Blog August 14, 2024

Why Playing the Game with Cyber Attackers is Risky

Learn why playing the game with cyber attackers is risky, and what your organization can do to stay prepared.

Cybersecurity, Data Protection, Disaster Recovery, Ransomware

The arrival of new ransomware groups and the proliferation of Ransomware as a Service (RaaS) schemes have contributed to a sustained surge in cybercrime attacks over the last several years. When faced with a ransomware attack, some organizations may be tempted to engage with the attackers and pay the ransom to regain access to their data quickly.

That approach, however, is akin to playing a dangerous game, and one that organizations simply cannot win. Engaging with cyber attackers not only encourages further criminal activity (you are now a known payer, and you have funded the next campaign) but also exposes the organization to financial, operational, and reputational damage. Moreover, there is no guarantee that paying the ransom will result in successful recovery of the encrypted data. In essence, by engaging with cyber attackers, organizations place themselves at the mercy of criminals who have no incentive to "play fair".

More Prevalent and Sophisticated Every Year

Ransomware denies access to systems and the data on them, typically by encrypting files. Once the data is encrypted, the criminal group behind the attack demands payment in exchange for the decryption key. Many groups now also steal data before encrypting it and threaten to leak it if the ransom is not paid (so-called double extortion), which means that even a clean restore from backup does not end the extortion. Files may be encrypted, exfiltrated, or deleted, and in some cases the device itself is locked. The victim organization is left unable to access critical information and systems, causing significant disruption to business operations.

Further complicating things, criminal groups constantly evolve their tactics, techniques, and procedures (TTPs) to evade detection and maximize their chances of success. For example, Ransomware as a Service (RaaS), a business model in which a core group develops and maintains the ransomware, its payment infrastructure and leak site, and leases it to affiliates who carry out the intrusions in exchange for a share of each ransom, has made it far easier to launch attacks. Affiliates need no malware development skill of their own, which has lowered the barrier to entry for cybercriminals and contributed to the increase in attacks.

Even with full awareness of the threat, avoiding ransomware attacks has become increasingly challenging for organizations. Ransomware operators gain entry through multiple channels, such as phishing emails, unpatched software vulnerabilities, or exposed Remote Desktop Protocol (RDP) services with weak or stolen credentials. Once inside, they move laterally, escalate privileges, disable security tooling and backups, and often exfiltrate data before triggering encryption, so the damage is usually done before anyone notices. As is so often the case in security, a single weak link, such as one unpatched server or one account without multi-factor authentication, is enough to give an attacker the foothold they need.

Risks of Playing the Game

Engaging with cyber attackers and paying the ransom can result in significant financial damage to an organization. The average cost of a data breach in the U.S. is a staggering $9.4 million, and this figure does not include the ransom payment itself. In addition to the direct costs of the attack, organizations may also face indirect financial consequences, such as lost revenue due to operational downtime, increased insurance premiums, and potential legal fees.

The typical downtime caused by a ransomware attack is between seven and 21 days, which can be catastrophic for businesses that rely on continuous operations. Even if an organization decides to pay the ransom, there is no guarantee that it will be able to restore its systems and data quickly: attacker-supplied decryptors are typically slow tools that must be run host by host, they can fail on some files, and they do nothing to remove the attacker's access to the network. In fact, a 2021 study found that 92% of companies that paid a ransom did not get all their data back.

Falling victim to a ransomware attack can also have significant reputational consequences for an organization. Customers, partners, and stakeholders may lose trust in the organization’s ability to secure their data and maintain reliable operations. This loss of trust can lead to decreased customer loyalty, lost business opportunities, and damage to the organization’s brand image.

Should Organizations Pay the Ransom?

Ideally, no.

There are a few limited reasons why an organization might consider paying the ransom. In some cases, the attackers do provide a decryption key promptly after receiving the payment, allowing the organization to restore access to its systems and data. By paying the ransom and potentially recovering data more quickly, organizations may be able to shorten the operational downtime caused by the attack. However, whether the key works, and how much comes back, is something you only find out after you have paid.

The list of cons, however, is lengthier. Foremost is that there is no guarantee the attackers will provide a working decryption key or that the organization will be able to recover its data successfully. Cybercriminals are not bound by any legal or ethical obligation to follow through on their promises, and they may simply take the payment without providing the tools needed to restore access to the encrypted data. In some cases, the decryption keys or decryptor tools provided are faulty or fail on part of the data, leaving the organization without access to some of its files despite having paid the ransom.

Worse, paying the ransom can encourage further criminal activity by demonstrating to attackers that their tactics are effective and profitable. When organizations pay, they are essentially funding the development of more sophisticated ransomware strains and incentivizing attackers to continue launching attacks. This can lead to an increase in the frequency and severity of ransomware incidents, as attackers become more emboldened and better equipped to carry out their malicious activities.

The Double Encryption Trap

Some ransomware groups use two different strains of ransomware simultaneously to encrypt an organization’s data. Even if the victim pays the ransom and obtains the decryption key for one strain, their data remains inaccessible due to the second layer of encryption.

Double encryption techniques can significantly increase the complexity and costs associated with recovering from a ransomware attack. Organizations may find themselves in a situation where they have to negotiate with multiple attackers and pay multiple ransoms to regain access to their data. This can lead to increased financial losses and prolonged operational downtime, as the recovery process becomes more convoluted and time-consuming.

Legal Implications

The Office of Foreign Assets Control (OFAC), the U.S. Treasury office that administers and enforces economic sanctions, updated its ransomware advisory in 2021 and strongly discouraged the payment of cyber ransom or extortion demands. The advisory sets out the legal exposure that a payment creates. Some ransomware attacks are carried out by state-backed actors, or by groups and individuals who are themselves on the sanctions list, and a payment that reaches such a party can violate U.S. sanctions regardless of whether the payer knew who they were dealing with, because OFAC applies sanctions on a strict-liability basis. The advisory treats prompt reporting of the attack to law enforcement and cooperation with the investigation as mitigating factors.

Organizations that choose to pay the ransom may also face potential fines and legal consequences, depending on their jurisdiction and the specific circumstances of the attack. Paying the ransom may be viewed as supporting or facilitating criminal activity, which can lead to legal repercussions. Additionally, if an organization fails to properly disclose the breach or comply with relevant data protection regulations, they may be subject to fines and other penalties.

The Only Defense: Proactive Preparedness

Given the significant risks associated with ransomware attacks, organizations have a pressing responsibility to invest in robust prevention and recovery strategies that minimize the likelihood of an attack and ensure rapid recovery in the event of a breach.

Key strategies include patching software and systems promptly, training employees on cybersecurity best practices, enforcing strong access controls and multi-factor authentication (especially on remote access and backup consoles), and maintaining secure, offsite backups of critical data. Backups are the control that decides whether an organization has to negotiate at all, which is where a comprehensive ransomware protection solution such as Ransomware Recovery as a Service (RRaaS) comes in:

Ransomware Recovery as a Service

Recovery Point’s RRaaS begins with a thorough assessment of an organization’s current ransomware preparedness, identifying vulnerabilities, gaps, and areas for improvement. This assessment provides a foundation for developing a comprehensive recovery strategy tailored to the organization’s specific needs and risk profile.

RRaaS includes a suite of core components, including the implementation of immutable backups. These are write-once, retention-locked copies that cannot be altered or deleted before their retention period expires, not even by a backup administrator. That distinction matters because ransomware operators routinely seek out backup consoles and delete or encrypt backups before deploying the encryptor, so immutability has to hold even against an attacker holding backup administrator credentials. RRaaS also incorporates air gapping, which physically or logically isolates backup systems from the production network, so that credentials or malware that compromise production cannot reach the backup copies. This separation adds an extra layer of protection, making it more difficult for attackers to compromise backup data and increasing the likelihood of successful recovery.

To ensure the effectiveness of the recovery strategy, Recovery Point's RRaaS includes regular testing and validation exercises. These exercises simulate ransomware attack scenarios, allowing organizations to refine their recovery processes, identify areas for improvement, and build confidence in their ability to recover from an actual attack. The test that matters is a full restore of representative systems into the isolated recovery environment, timed against the organization's recovery objectives and checked for completeness, rather than a backup job that merely reports success. RRaaS offers organizations the flexibility to deploy the solution across a range of IT environments, including on-premises, colocation facilities, public clouds, and hybrid configurations, so that it can be adapted to the specific needs and constraints of each organization.
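The incomplete-recovery problem raised above (decryptors that return only part of the data) and the restore testing just described both come down to the same question: did every file come back byte-for-byte? As an added example, not Recovery Point's tooling or any code from this post, the following Python script shows that check. It builds a SHA-256 manifest of a source tree at backup time, then compares a recovered tree against it and reports files that are missing, altered, still sitting under a ransomware extension, or present but never in the manifest. The file names, contents and the list of ransomware extensions are constructed for the demo.

```python
"""Restore-verification drill.

Added example, not Recovery Point's code. Builds a SHA-256 manifest of a
source tree at backup time, then checks a recovered tree against it and
reports what is missing, altered or still encrypted. The same check applies
to a restore from backup and to the output of an attacker's decryptor.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Constructed list of extensions ransomware commonly appends; extend it with
# the extension actually observed in the incident.
RANSOM_SUFFIXES = (".locked", ".encrypted", ".crypt")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative, POSIX-style path) to its digest.
    Generate this when the backup is taken and store it with the immutable copy."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> dict:
    """Compare a recovered tree against the pre-incident manifest."""
    report = {"ok": [], "missing": [], "altered": [], "still_encrypted": [], "unexpected": []}
    for rel, digest in manifest.items():
        p = restored / rel
        if p.is_file():
            (report["ok"] if sha256_file(p) == digest else report["altered"]).append(rel)
        elif any((restored / (rel + s)).is_file() for s in RANSOM_SUFFIXES):
            report["still_encrypted"].append(rel)  # came back as ciphertext
        else:
            report["missing"].append(rel)
    # Files present after restore that were never in the manifest: leftover
    # ciphertext, ransom notes or attacker tooling that must not return to production.
    report["unexpected"] = sorted(set(build_manifest(restored)) - set(manifest))
    return report


def recovery_is_complete(report: dict) -> bool:
    """True only when every manifest entry came back byte-for-byte."""
    return not (report["missing"] or report["altered"] or report["still_encrypted"])


def demo() -> dict:
    """Constructed scenario: four files backed up; the recovery loses one,
    truncates one, and leaves one under a ransomware extension."""
    files = {  # constructed sample contents
        "db/customers.sql": b"CREATE TABLE customers (id INT, name TEXT);\n",
        "docs/contract.pdf": b"%PDF-1.7 constructed sample document\n",
        "finance/ledger.csv": b"date,amount\n2024-08-01,100.00\n",
        "hr/payroll.xlsx": b"PK\x03\x04 constructed sample workbook\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "source", Path(tmp) / "restored"
        for rel, data in files.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_bytes(data)
        manifest = build_manifest(src)  # taken at backup time

        for rel, data in files.items():  # simulated, imperfect recovery
            (dst / rel).parent.mkdir(parents=True, exist_ok=True)
            if rel == "db/customers.sql":
                continue  # never recovered
            if rel == "docs/contract.pdf":
                (dst / rel).write_bytes(data[:-8])  # truncated by a buggy decryptor
            elif rel == "hr/payroll.xlsx":
                (dst / (rel + ".locked")).write_bytes(b"\x8a\x01\xf3 still ciphertext")
            else:
                (dst / rel).write_bytes(data)
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result, indent=2))
    print("complete" if recovery_is_complete(result) else "INCOMPLETE - do not sign off")
```

In a real drill the manifest is produced by the backup job and kept with the immutable copy, and `verify_restore` is run against the restored systems in the isolated recovery environment before anything is reconnected to production; an "unexpected" file is as important a finding as a missing one, since it may be a ransom note or the attacker's tooling riding back in with the restore.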

With its comprehensive recovery strategies, isolated recovery environment, and automated processes, RRaaS enables organizations to recover rapidly from a ransomware attack. Recovery Point brings decades of experience and deep expertise in data recovery, ensuring organizations receive the guidance, support, and best practices they need to effectively prepare for and recover from today’s most pernicious ransomware attacks.

Contact Recovery Point today to learn more about protecting your organization against the ever-growing threat of ransomware and cyberattacks.
