Three Reasons Why You Should Never Pay Ransomware Attackers (2024)

Editor's Note: Unlock the knowledge, resources and expert guidance you need to successfully prevent ransomware attacks from impacting your organization’s operations with this complimentary Ransomware Toolkit...

After falling prey to a ransomware attack, most organizations are faced with the decision of whether they’re going to pay the ransom demand. We’ll save you some time: it’s not worth it, and here are three of the many reasons why it does not pay to pay.

First off, paying the ransom doesn’t mean that your organization will regain access to its encrypted data. Too often that is because the decryption utilities provided by those responsible for the attack simply don’t work properly.

Corrupted Data

Such was the case with the ProLock ransomware strain back in May 2020. As reported by Bleeping Computer at the time, the FBI found that ProLock’s decryptor might corrupt files larger than 64MB. Investigators went on to warn that victims could experience integrity loss of as much as 1 byte per KB for files over 100MB.

It’s instances like ProLock that help to explain why some ransomware victims suffer data loss and corruption even after they have paid the attackers and received the decryption key.

In our recently published ransomware report, titled Ransomware: The True Cost to Business, nearly half of respondents (46%) who fulfilled their attackers’ demands regained access to their data following payment only to find that some, if not all, of their data was corrupted. Just 51% said that they successfully recovered all of their data after paying, and three percent admitted that they didn’t get any of their data back after payment.

Potential Civil Penalties for Paying

Organizations could incur penalties from the U.S. government for paying ransomware actors who may reside in or operate out of countries that are subject to U.S. sanctions. The U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) made this point clear in an advisory published in October 2020.

The advisory explains that OFAC has included malicious cyber actors including ransomware attackers in its cyber-related sanctions program. The initiative empowers OFAC to impose penalties on U.S. persons who provide material assistance and/or other methods of support to any designated individuals.

Those powers apply even if someone didn’t know that they were dealing with a sanctioned individual beforehand. As quoted from the advisory:

OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if it did not know or have reason to know it was engaging in a transaction with a person that is prohibited under sanctions laws and regulations administered by OFAC.

It’s therefore possible that organizations could face civil penalties from OFAC for paying malicious cyber actors such as a ransomware group.

Ready and Willing to Pay up

Finally, organizations who pay the attackers are sending the message that extortion schemes work on them, a message which malicious actors could use to justify subsequent attacks and extortion attempts.

This fact cuts both ways: first, there’s nothing that says that ransomware attackers must satisfy their end of the agreement after receiving payment. That goes not only for handing over a *functional* ransomware decryptor, but also for deleting a victim’s stolen data that was exfiltrated as part of a Double Extortion tactic.

Double Extortion begins when ransomware attackers steal sensitive information before launching the ransomware encryption routine. As usual, the ransomware encrypts the victim’s data and demands payment in exchange for a decryptor. The threat actor puts extra pressure on the victim by threatening to release the exfiltrated data publicly should the victim refuse to pay the ransom demand.

Although data backups are always a good idea for organizations, the Double Extortion tactic makes backups less effective as a primary strategy against ransomware attacks.

Indeed, ZDNet covered a report in which researchers found that some ransomware gangs didn’t always honor their word after receiving a ransomware payment. Threat actors using REvil/Sodinokibi ransomware sometimes approached victims shortly after they had paid the ransom and demanded another payment for the deletion of the exfiltrated information. Other ransomware groups ended up publishing the victims’ data even after receiving a ransom payment.

It’s not always the same malicious actors who strike again, either. We found in our research that 80% of organizations who paid a ransom demand ended up incurring another attack. Close to half (46%) said it was the same attackers that hit them again, while more than a third (34%) informed us that another threat actor might have been responsible for the follow-up infection.

In general, the FBI advises that organizations refrain from paying ransoms because it simply emboldens malicious actors by telling them that extortion works. Those attackers can then justify expanding their operations and continuing to target organizations, making everyone less safe.

Defending Against Ransomware Attacks

The only way forward for organizations is to prevent an infection from occurring in the first place. To do that, they need to invest in an anti-ransomware solution that doesn’t rely on Indicators of Compromise (IOCs), as not every ransomware attack chain is known to the security community. They need a multi-layered platform that uses Indicators of Behavior (IOBs) so that security teams can detect and shut down a ransomware attack chain regardless of whether anyone’s seen it before.

The Cybereason Operation-Centric approach means no data filtering and the ability to detect attacks earlier based on rare or advantageous chains of (otherwise normal) behaviors. Cybereason is undefeated in the battle against ransomware thanks to our multi-layered prevention, detection and response.

Cybereason is dedicated to teaming with defenders to end cyber attacks from endpoints to the enterprise to everywhere - including modern ransomware. Learn more about ransomware defense here or schedule a demo today to learn how your organization can benefit from an operation-centric approach to security.

FAQs

Why shouldn't you pay ransomware?

The FBI does not support paying a ransom in response to a ransomware attack. Paying a ransom doesn't guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity.

Should you pay hackers?

Bear in mind that when you are paying a hacker group, you're effectively funding a criminal organization. The group may even be involved in domestic or international terrorism. That is why the U.S. government discourages ransomware payments and is willing to penalize organizations that pay ransomware attackers.

What are the negative effects of ransomware?

  • Loss of productivity due to shutdown of critical business systems.
  • Loss of files and data, which may represent hundreds of hours of work.
  • Loss of customer data, which damages customer trust and reputation, and represents legal and compliance exposure.

What are the top 3 causes of successful ransomware attacks?

Phishing, Remote Desktop Protocol (RDP) exploitation and software vulnerabilities are the principal root causes of ransomware infections.

Should you pay ransomware or not pay?

Paying the first ransom may not solve the issue. If a business decides to comply with the ransom request, the hacker will likely request more money. Even if the hacker provides the encryption keys immediately, it could take the organization weeks or months to restore its encrypted information.

Should paying ransomware be illegal?

Ransomware Ban: The Only Solution

For as long as ransomware payments remain lawful, cybercriminals will do whatever it takes to collect them. The only solution is to financially disincentivize attacks by completely prohibiting the payment of demands. At this point, a ban is the only approach that is likely to work.

How do ransomware attackers get paid?

Ransomware is a form of malware that encrypts a user's computer files for a period of time, rendering them inaccessible, until a ransom is paid to the attacker. The ransom is often demanded in a cryptocurrency such as Bitcoin, which facilitates the online and anonymous payment.

Why do experts disagree on whether businesses should pay ransomware demands?

One significant risk is that paying the ransom does not guarantee the recovery of encrypted data. There have been numerous instances where organizations have met the demands of attackers, only to discover that the decryption keys provided were ineffective, or in some cases, no decryption keys were provided at all.

Do hackers actually get caught?

So, How Do Hackers Get Caught? Despite what may seem like an insurmountable task, hackers are human and make mistakes. It's often these careless errors that will trip the criminals up and leave a trail of evidence that the police can follow.

Why is ransomware not illegal?

While the federal government has no explicit, comprehensive laws regarding ransomware, it considers ransom payments a type of transaction. Because of this technicality, it is illegal to engage with the attacker — doing so could result in harsh penalties.

Why is ransomware a concern?

Ransomware is a type of malware that prevents you from accessing your computer (or the data that is stored on it). The computer itself may become locked, or the data on it might be stolen, deleted or encrypted.

What is the average ransom payment?

Average ransom payments surged by 500% in the past year to reach $2m per payment, according to Sophos' The State of Ransomware 2024 report. This compares to an average payment of $400,000 calculated by Sophos in its 2023 study, demonstrating that ransomware operators are seeking increasingly large payoffs from victims.

What percentage of companies pay ransom?

By the numbers: 29% of organizations paid a ransom in the last quarter of 2023 to get their stolen data back and unlock their systems during a cyberattack, according to Coveware's report, released Friday. That's a completely different story from the 85% who were paying in the first quarter of 2019.

What is the largest ransomware ever paid?

The 10 Biggest Ransomware Payouts of the 21st Century (Mar 1, 2024)
  • Kaseya (2021). The Kaseya ransomware attack made waves as hackers demanded a historic $70 million ransom to restore data for 1,500 affected businesses.
  • Maersk (2017). ...
  • UK National Health Service (2017). ...
  • Costa Rica (2022). ...
  • Ukraine (2017 and 2022).

What happens if you pay ransomware?

The FBI doesn't recommend making the ransom payment since it doesn't guarantee your data back, not to mention that the payment for the ransomware finances and encourages the cybercriminals to target more victims. For data recovery after a ransomware attack, you have other options.

What are the legal risks of paying ransomware?

It is technically illegal to pay a ransom during a ransomware attack. After all, it's nearly impossible to trace where the attacker is or find out who they work for — and the government frowns on U.S. entities funding terror groups or countries under an embargo.

Article information

Author: Clemencia Bogisich Ret
