Ransomware: To pay or not to pay, that is the question.


Ransom demands after a successful ransomware attack are a sensitive issue. The amount demanded can be very high, and so can the pressure to pay it. But there is no guarantee that you will get your data back, and by paying you may even make yourself liable to prosecution. Additionally, each payment makes the ransomware business model more profitable, worsening the overall situation. Yet without data and usable IT, everything in your company has already been at a standstill for days, and the costs keep mounting.

We cannot take the individual decision for or against a ransom payment off anyone’s hands. In acute cases, we advise our members personally and individually. Of course, that’s not possible in a blog article.

But we would like you to know at least your basic options. So here we provide a cursory overview of current recommendations, conditions, studies and figures around the topic of ransomware. And in acute cases, we are always there for you personally.

Good to know: Negotiation is priced into the ransom

In the recent ransomware attack on Mediamarktsaturn, cybercriminals demanded a total of $240 million in ransom. The demand sounds astronomical – and it is. The sums are often deliberately set very high by the cybercriminals so that they have room for negotiation.

What do the authorities advise?

The BSI, the BKA and the police advise against ransom payments, among other reasons because it is not certain that the data will be decrypted after payment and because further ransoms could be demanded.

Sophos study: paying the ransom brings back only 2/3 of the data on average

The British security software company Sophos publishes an annual study on the topic of ransomware. In 2021, 5,400 IT decision-makers in 30 countries were surveyed. With regard to ransomware, there were revealing responses:

  • Organizations that paid a ransom got back, on average, only 65% of their encrypted data.
  • Only 8% had all their data decrypted again.
  • For almost a third – 29% – at most half of the data was decrypted.

When considering the cost-benefit of paying a ransom, companies should therefore assume that they will get back about 2/3 of their data. An almost banal, but nevertheless important result of the study: The industries that were most often able to restore their data from backups paid ransoms the least often.

The cyber insurance perspective: Paying ransoms exacerbates the problem in the long run

Under certain circumstances, companies were previously able to reclaim ransoms paid as part of a ransomware attack from their cyber insurer. Now, the first insurance companies are decisively deviating from this practice.

The background to this is that ransomware attacks are becoming more frequent and more complex – and the losses are getting higher as a result. To remain profitable nevertheless, cyber insurers have to take action, for example by increasing their premiums, making their insurance conditions stricter, and/or limiting damage coverage.

An additional factor for insurance companies is that every ransom payment promotes the ransomware business model for cybercriminals. In the long run, this leads to even more attacks and ransomware, and thus to ever higher risks for insurers.

You should be aware of these risks of a ransomware payment:

  • It is possible that the encrypted data will not be decrypted again, or only partially. This is because for some ransomware, the cybercriminals do not have a decryption program at all. And some of the decryption programs that actually exist contain code errors, so they do not work.
  • Cybercriminals are well connected. They also share information about which companies were willing to pay ransoms. These companies are then attractive targets for renewed attacks.
  • Ransomware payments can be legally problematic. It is therefore advisable to consult a lawyer.

We at Perseus advise: Pay only in case of extreme emergency

In general, we recommend not paying a ransom. We deviate from this recommendation in individual cases. Our Senior Security Analyst Valentin Savulescu explains: “If paying a ransom is the only or still the best option, then we advise it. For example, if there are no backups at all in a company or all backups have also been encrypted and the critical data cannot be reconstructed from other sources. For example, from files, documents, online archives or communications. Furthermore, if there is no alternative to paying a ransom and it would already be a great help if the data is at least partially decrypted.”

He adds, “But even a ransom payment is not an easy solution. For example, we have to check every decryption program provided by the cybercriminals first. This is because it may simply be another malware program. There is also no guarantee that the supplied decryption program will work. And once payment has been made, the company needs to safeguard itself extremely well to prevent further incidents.” Additionally, Savulescu recommends keeping a copy of the encrypted data – just in case it can soon be decrypted without paying a ransom after all.
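As an added illustration of the two practical points Savulescu makes (test any supplied decryption program before trusting it, and keep an intact copy of the encrypted data), here is a small Python script that is not part of the original post and not Perseus' own tooling. It preserves a copy of the encrypted tree together with a SHA-256 manifest, stages only a few sample files into an isolated work directory for the decryptor test, and afterwards proves from the manifest whether the preserved originals were left alone. The directory layout, the `.locked` suffix, the "invoice" files and the ransom note are constructed assumptions.

```python
"""Preserve an intact copy of ransomware-encrypted data and confirm that a test
run of a supplied decryptor touched only the sample handed to it.
Added illustration, not Perseus tooling; every path, suffix and file below is a
constructed assumption."""
import hashlib
import shutil
import tempfile
from pathlib import Path

ENCRYPTED_SUFFIX = ".locked"  # assumed marker; real families use many different suffixes


def sha256_file(path: Path) -> str:
    """Streaming SHA-256 so large encrypted files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256, in sorted order."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def preserve_copy(src: Path, dst: Path) -> dict:
    """Copy the encrypted tree to dst (in practice: offline, read-only media) and
    write a sidecar manifest next to it, so any later change is provable."""
    src, dst = Path(src), Path(dst)
    shutil.copytree(src, dst)
    manifest = build_manifest(dst)
    sidecar = dst.parent / (dst.name + ".sha256")
    sidecar.write_text("".join(f"{h}  {p}\n" for p, h in manifest.items()))
    return manifest


def verify_untouched(root: Path, manifest: dict) -> list:
    """List files that changed or vanished since the manifest was taken; [] means intact."""
    root = Path(root)
    problems = []
    for rel, digest in manifest.items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"changed: {rel}")
    return problems


def choose_sample(manifest: dict, n: int = 2) -> list:
    """Pick the first n encrypted files; only these go to the decryptor test run."""
    return [p for p in manifest if p.endswith(ENCRYPTED_SUFFIX)][:n]


def stage_sample(root: Path, sample: list, workdir: Path) -> list:
    """Copy the sample into an isolated work directory (the place to run an
    untrusted decryptor, e.g. inside a network-less VM); originals stay put."""
    workdir = Path(workdir)
    workdir.mkdir(parents=True, exist_ok=True)
    staged = []
    for rel in sample:
        target = workdir / Path(rel).name
        shutil.copy2(Path(root) / rel, target)
        staged.append(target)
    return staged


def make_constructed_incident(root: Path) -> Path:
    """Build a constructed 'encrypted share': opaque bytes under .locked names plus a note."""
    root = Path(root)
    (root / "finance").mkdir(parents=True, exist_ok=True)
    for i in range(4):
        blob = bytes([i]) * 64 + b"\xde\xad"  # stands in for ciphertext
        (root / "finance" / f"invoice_{i}.xlsx{ENCRYPTED_SUFFIX}").write_bytes(blob)
    (root / "README_RECOVER.txt").write_text("constructed ransom note\n")
    return root


def run_demo() -> dict:
    """Preserve copy -> stage sample -> check the originals after a well-behaved
    and after a misbehaving decryptor run. Returns the observations."""
    base = Path(tempfile.mkdtemp(prefix="rw-demo-"))
    share = make_constructed_incident(base / "share")
    copy_dir = base / "preserved"
    manifest = preserve_copy(share, copy_dir)
    sample = choose_sample(manifest)
    staged = stage_sample(copy_dir, sample, base / "work")
    # A well-behaved decryptor writes its output only into the work directory.
    for f in staged:
        f.with_suffix("").write_bytes(b"decrypted-output")
    after_good = verify_untouched(copy_dir, manifest)
    # A misbehaving tool (or a second malware payload) rewrites an original in place.
    (copy_dir / sample[0]).write_bytes(b"tampered")
    after_bad = verify_untouched(copy_dir, manifest)
    return {"files": len(manifest), "sample": sample,
            "after_good_run": after_good, "after_bad_run": after_bad}


if __name__ == "__main__":
    print(run_demo())
```

In a real incident the preserved copy belongs on media that is physically or logically write-protected, the decryptor test runs in an isolated machine that holds nothing but the staged sample, and the manifest check is repeated before any decryption is attempted on the full data set. An empty result from the check after the test run is what makes a partial, later or free decryption attempt possible at all.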

Alternatives to a ransom payment

  • Use Nomoreransom.org’s Crypto Sheriff to test whether your encrypted data can be decrypted without paying a ransom. Nomoreransom.org is an initiative of the Dutch police’s National High Tech Crime Unit and Europol’s Cybercrime Center, among others.
  • Use backups to recover the data. Even with older backups, you’ll probably get more data back than if you pay the ransom.
  • Contact Perseus to exhaust all technical options for decryption and data recovery.

Important:
Whether you pay a ransom or not, after a successful ransomware attack, it is essential that you comprehensively secure your system against re-attacks. Perseus is happy to assist you with this.

We help you in acute cases

Are you currently facing a ransomware attack? Then contact us immediately so we can discuss how best to respond now.

Perseus members can count on our Incident Response every day, around the clock
Also staffed around the clock is this emergency number for non-members: +49 30 233 2730 95