In May 2021, Colonial Pipeline, the largest pipeline operator in the U.S., was compromised. The company, which had to shut operations for 11 days, ended up paying a ransom of 75 bitcoin (approx $4.4 million). In June, a Justice Department task force recovered about $2 million of this payment.

Following this (partial) recovery, U.S. Energy Secretary Jennifer Granholm said she supported banning ransomware payments altogether. The U.S. FBI has always discouraged victim organizations from making ransomware payments. As attacks continue to surge in 2021, the agency is reiterating this advice. The Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency and consulting firms also echo this message (varying degrees).

But is not paying the ransom the right solution? What about banning ransomware payments altogether? Will these choices reduce the size of the problem? Or will it cause even more problems for hapless companies stuck between a rock and a hard place?

The Growing Ransomware Problem 

In 2020, the total ransom amount paid by victims increased by 311% to reach nearly $350 million (in cryptocurrency). Notable victims include United Health Services, Orange and Acer. The problem has become so widespread that the ransomware “industry” is already worth £10 billion a year ($14 billion). 

Canadian companies are also falling victim to ransomware attacks. In late 2020, the Canadian Centre for Cyber Security warned that ransomware attacks against Canadian businesses and critical infrastructure providers (e.g. hospitals) would “almost certainly continue,” and many victims will “likely continue to give in to ransom demands.”

Why Companies Pay Ransom

The $4.4 million payout by Colonial Pipeline is one of the biggest reported in the history of ransomware. Other high-profile cases include CWT Global, a U.S. travel company that paid $4.5 million in July 2020 and Brenntag, which handed over $4.4 billion to the same hacking group that attacked Colonial.

Why do companies pay?

The answer – to restore access to their systems and data. The average cost of ransomware-caused downtime per incident has increased almost seven times from $46,800 in 2018 to $283,000 in 2020. Companies pay because the alternative – costly downtime, idle resources and service interruptions – can have a massive impact on their finances and reputation.

Many victim organizations never fully recover their data or systems. As the number of ransom-paying organizations has risen to 32% in 2021 (from 26% in 2020), only 8% got all their data back. Nearly a third couldn’t recover more than half the encrypted data.

But is banning ransomware payments altogether the answer to such challenges?

The Banning Ransomware Payments: A Start But Not The Solution

We’ve seen that if ransoms aren’t paid, then extortion through data leakage is the follow-up. This happened to law enforcement in the US, and the hackers leaked informant’s information online. There is no guarantee that the criminals will return all of the stolen assets if the ransom is paid. Last year, only 29% of ransomware victims could restore all of their encrypted or blocked files, regardless of whether they paid the ransom.

Banning ransomware payments will limit the funding of unorganized crime. Suppose companies continue to choose to pay ransoms. In that case, cybercriminals will launch even more lethal attacks due to the additional funding, and organizations who are not cyber mature will be caught unaware in the face of a potential crisis. Banning ransomware payments and making the act of paying ransom illegal will help reduce the number of attacks as law-abiding citizens will be less likely to pay a ransom since it is not a legal option. 

The Solution: Is There a Better Approach?

There are steps that companies can take to protect themselves and minimize their chances of victimization. The solution requires businesses to be proactive and to make cybersecurity a business priority. To start with, a robust information architecture and resilience methodology are critical. By understanding what information, technologies, tools and people they need to maintain business continuity, an organization can implement the right processes to protect these assets, such as taking regular data backups, minimizing the size of the attack surface, and monitoring endpoints with Endpoint Detection and Response (EDR) tools.

Prevention programs like anti-malware and firewalls, reliable security protection tools for email and web, and regular software patches are also essential. In addition, Incident Response (IR) planning can help them respond quickly to attacks and contain their impact. And last but not least, with regular application security testing and penetration testing – conducted by skilled, experienced and certified pen testers like Packetlabs – organizations can understand the tactics, techniques and procedures (TTP) attackers use to gain access to enterprise assets. They can also identify the weaknesses of their security controls and implement strong countermeasures to reduce risk.

For more information on how to prepare for and deal with ransomware attacks, please contact us today.