To pay or not to pay? For organizations victimized by ransomware, that’s a tricky question that may not have a good answer. A report from the Boston tech security firm Cybereason argues that paying off cybercriminals may not get businesses off the hook.
In a global survey of nearly 1,300 security professionals, two-thirds said that their company had suffered a significant financial loss due to a ransomware attack. About one-third of the victims had paid a ransom. But of those, 80 percent said they suffered a subsequent attack after paying, often by the same criminals responsible for the original breach.
The report also said that while most victims who paid got their data back, 46 percent found that some or all of the data had been corrupted, making it difficult or impossible to use.
“This is the reason I came to the conclusion that it doesn’t pay to pay,” said Cybereason chief executive Lior Div.
In addition, the Cybereason survey found that ransomware takes a major toll on businesses. Two-thirds of ransomware victims suffered a substantial revenue loss, 29 percent were forced to lay off workers, and 26 percent were driven out of business altogether.
Steve Morgan, founder of the market research firm Cybersecurity Ventures, in Northport, N.Y., said he generally agrees with Div. “In theory, it’s a bad idea to pay ransom demands, generally speaking,” he said in an e-mail. “And far too many ransoms are paid when they can be avoided.”
But in some cases, Morgan said, refusing to pay could have deadly consequences.
“Let’s say a hospital suffers a ransomware attack and their oncology equipment used to treat cancer patients goes down as a result,” he said. “And it’s a rural hospital with no easy way to transport patients elsewhere for treatment.” In such a case, Morgan said, “it is a judgment call by the hospital, who is responsible for patient lives.”
Kellen Dwyer, a former deputy assistant US attorney general, said that even when lives aren’t at stake, a refusal to pay could be fatal to many businesses.
“I just don’t think that’s realistic for most companies,” said Dwyer, a partner at the law firm Alston & Bird specializing in cybersecurity law. “Most companies know that there are risks in paying, but they do it because they feel they have no choice.”