Ransomware remains one of the most popular cyber attack vectors. Given a choice between paying a hefty sum to recover valuable data or not paying and losing access forever, many victims end up choosing to pay.
First Published 1st July 2019
In the moment, many feel like they have no other choice but to pay.
Reflare Research Team
Ransomware attacks have been a recurring topic of our research, mostly because the trend continues to accelerate. Last week saw two high-profile governmental and one high-profile corporate ransomware incident. In this briefing, we will therefore revisit why ransomware is so popular and what you can do to protect yourself.
What happened?
Hackers got two towns in Florida to pay a combined US$ 1.1m in ransoms to release files they encrypted. At roughly the same time, aluminium maker Norsk Hydro refused to pay a ransom demand and ended up with estimated losses of US$ 57m. All three cases exemplify the “damned if you do, damned if you don’t” problem with ransomware.
Why is ransomware becoming more and more common?
Monetizing a successful cyber attack has traditionally been tricky. An attacker would need to either organize hard-to-trace cash ransoms from the victim through several mules, or find a buyer willing to pay for the access or for stolen data. With the advent of cryptocurrencies, however, ransoms can be demanded with relative safety and anonymity.
This effectively means that ransomware is the simplest, easiest and safest way for many attackers to monetize the access they gained from a successful attack. Since all three factors shape the underground attack market, ransomware attacks continue to increase in popularity.
Why you shouldn’t pay.
On the surface, it may seem that paying the ransom would be the logical thing to do. After all, the two Florida municipalities only lost a little over $1m while the aluminium maker lost in excess of $57m. However, the calculation isn’t as simple as that.
For one, like all extortionists, ransomware attackers base their ransom demands on what they believe they can receive. It is therefore reasonable to assume that the ransom demands issued to Norsk Hydro would have been much higher than those issued in Florida.
For another, paying the ransom means that you have to trust the attacker to actually release the files and leave your network. In practice, however, often neither happens. Attackers may simply demand new ransoms for files that they never intend to - or may not even have the ability to - decrypt.
Lastly, by paying ransoms you incentivize future attacks. And since organizations move slowly, the next attack may well hit you again instead of going for someone else.
What you can do to protect yourself
The only solid defence against ransomware attacks is off-site backups. Those backups should be configured so that they cannot be deleted or overwritten from the primary location. Otherwise, ransomware attackers may simply encrypt them as well. If good backups exist, ransomware loses its teeth. The cost and time investment is therefore well worth it.
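One way to check that property from the primary side, as an added example that is not part of the original briefing: write a canary backup, attempt to overwrite and delete it, and judge the result by reading it back. All names are hypothetical, and the two stores are constructed in-memory stand-ins; in practice the three methods would wrap the real backup target, called with the credentials available at the primary location.

```python
"""Probe whether existing backups can be overwritten or deleted from the
primary location. All class and function names here are hypothetical."""

class PlainStore:
    """Constructed stand-in for a backup target the primary fully controls."""
    def __init__(self):
        self.objects = {}
    def write(self, name, data):
        self.objects[name] = data
    def read(self, name):
        return self.objects[name]
    def delete(self, name):
        del self.objects[name]

class WriteOnceStore(PlainStore):
    """Constructed stand-in for a target that only accepts new backups."""
    def write(self, name, data):
        if name in self.objects:
            raise PermissionError("overwrite refused")
        self.objects[name] = data
    def delete(self, name):
        raise PermissionError("delete refused")

def probe_backup_target(store, canary="canary-backup-0001"):
    """Write a canary backup, then try to overwrite and delete it as the
    primary would. Returns the destructive actions that took effect."""
    original = b"canary: original contents"
    store.write(canary, original)
    findings = []
    # Judge by reading the object back, not by whether the call raised:
    # some targets accept the request yet keep the old version.
    try:
        store.write(canary, b"canary: tampered contents")
    except Exception:
        pass
    if store.read(canary) != original:
        findings.append("overwrite")
    try:
        store.delete(canary)
    except Exception:
        pass
    try:
        store.read(canary)
    except Exception:
        findings.append("delete")
    return findings

if __name__ == "__main__":
    for target in (PlainStore(), WriteOnceStore()):
        print(type(target).__name__, probe_backup_target(target) or "protected")
```

An empty result means neither action took effect with the primary's credentials; any entry in the list is an action ransomware running at the primary location could also perform.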