To pay or not to pay, that is the ransomware question

While an effective backup system that enables the business to restore encrypted data without shelling out the ransom is crucial, it’s not enough on its own

While plenty may be paying the ransom, it’s not as simple as just getting back to business. 

Coughing up the ransom in an attempt to get bad actors to restore encrypted data following a ransomware attack is far from a quick or cheap fix.

In reality, the full cost of recovery almost doubles when victim organisations pony up, says Sophos’ The State of Ransomware 2020 survey, which polled 5 000 IT decision-makers in businesses across 26 countries and six continents, namely Europe, the Americas, Asia-Pacific and central Asia, the Middle East, and Africa.

Clear and present danger

When it came to the average cost of addressing the impact of ransomware attacks, factoring in business downtime, lost orders and operational costs, but excluding the ransom, it came to $730 000. However, when the ransom was paid, this average cost rose to $1.4 million, almost twice as much.

Over a quarter (27%) of those hit by ransomware confessed to paying the ransom.

In South Africa, 24% of the businesses surveyed said they had suffered a ransomware attack in the last year, with 44%

Cof them saying they expect a ransomware attack in the future. Generally, just over half (51%) of all the companies surveyed had suffered a ‘significant’ ransomware attack over the past year, a slightly lower number than the 54% that reported this in 2017.

Around the world, data was encrypted in nearly three quarters (73%) of successful attacks, a number that was slightly lower in South Africa, with 56% reporting this.

Chester Wisniewski, principal research scientist at Sophos, said businesses might feel intense pressure to pay the ransom to avoid damaging downtime. “On the face of it, paying the ransom appears to be an effective way of getting data restored, but this is illusory. Sophos’ findings show that paying the ransom makes little difference to the recovery burden in terms of time and cost. This could be because it’s unlikely that a single magical decryption key is all that’s needed to recover.”

Back up, back up, back up

Often, says Wisniewski, the malefactors might share several keys and using them to restore data then becomes complex and time-consuming.

The survey also revealed that more than half (56%) of IT managers surveyed said they had managed to recover their data from backups without having to pay up. Around the world, in only 1% of cases, forking out did not lead to the recovery of data. However, when it came to public sector entities, this figure rose to 5%, and 13% of public sector organisations surveyed said they never managed to restore their encrypted data, compared to 6% of the overall sample.

Turning the screws

But it’s not all doom and gloom for the public sector. Surprisingly, these organisations were the least affected by ransomware, with under half (45%) of those surveyed admitting to being hit by a significant attack over the last year. On a global level, it became clear that attackers were eyeing media, leisure and entertainment businesses in the private sector, as 60% of respondents in these sectors reported attacks.

SophosLabs has also examined the tools, techniques and procedures of the Maze ransomware gang. This is a highly advanced strain of malware and combines data encryption with data theft and the threat of exposure. This particular approach, which Sophos says is now being mimicked by other ransomware families, such as LockBit, is designed to pressure the victim into paying the ransom.

What should companies be doing to prevent and mitigate ransomware attacks? According to Wisniewski, while an effective backup system that enables the business to restore encrypted data without shelling out the ransom is crucial, it’s not enough on its own.

“Advanced adversaries like the operators behind the Maze ransomware don’t just encrypt files, they steal data for possible exposure or extortion purposes. Some attackers also attempt to delete or otherwise sabotage backups to make it harder for victims to recover data and increase pressure on them to pay. The way to address these malicious manoeuvres is to keep backups offline, and use effective, multi-layered security solutions that detect and block attacks at different stages.” 


sponsored by
sponsored by