One of the key decisions that must be made after a successful ransomware attack is whether the victim organization can or should pay the ransom. Of course, there are many considerations in such a decision: for example, whether the payment is legally permissible, how easily the systems can be restored if the ransom is not paid, the damage that could be done to the company or its consumers if the systems are not restored in time, and whether there are reputational risks or ethical concerns, among many others.
A new study by privacy and cybersecurity insurer Hiscox sheds light on additional practical concerns to consider when balancing potential risks and benefits.
More specifically, Hiscox has released its sixth annual Cyber Readiness Report 2022, in which it cites a number of interesting findings:
- Ransomware attacks rose to about 19%, from 16% last year.
- About 60% of the companies surveyed paid the ransom in response to a successful ransomware attack.
- About half of the companies that paid ransoms ended up paying more than once after more successful attacks.
- In the United States in particular, the number of ransomware attacks stayed roughly flat from 2021 to 2022, but payouts increased: more victims paid ransoms to attackers this year than last year.
- Only 59% of the companies that paid the ransom successfully recovered their data.
- 29% of companies that paid the ransom still had their data compromised.
In short, organizations considering paying a ransom should understand that not only are there legal, reputational, and business risks, but such a payment may not even mitigate the damage of an attack. Moreover, while it was already widely understood that paying ransoms can facilitate future criminal acts against others, the statistics suggest that such payments may also invite further attacks against the paying organization itself.
The decision whether to pay a ransom is complex, so it is better not to confront the question for the first time in the middle of an incident. Before an attack occurs, therefore, thoroughly consider the factors that go into a payment decision and, ideally, document those factors along with your organization’s specific weighting of each, in a manual adopted by internal policy or consensus that provides guidance if the worst happens.