Paying a ransom after a ransomware attack is a difficult decision for many companies. Attackers want to extract the most money they can from the company they are attacking, while setting the ransom at a price that appears affordable. Paying the attacker’s ransom is usually not recommended by professionals in the cybersecurity field, since the attacker may be deceptive and may not fully release the data, if at all. Also, the vulnerability through which the attacker entered the network still needs to be investigated and patched so that another attack through the same entry point does not occur. Further, companies need to consider how replaceable their data is: do they have a non-infected hot site from which the data can be restored? Companies should weigh all of these aspects when deciding whether to pay the ransom.
Many cybersecurity professionals do not recommend paying the attacker’s ransom, for several reasons. The main reason is that there is no guarantee the attacker will follow through with releasing the data. The attacker may also have encrypted the data so that, even once released, it is still unusable to the company, and there may be an additional ransom for decrypting it. Additionally, many professionals see in their day-to-day work that security is overlooked as a necessity for the organization, and they may want to use this opportunity not only to get the systems up and running again but also to make them more secure. There is now an incentive to defend the company network, keep patches up to date, and do everything else that goes along with better defending the company from another cyber attack.
Consider also the case where data is not just locked but compromised: data is stolen and threatened with release. I would argue that the data is already compromised and will most likely be sold whether the ransom is paid or not, so the company should not pay the ransom and should instead focus on data privacy and account compromise and recovery procedures.
Overall, the only case where I would agree to pay something is if the price was relatively reasonable (what counts as “reasonable” would be up for debate depending on the attack) and there was an absolute necessity, as in barely anything is running or the company is in some other kind of dire state.
The best way to prepare for a ransomware attack is to have backup data, continual scanning for vulnerabilities, and procedures in place for responding when an attack occurs. With secure backup data, the company can revert with minimal downtime. By scanning the network and its entry points, vulnerabilities can be fixed to lower the chance of one being used to enter the system. Finally, by having procedures in place for detection, the company can be alerted to the compromise quickly, contain the spread, and remediate with short downtime.