabilities are included.

If the threat actor's aim is to create an atmosphere of terror or fear, or to disrupt an economy, paying the ransom is probably not the best decision. This is especially true in periods of geopolitical unrest. Additionally, governmental entities (and, in many cases, government-owned entities) generally have a policy of not paying a ransom, whatever the threats.

The overall damage depends on several factors, among them the cost of the service outage, reputational harm and regulatory fines. When it comes to data loss, the risk largely depends on the sensitivity of the data. For example, email addresses and names are far less valuable to attackers (and far less risky for the victim) than identity cards, passport copies or medical records.

Where such sensitive data is involved, and assuming the threat actors understand the importance of what they hold, they will probably demand a higher ransom. For instance, an IBM report indicates that a breach in the healthcare industry can provoke a demand for more than twice the amount seen in other sectors.

Ransomware gangs often take great care in setting the size of their demands. An analysis of the chat logs of one such gang showed that they meticulously estimated a target company's revenue from publicly available sources. They would then ask for a percentage of that revenue (roughly between under 1 per cent and 5 per cent, with the higher percentages demanded from companies with lower revenue). Their goal is to make it as easy as possible for companies to decide to pay the ransom.