Guido Vrola - Fotolia
Law enforcement has encouraged enterprises to not pay ransom, but experts said the decision isn't so simple when faced with business downtime during the ransomware recovery process.
Weeks after the NotPetya attacks, FedEx admitted its TNT unit was still relying on manual processes for operations because its ransomware recovery process wasn't finished. More recently, in its second-quarter 2017 earnings report, Merck described the financial impact of a cyberattack that occurred on June 27 -- the day NotPetya began its spread -- although the company did not specifically say what kind of attack it was.
The earnings report released on Aug. 28, 2017, said the company was still "in the process of restoring its manufacturing operations." And while Merck said in its report it did "not yet know the magnitude of the impact of the disruption," it did alter its financial outlook in order to reflect "the current state of the company's manufacturing operations, as well as its plans to restore those operations and potential costs associated with the remediation efforts."
Chris Roosenraad, director of product management at Neustar Inc., based in Sterling, Va., said the cost of the service disruption will "almost always be more than the ransom demand, if you're being honest about the costs, [including] the time of all the IT staff, of the investigators (internal or external), of the PR team and lawyers to prepare a response in case it gets public, etc. And that is all regardless of if you pay or not, you still have to spend those costs."
Willis McDonald, senior threat researcher at Core Security in Roswell, Ga., said he understood why an organization may choose to pay ransom.
"From a business perspective, it can make sense to pay the ransom and be done with the issue even if you have solid backups. The cost in man hours it takes to coordinate and transfer data from backups can easily surpass the cost of paying the ransom and distributing the decryption key or binary throughout a large organization," McDonald told SearchSecurity. "The driving force in paying the ransom or not for most businesses really comes down to the cost in wages to recreate or restore operations and data. This is assuming that the attackers can prove that restoring the ransomed data is possible."
Rick Holland, vice president of strategy at Digital Shadows, based in San Francisco, said ransomware recovery can be difficult even if an enterprise has an effective disaster recovery program and data backups.
"Backups are a snapshot in time, so there is the potential for data or transactions to be lost between the last backup and the time of ransomware encryption. If a revenue-generating application is offline for more than a few hours, the revenue losses could be significantly higher than a ransomware payout expense," Holland told SearchSecurity. "The release of intellectual property associated with TV shows and box-office films could greatly reduce ad revenue and box-office revenue. Stolen data that contains [personal health information] or [personally identifiable information] could result in fines from government agencies and class action lawsuits from those impacted by the release."
Jason Kichen, director of cybersecurity services at Versive, based in Seattle, said the traditional ransomware recovery process of restoring from data backups is becoming less useful.
"The latest ransomware attacks often target network-connected computers, and this often includes servers and systems that serve as backup for critical business data. Offline backups are key to ensuring business continuity, but this sort of setup is often costlier and has a higher amount of overhead," Kichen told SearchSecurity. "The level of effort to restore from backups can be significant, and it will often be less expensive in the long run to pay the ransom and re-enable business operations, as opposed to not paying the ransom and restoring systems from backup."
Problems with paying ransom
However, despite the cost equation favoring paying the ransom, experts said this was not as straightforward a ransomware recovery plan as it may appear.
"There should be a calculation as to how likely you are to get a decrypt key if you do pay, and the PR associated with your end decision. For instance, if you do pay, and it becomes known, you may take a PR hit, and you may increase the chances you get targeted again in the future [because] you're now known to pay ransom," Roosenraad said. "Or you may not get hit again for a while, because you've paid your protection money. That depends on the attackers, and may or may not be something you can figure out before you pay the ransom."
Weston Henry, lead security analyst at SiteLock, based in Scottsdale, Ariz., said paying ransom is no guarantee of data retrieval, and businesses would do better to have a long-term ransomware recovery plan.
Willy Leichtervice president of marketing, Virsec
"The short-term cost of remediation and lost revenue may outweigh paying a ransom, but the long-term benefits are a secured network and reliable data restoration," Henry told SearchSecurity. "There is no guarantee that a business will get its data back if a ransom is paid."
Willy Leichter, vice president of marketing at Virsec, based in San Jose, Calif., said paying a ransom is never the solution.
"Even if you pay a ransom, you have no guarantees that your data will be returned and that the infiltration isn't still active in your networks. In fact, you're tagging yourself as a willing target who will inevitably be hit again," Leichter told SearchSecurity. "A robust system of backups is by far the best defense against a ransom, but it doesn't insulate you from potential lawsuits or compliance violations if data is lost. If your networks have been compromised, you have risk."
Holland said paying ransom could also invalidate insurance policies.
"In a climate where insurance underwriters are adding more rigor to their cyber policies and looking for opportunities to not pay out on a policy, capitulating to a ransom demand could have significant implications," Holland said. "Additionally, if the word comes out that a business has given in and paid out a ransomware attempt, then it is likely that more attempts will be made in the future."
Learn how to guarantee data consistency for hybrid cloud backup and recovery.
Find out how to evaluate data backup and restoration efforts.
Get info on the warning from Europol about ransomware escalating.