30.11.2021

Ransomware ransom: To pay or not to pay, that is the question.


Ransom demands after a successful ransomware attack are a sensitive topic. The sums demanded can be very high, as can the pressure to pay them. But there is no guarantee that you will get your data back. You may even make yourself liable to prosecution by paying. In addition, every payment makes the ransomware business model even more profitable and thus worsens the overall situation. But without data and usable IT, everything in your company has been at a standstill for days and the costs …!

We cannot make the individual decision for or against a ransom payment for anyone. In acute cases, we advise our members personally and individually. Of course, this is not possible in a blog article.

But we want you to know at least your basic options. Therefore, we provide a cursory overview of current recommendations, conditions, studies and figures on the subject of ransom payments. And in acute cases, we are always there for you personally.

Good to know: Negotiation is priced into the ransom

As part of the recent ransomware attack on MediaMarktSaturn, cybercriminals demanded a total of $240 million in ransom. The demand sounds astronomical – and it is. This is because cybercriminals often set the sums deliberately high to leave room for negotiation.

What do the authorities advise?

The BSI, the BKA and the police advise against ransom payments, among other reasons because it is not certain whether the data will be decrypted after payment and because further ransoms could be demanded.

Sophos Study: Ransom Returns Only 2/3 of Data on Average

The British security software company Sophos publishes an annual study on ransomware. In 2021, 5,400 IT decision-makers in 30 countries were surveyed. With regard to ransom payments, there were revealing answers:

  • Companies that paid a ransom received on average only 65% of their encrypted data back.
  • Only 8% had all data decrypted again.
  • For almost a third – 29% – at most half of the data was decrypted.
  • When weighing up the costs and benefits of a ransom payment, companies should therefore assume that they will get about 2/3 of their data back.
  • An almost banal, but nevertheless important result of the study: The industries that were able to restore their data most often from backups were the least likely to pay ransoms.

The view of cyber insurance: Paying ransoms exacerbates the problem in the long term

Under certain circumstances, companies have previously been able to reclaim ransoms they had paid as part of a ransomware attack from their cyber insurance. Now the first insurance companies are deviating decisively from this practice.
The background to this is that ransomware attacks are becoming more frequent and complex – and the damage is increasing as a result. For cyber insurance to remain economical, insurers must take measures, for example: increase their premiums, tighten their insurance conditions and/or limit damage coverage.
An additional factor for insurance companies is that every ransom payment promotes the ransomware business model for cybercriminals. In the long term, this leads to even more attacks and ransom demands and thus to ever higher risks for insurance companies.

You should be aware of these risks of paying a ransom:

  • It is possible that the encrypted data is not decrypted or only partially decrypted. For some ransomware, the cybercriminals do not have a decryption program at all. And some of the decryption programs that actually exist contain code errors, so they don’t work.
  • Cybercriminals are well connected. They also share information about which companies were willing to pay ransoms. These companies are then attractive targets for renewed attacks.
  • Ransom payments can be legally problematic. It is therefore advisable to consult a lawyer.

We at Perseus advise: Only pay in an extreme emergency

In general, we do not recommend paying a ransom. We deviate from this recommendation in individual cases. Our Senior Security Analyst Valentin Savulescu explains: “If a ransom payment is the only or still the best option, then we advise it. For example, if there are no backups at all in a company or all backups have also been encrypted and the critical data cannot be reconstructed from other sources. For example, from files, documents, online archives or communication. In addition, if there is no alternative to a ransom payment and it would already be a great help if the data was at least partially decrypted.”
He adds: “But even a ransom payment is not an easy solution. For example, we must first check every decryption program provided by the cybercriminals. Because it can simply be another malicious program. There is also no guarantee that the delivered decryption program will work. And after the payment, the company has to protect itself extremely well to prevent further incidents.” In addition, Savulescu recommends keeping a copy of the encrypted data – in case it can soon be decrypted without paying a ransom.

Alternatives to a ransom payment

  • Test with Nomoreransom.org’s Crypto Sheriff whether your encrypted data can be decrypted without paying a ransom. Nomoreransom.org is an initiative of the Dutch police’s National High Tech Crime Unit and Europol’s Cybercrime Centre, among others.
  • Use backups to restore the data. Even with older backups, you’ll probably get more data back than if you paid the ransom.
  • Contact Perseus to take advantage of all the technical possibilities of decryption and data recovery.

Important:

Whether you pay a ransom or not, after a successful ransomware attack, it’s imperative that you fully secure your system against renewed attacks. Perseus will be happy to assist you.

We help you in acute cases

Are you facing a ransom note? Then contact us immediately so that we can discuss how you can best react now.

Note: Be covered for emergencies. For example, with Perseus 24/7 emergency assistance. In the event of an emergency, Perseus members can count on our incident response around the clock every day. Let us advise you!