While a “do not pay” ransomware policy may sound good in theory, denying cybercriminals their demand for payment in exchange for pilfered data is easier said than done.
That reality comes through via a new study from Cohesity, a specialist in AI-powered data security management, which polled more than 900 IT and security decision makers “who take an if not when" approach to cyberattacks on their organization.
The survey found that 94% of respondents said their company would pay a ransom to recover data and restore business processes while 5% said “maybe, depending on the ransom amount.”
Most of those surveyed have paid a ransom in the last two years, and the vast majority said they expect the threat of cyberattacks to increase significantly in 2024. And, alarmingly, 79% of respondents said their company had been the victim of a ransomware attack between June and December 2023. Accordingly, 96% of respondents said the threat of cyberattacks to their industry will increase this year, and 71% predict it will increase by more than 50%.
9 of 10 Companies Paid Ransom
Sixty-seven percent of respondents said their company would be willing to pay more than $3 million to recover data and restore business processes, and 35% said they were willing to pay $5 million in ransom. The research also showed the importance of being able to respond and recover, as 9 in 10 said their organization had paid a ransom in the prior two years, despite 84% saying their company had a “do not pay” policy.
“Organizations can’t control the increasing volume, frequency or sophistication of cyberattacks such as ransomware,” said Brian Spanswick, chief information security officer and head of IT at Cohesity. “What they can control is their cyber resilience, which is the ability to rapidly respond and recover from cyberattacks or IT failures by adopting modern data security capabilities.”
Spanswick said that “it is no surprise” that the majority of companies surveyed have been ransomware victims.
“What is alarming is that 90% have paid a ransom, breaking their ‘do not pay’ policies, and most are willing to pay over $3 million in ransoms because they can’t recover their data and restore business processes or do so fast enough,” he said.
Ransomware Tactics Expand
As each ransomware incident is unique, a company’s cyber insurance carrier as well as law enforcement can likely best determine if ransom should be paid in a particular instance. Now, as the attack surface continues to widen, the sophistication and intensity of each ransomware attack seemingly grows.
Shedding light on that notion, Delinea, a privileged access management (PAM) provider, said in its annual State of Ransomware report that the increasing number and frequency of ransomware attacks reveals a change in strategy among cybercriminals.
The familiar tactics of crippling a company and holding it hostage have been replaced by new strategies that use “stealth” to exfiltrate private and sensitive data, Delinea reported. As such, cybercriminals frequently threaten to sell the information to the highest bidder on the darknet or use it to reap a handsome cyber insurance payment.
Keep in mind that cyber threats can come from inside as well as the outside of an organization. As the 2024 Insider Threat Report from Securonix attests, 90% of respondents said insider threats are more or as difficult to detect and prevent than external attacks.
Additional insight comes via Experian’s 11th annual Data Breach Industry Forecast, for which Michael Bruemmer, vice president of Global Data Breach Resolution, commented, “Cybercriminals are continually working smarter not harder. They are leveraging new technologies like artificial intelligence and applying their talents in different ways to be more strategic and stay a step ahead.”
What MSSPs Say About Paying Ransom
So, what if your MSSP or MSP customer or end-user is hit with a ransomware attack? Is it advisable to pay up? That depends on a variety of circumstances and as well as the application of an organization’s incident response plan, according to the experts MSSP Alert spoke to for a recent article.
One key consideration is whether any data exfiltration contained personally identifiable information (PII) or any sensitive data. The loss of old, legacy or non-sensitive data is not something that should necessarily throw a victim into panic and cause them to immediately cough up the cash to get the information back, advised Quentin Simmons, senior lead analyst of Digital Forensic and Incident Response for eSentire, a managed detection and response (MDR) specialist.
Cohesity found that despite governments and public institutions going to great lengths to encourage stronger cybersecurity and data management, only 46% of respondents said government initiatives, legislation and regulations are actually driving their companies’ data security, data management or data recovery initiatives.