Ransomware is currently one of the most frequent and, above all, one of the most impactful threats for companies around the world, including Mexico.
It affects companies of all types and sizes.
Although there are many ransomware variants and gangs, including LockBit, Akira, ALPHV, Cl0p and others, they all share a common characteristic: their business model is based on double extortion.
“If you don’t pay the amount we demand, you will not only lose access to your data and systems we have encrypted, but we will publish the data we have exfiltrated.”
Regardless of the level of cybersecurity maturity of the affected company, the question often arises: should we pay?
What are the implications or consequences of paying?
Is it certain that, by paying, I will recover the data?
If I pay, how long will it take to be operational again?
While there is no definitive answer to these questions, our experience handling multiple incidents, together with the reports of many researchers who have dealt with this threat around the world, allows us to offer some insights to companies, and especially to decision makers, so that they can make an informed decision based on solid evidence and data.
What are the implications/consequences of negotiating?
- There is no guarantee that the decryption tool provided by the criminals after payment will work correctly, since data may have been corrupted during the encryption process. This can only be verified after paying, by which point the money is already lost.
- Recovery times, even for a fee, can be long, as decryption and restoration processes are lengthy and depend on multiple factors (file/image sizes, reconfigurations, etc.).
- There is no guarantee that the criminals will delete the exfiltrated files, so even if you pay, that information may later be used for malicious purposes, or be partially or totally leaked through channels other than the attacker’s blog, at some point in the future.
- Paying indirectly encourages the growth of cybercrime: it demonstrates that ransomware is effective from an economic perspective and provides criminals with resources to continue, strengthen and expand their activities.
- The attacker may retain control of, or persistence in, the victim’s networks and systems, either through knowledge of flaws, vulnerabilities or key information about those systems and networks, or through artifacts, tools, backdoors and other mechanisms they may have deployed. Payment does not guarantee that the attacker will remove these mechanisms.
- Depending on the type of organization and the type of information leaked (or potentially leaked), review with your legal teams the obligations towards government agencies and regulations, such as the BMV (Mexican Stock Exchange), the Law for the Protection of Personal Data Held by Individuals, or any other rule applicable to your operation. Payment does not exempt you from these obligations.
How long does it take companies to recover after attacks?
This question is even harder to answer, as it depends on many factors: the company’s maturity in disaster recovery policies and processes (a resilient backup strategy, for example), the capabilities of the IT team (systems administration and management, systems architecture, virtualization scheme, etc.), and also the type of business and the type of company.
Recovering the organization’s operations is key and can take anywhere from a couple of days to weeks (some studies have averaged 24 days) [1], but in many cases the process can take months.
Studies indicate that only 8% of organizations recover all of their data after payment, and 29% recover half of their data; rebuilding everything else takes several weeks or months.
24% take between 1 and 6 months, depending on the existence and availability of backups, and 84% of affected companies lost money or received less revenue because of the attack [2, 3].
As a reference, according to recent studies, organizations that have paid the ransom generally end up having a higher cost than those that do not.
Those that paid incurred an average of 5.06 million USD in direct and indirect costs during and after the attack, to which the ransom itself must be added; the ransom varies with the type of ransomware (from ~100,000 USD to a few million USD).
In cases where the organization did not pay and chose to recover using its own means and/or suppliers, the average cost was 5.17 million USD.
It should also be taken into account that, although computer systems may be restored relatively quickly, recovering business functions, the organization’s image and the trust of customers, and dealing with the economic or legal consequences, can take much longer.
In conclusion, the decision whether or not to pay a ransomware ransom is ultimately a very personal one for each organization and its senior management, and depends on many factors, business as well as technical.
Still, the knowledge we have accumulated from hundreds of attacks over the past few years should help victims make an informed decision with minimal impact.