Ransomware: a plague that brings companies and institutions to their knees. Should you pay the ransom? Here is the answer.

Estimated reading time: 5 minutes

The devastating impact of ransomware on businesses

Ransomware has become one of the most damaging cyber threats to businesses in recent years. Cyber criminals target company networks, encrypt important files, and demand a ransom to provide the decryption key. The dilemma of whether or not to pay the ransom is something every affected company has to face.

According to the 2021 Clusit report, ransomware attacks in Italy grew 105% compared to 2020, confirming themselves as the leading type of malware. The consequences of these attacks can be devastating, with systems locked, operations interrupted, and data encrypted. 66% of affected companies declared the impact ranged from moderate to catastrophic.

Recovery times after a ransomware attack are long: 48% of companies took at least 3 days to return to normal, but in some cases the disruptions continued for weeks. This causes significant productivity losses and missed earnings.

Why companies choose to pay the ransom

Despite the risks, about 30% of affected companies opt to pay the ransom. The motivations are:

• Quickly obtaining the keys to resume operations as soon as possible
• Avoiding immediate reputational impact by promptly paying the demand
• Lack of reliable backups to restore systems
• Presence of insurance policies covering the ransom
• Perception that it is the only way to regain access to data

Often companies are not aware of the risks associated with payment, namely:

• Having no guarantee of obtaining decryption keys
• Financing further attacks thus incentivizing criminals
• Incurring other costs and impacts post-payment

Cost/benefit analysis: is it worth paying the ransom?

Before making a decision it is important to thoroughly evaluate the costs and benefits of paying the ransom:

Potential benefits:

• Speed of system recovery and business continuity
• Lesser immediate reputational impact

Potential risks and costs:

• No guarantee of obtaining working keys
• Financing organized crime
• Violation of international sanctions
• Post-attack costs: forensic analysis, system restoration, communications
• Legal impacts and regulatory compliance
• Long-term reputational damages

Most analysts agree that the potential damages outweigh the actual benefits. Companies should invest more in ransomware prevention.

Increasing trend despite the risks

Despite these assessments, ransomware ransom payments are on the rise. In 2021 attackers globally earned about $603 million, of which $350 million in the United States alone.

This shows that a certain percentage of companies still prefer to pay, driven by the need to quickly restore operations. But experts agree that this strategy only risks further fueling the ransomware threat.

How widespread is ransom payment by geographic area?

The propensity of companies to pay ransom can vary significantly by geographic region:

• North America: about 33%
• United Kingdom: 46%
• Germany: 15%
• Nordic countries: 10%
• Australia: 42%
• India: 28%
• Singapore: 19%
• Brazil: 35%
• Chile: 13%
• Argentina: 19%

In some countries the authorities strongly discourage and deter any payment, influencing the choices of affected companies. Also the overall cyber maturity of a country can affect it.

Ransomware-as-a-Service: a growing criminal business

Much of the growth in ransomware attacks is due to the spread of Ransomware-as-a-Service (RaaS) models. Criminal groups develop and manage the malware and infrastructure, then rent access to affiliates for a percentage of the attacks’ proceeds.

RaaS has made ransomware attacks within reach of even less skilled criminals. This has led to a proliferation of the threat. Dismantling this model requires an international commitment by law enforcement and governments.

The importance of investing more in prevention

The best strategy for addressing the growing ransomware threat is to invest more heavily in prevention, detection, and incident response. Companies should:

• Implement strong multi-layered security defenses
• Perform regular complete backups and test their restoration
• Adequately train staff on cybersecurity
• Have tested incident response plans in place
• Always keep entire software fleet updated
• Closely monitor network for suspicious activity

Cyber insurance and actively collaborating with law enforcement in case of an attack are also advisable.

Government support against attacks

Government authorities and law enforcement are trying to counter the ransomware threat with initiatives on multiple fronts:

• Awareness campaigns towards citizens and companies
• Platforms for sharing threat intelligence
• Specialized units dedicated to fighting cybercrime
• International cooperation for joint investigations and operations
• Sanctions against organizations and states supporting ransomware
• Discouraging or banning ransom payments

However, efforts need to be intensified, given the global scale the phenomenon has taken on and the vast resources available to the attackers.

Conclusions: better prevent than pay

In summary, the best strategy for dealing with ransomware remains heavily investing in prevention, rather than indulging attacker demands by paying ransoms. A culture of cybersecurity, robust technological defenses, and active collaboration with authorities are the most effective tools to counter this evolving threat.

SOD (Secure Online Desktop) can provide various useful services to prevent the problem of ransomware attacks:

• Backup and disaster recovery: SOD can offer managed data backup services, both on-premise and cloud-based, to guarantee system restoration in case of a ransomware attack.
• Virtualized servers: The use of virtualized servers hosted by SOD makes it harder for ransomware to encrypt data, thanks to isolation between virtual machines.
• Threat monitoring and detection: SOD can monitor client company networks and detect suspicious activity to identify potential ongoing ransomware attacks.
• Sandboxing: Suspicious files can be analyzed in an isolated environment to detect ransomware payloads before they reach production systems.
• Security awareness training: SOD can provide cybersecurity training courses to make employees more aware of ransomware risks.
• Vulnerability assessment: Penetration testing and vulnerability assessment to identify and correct vulnerabilities in systems exploited by ransomware.
• Advanced endpoint protection: Endpoint detection and response solutions suitable for preventing and detecting ransomware attacks on company computers and devices.

By collaborating with SOD, companies can improve their defenses against the growing ransomware threat.

Useful links:

• Acronis Active Protection: difesa dai ransomware
• Acronis Cyber Cloud Active Protection: Racconto di due attacchi di ransomware