Ransomware: should your company pay?
Falling victim to a ransomware attack and being threatened with a ransom will never be an ideal situation. You will be forced to make a challenging judgment call, often under high pressure, and with limited time to decide. In situations like these, preparedness goes a long way.
About the author
Mark Harris is Senior Research Director at Gartner.
Despite the FBI and Department of Homeland Security warning companies to avoid paying ransoms, Colonial Pipeline paid hackers $4.4 million in ransom this year for a decryption tool that restored oil operations. This decision was extremely controversial, and the company’s CEO was later brought before US Congress to testify that the debilitating impact to the country’s fuel supply drove the decision.
This situation, like many others, prompts a point of reflection: how would your organization handle a ransomware attack? Should you, and would you, pay to retrieve your data or restore your systems?
Choosing whether to pay the ransom is challenging, and it is a decision that must be made carefully at the board level, not by security and risk leaders alone. Understanding what actually happens if you pay is key to making that decision.
So, what happens if you pay?
In theory, if a company responds to the ransom demand and pays, the attackers provide a decryption tool and withdraw their threat to publish the stolen data. In practice, however, payment does not guarantee that all of your data will be restored; attackers may simply take the money and disappear. Executives must therefore weigh the realities of ransomware, including:
- Typically, only 65% of the data is recovered, with only 8% of organizations managing to recover all their data.
- Some encrypted files are never recovered. Attacker-provided decrypters may crash or fail part-way through, leaving files permanently lost. In that scenario, your IT security team may need to build a new decryption tool by extracting the keys from the tool the attacker provided.
- Recovering data can take many weeks, or months, especially if a significant amount of it has been encrypted.
- There is no guarantee that the attackers will delete the data they have stolen. Instead, they may sell or even publish the information…