"To Pay Or Not To Pay" the Ransom?

Ransomware | Cybersecurity

Ransomware Extortion Doesn't Stop After Paying, According to Recent Research.

To pay or not to pay? Two recent research studies that looked into victims' experiences stress how unreliable ransomware actors are (of course!): in most cases where the ransom is settled, the extortion continues anyway.

Cybersecurity vendor Venafi recently conducted a survey and concluded that over 80% of ransom demands involve double or triple extortion. The most important findings from the respondents are:

  • 83% of successful ransomware attacks over the past year featured double/triple extortion.
  • 71% of ITDMs (IT Decision Makers) believe the practice is more common than it was 12 months ago.
  • 38% of ransomware attacks threatened to use stolen data to extort customers.
  • 35% of ransomware attacks threatened to expose stolen data on the dark web.

The data shows that, from the victim's perspective, some data is often lost or exposed even when the ransom is paid.

Victims Are Paying

While law enforcement agencies and cybersecurity professionals keep warning organizations and individuals against paying ransoms, significant payouts have been made in just the last six months alone, indicating the increasing severity of ransomware.

According to Chainalysis research in 2021,

approximately USD 350 million in ransoms was paid in 2020, more than a 300% increase from the previous year.

When we look at this year's data, according to the email security vendor Proofpoint's analysis, "2022 State of the Phish Report Explores Increasingly Active Threat Landscape, Importance of People-Centric Security":

Nearly 70% of survey participants said their organization experienced at least one [ransomware](proofpoint.com/us/threat-reference/ransomware "Ransomware") infection in 2021. Almost 60% opted to negotiate with attackers, and many paid more than once (with mixed results).

One reason not to pay is what I mentioned above: there is no guarantee that the data can be retrieved. The second reason is that paying encourages more ransomware attacks, because it confirms that the attacks are profitable.

In the same research,

  • 54% regained access to data and systems after their first payment.
  • One-third of the victims ended up paying extra ransom demands before they finally got the decryption key.
  • Another 10% received additional ransom demands but refused to pay.
  • 70% of the survey participants reported having experienced at least one ransomware attack in 2021. 60% of them opted to negotiate with the attackers, and many of them ended up paying a ransom more than once.

One thing worth mentioning is that attackers often hide inside the victim's infrastructure for weeks or even months before launching the ransomware. During that time they plant multiple "bombs" and "traps" in the environment, so they retain the access and permissions needed to return and trigger another attack even if the victim pays the ransom.

The Absence of Credibility

"Credibility" was supposed to be the key to the success of the ransomware "business". However, there are several reasons why ransomware actors give their victims empty guarantees, and hence why that credibility is absent.

Firstly, most Ransomware-as-a-Service (RaaS) operations do not stay around for long, so they look to maximize their profits as fast as they can. When the operation is a one-off, there is no reason to care about long-term reputation: take the money and go.

Secondly, many RaaS affiliates don't obey the rules established by the ransomware operators, because the operators are trying to sell their product to as many affiliates as possible. As a result, only the core group cares about the rules; enforcing them on everyone else is rarely a priority.

Thirdly, even though some attackers keep their promise after receiving the ransom payment and provide the key to decrypt the data, others may still find ways to access the copy of your original data they took and leak it. Finally, even if the data is not published immediately, copies of it may sit for a long time on numerous threat actor systems, so it almost always reaches the broader cyber-crime community eventually.

Finally, If You Can't Avoid Negotiating with Ransomware Groups

If you are already infected, that means someone is already inside your environment. Seeing the ransomware lock screen is the final step of the intrusion, not the start. The clock starts ticking once you click on the link provided by the attacker, so the organization's staff must pull together a cohesive plan before starting that countdown.

1. Preparation

But to make a plan that works, you must answer some fundamental questions before proceeding:

  1. What is the breach?
  2. What is the best outcome for the organization?
  3. Who is responsible for communicating internally and externally?

Once that information is in hand, victims should immediately get the adversaries to switch to a secure communications channel. Why? Being attacked means the environment is compromised for a period, and negotiation channels have often been infiltrated by third parties who interfere with and disrupt the negotiation.

2. Be Respectful

Adversaries may have an advantage, but they are also humans, and humans make mistakes. Therefore, victims have a chance to negotiate a lower ransom or to avoid paying altogether. At the same time, business owners understandably become emotional when under attack, but it helps to treat the ransomware negotiation as a business transaction where possible.

3. (Important) Ask for More Time

Adversaries will usually try to pressure the victims into making quick decisions (and thus mistakes). Sometimes they threaten to leak stolen files or double extort with a timer. The more pressure an attacker applies, the worse the victim's decisions become.

In most cases, attackers grant a request for a deadline extension. This can be helpful for several reasons. First, you will need time to assess the crisis and, at the start of the process, to establish whether your data can be restored without paying. People aren't good at delaying gratification: attackers will want to close the deal fast to move on to other targets. Thus, this strategy is wise for victims who wish to buy some time.

4. We Don't Have the Cash

Other strategies include offering a smaller amount than demanded up front, with a promise of more later, and, more bluntly, trying to convince the ransomware group that there is no money to pay.

5. Hide Your Cyber Insurance (Even If You Do Have It)

If attackers know you are covered by cyber insurance, the negotiation becomes more complicated. In some cases, attackers tell the victims that there will be no discount below the insurance coverage amount.

6. Proof?

Other tips the report provides for those negotiating with a ransomware attacker are asking for a test file to be decrypted, proof that the stolen files have been deleted, and a full explanation of how the attackers pulled off the breach.

Asking for these exit details helps post-attack recovery, since there is no guarantee the files won't be leaked or sold for double extortion; having the attackers explain how they got in and out helps the security team check the systems and confirm the intruders are really gone.

Final Words: Paying Only Makes Things Worse

Without question, organizations experienced both new and familiar cybersecurity challenges in 2021, and these will worsen in the coming year. Unfortunately, whichever way a victim handles a ransom demand, all the scenarios ultimately lead to much the same result; the only thing that changes is how motivated the ransomware actors become.

The best strategy for ransomware victims is not to pay ransom demands. Instead, think about restoring systems and data from backups and reporting the incident to law enforcement and data protection authorities.

Thank you for reading. May InfoSec be with you🖖.