Consider that Hollywood Presbyterian Medical Center paid $17,000 to restore access to its electronic medical records system. That's a pittance compared to potentially $533,911 in lost revenue while the hospital's IT department tried to reclaim the data and patients went to different hospitals, based on rough calculations by Andrew Hay, the CISO of DataGravity. Maybe it's $17,000 now, but the gang might easily demand $50,000 next week, and so on.
It’s simple economics. The seller sets prices based on what the buyer is willing to pay. If victims refuse to pay, attackers have no rationale to raise the ransom amounts.
4. You encourage the criminals
Take the long-term view. Paying ransom restores the data for the organization, but that money will undoubtedly fund additional criminal activity. Attackers have more money to spend on developing more advanced versions of ransomware and more sophisticated delivery mechanisms. Many cyber crime gangs operate like legitimate companies, with multiple revenue streams and different product lines. The money from ransomware schemes can be used to fund other attack campaigns.
"There is always a liability piece to what the money is funding," said William Noonan, deputy special agent of Cyber Operations for the U.S. Secret Service, speaking at a Verizon RISK Team event during the RSA Conference in San Francisco.
Paying the ransom feeds the problem.
One reason to pay
Each of the above arguments is perfectly valid. But there’s a compelling reason why many wind up paying: They need their files back. They don’t have a choice.
When ransomware hits all the case files at a police department, there's no time to wait for someone to try to break the encryption and recover the files. When active investigations are pending, restoring from backups may take too long. Set aside the should-haves and could-haves -- if the organization did not have a sufficiently robust backup strategy in place to restore the files (or the backups got corrupted, too), preaching about the importance of prevention is extremely unhelpful.
Many victims may also decide to pay out of fear that if they don’t, the attacker will cause more damage in retaliation.
Organizations that opt to pay are not alone. In a recent BitDefender study, half of the ransomware victims said they paid, and two-fifths of the respondents said they would pay if they were ever in that situation. Industry estimates suggest the CryptoWall gang has extorted victims out of more than $325 million since June 2014.
An ounce of prevention ...
It can’t be stressed enough that persistent backups make it possible for organizations to recover from a ransomware infection without having to pay the criminals. A good backup strategy includes Linux, Mac OS X, and Windows. This is not a Windows-only problem, as ransomware has been found for all three operating systems. Mobile devices aren't immune, either. Think holistically across all platforms.
- Back up regularly, and keep a recent backup copy offsite and offline. Backing up to shared volumes doesn’t work if they are mounted locally on the computer -- ransomware can access those files, too. After running a backup, unplug the USB drive so that ransomware doesn’t also infect the storage device. Regularly test the backup to make sure the files are archived correctly. The aftermath of a ransomware infection is not the time to discover that critical files were not being stored or jobs weren’t kicked off in a timely manner.
- Many ransomware attacks rely on malicious email attachments or links in spam emails. Make sure everyone, from rank-and-file employees and IT staff all the way to senior executives, knows the basics: Don’t click on links without scrutinizing the email to make sure it’s legitimate; verify the message before opening a file attachment; and if the document asks to enable macros, don’t do it. It might be a good idea to install Microsoft Office viewers so that files can be scrutinized without opening them in Word or Excel -- which makes it harder for malicious code to execute.
- Keep all software updated. Many exploit kits rely on unpatched vulnerabilities in popular applications such as Microsoft Office, Internet Explorer, and Adobe Flash. Roll out those updates as soon as possible, and make it harder for attackers to push ransomware onto computers as part of a drive-by-download attack.
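The backup-testing advice in the first item above can be automated. The following is an added example, not code from the article: it records a hash manifest right after a backup job and later reports the failure modes that item names (critical files never stored, a job that did not run on time, files not archived correctly). The manifest file name, the function names and the 24-hour threshold are assumptions made for this sketch.

```python
import hashlib
import json
import time
from pathlib import Path

MANIFEST = "MANIFEST.json"  # hypothetical file name used by this example

def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def write_manifest(backup_dir, now=None):
    """Run right after the backup job: record a hash for every archived file."""
    root = Path(backup_dir)
    files = {p.relative_to(root).as_posix(): sha256(p)
             for p in sorted(root.rglob("*")) if p.is_file() and p.name != MANIFEST}
    doc = {"created": time.time() if now is None else now, "files": files}
    (root / MANIFEST).write_text(json.dumps(doc, indent=2))
    return doc

def verify_backup(backup_dir, critical, max_age_hours=24, now=None):
    """Run on a schedule: return (problem, path) findings; an empty list is a pass."""
    root = Path(backup_dir)
    now = time.time() if now is None else now
    try:
        doc = json.loads((root / MANIFEST).read_text())
    except (OSError, ValueError):
        return [("no-manifest", MANIFEST)]
    findings = []
    # The backup job was not kicked off in a timely manner.
    if now - doc["created"] > max_age_hours * 3600:
        findings.append(("stale-backup", MANIFEST))
    # A critical file was never being stored by the job.
    for rel in critical:
        if rel not in doc["files"]:
            findings.append(("critical-not-stored", rel))
    # An archived file is gone or no longer matches what was written.
    for rel, digest in sorted(doc["files"].items()):
        path = root / rel
        if not path.is_file():
            findings.append(("missing", rel))
        elif sha256(path) != digest:
            findings.append(("content-changed", rel))
    return findings
```

Keep a copy of the manifest somewhere the backed-up machines cannot write to, so the check still means something if the backup volume itself has been altered.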