back to article Most organizations hit by ransomware would pay up if hit again

Almost nine in 10 organizations that have suffered a ransomware attack would choose to pay the ransom if hit again, according to a new report, compared with two-thirds of those that have not experienced an attack. The findings come from a report titled "How business executives perceive ransomware threat" by security company …

  1. Flocke Kroes Silver badge

    Danegeld

    [paying the ransom] ... encourages these cybercriminals to do it again.

    "Encourages"? I thought it guaranteed another hit as soon as the criminals have worked through their list of previous paying customers.

    1. MachDiamond Silver badge

      Re: Danegeld

      ""Encourages"? I thought it guaranteed another hit as soon as the criminals have worked through their list of previous paying customers."

      Yes, since most companies aren't going to learn the first time.

  2. chivo243 Silver badge
    Devil

    Fat Tony

    yeah, that's nice data you have there, would be shame if anything happened to it? How long before these guys start asking for protection money?!!

    1. chivo243 Silver badge
      Thumb Up

      Re: Fat Tony

      I forgot to add they could call it PaaS2... Protection as a Service!

  3. Tony.

    Tax man always wins.

    Interested in how a company would pay in the UK, you're buying a service, I doubt they are VAT registered so are you not facilitating tax evasion?

    1. Andy Non Silver badge
      Coat

      Re: Tax man always wins.

      The scammers are missing a trick there. If they VAT registered they could hit organisations for an extra 20%. As to whether the tax man ever got the 20% is a different matter.

    2. mark l 2 Silver badge

      Re: Tax man always wins.

      If you are a UK VAT business you don't have to buy goods and services from other VAT registered entities. If an individual or business has a turnover of less than £85K in a 12 month period they don't have to register for VAT.

      And its not your responsibility as a business to ensure they are complying with UK tax laws if you are purchasing from them.

      1. Tony.
        Go

        Re: Tax man always wins.

        It never used to be, but they spread the responsibility,

        "The corporate criminal offence (CCO) of failure to prevent the facilitation of tax evasion came into effect in 2017, making it a criminal offence for relevant bodies (companies, limited liability partnerships and partnerships) to fail to prevent the facilitation of tax evasion by their employees, agents and others performing services for or on their behalf. "

  4. Anonymous Coward
    Anonymous Coward

    Surely there's an economic tipping point here?

    Given that the organizations behind these attacks are typically in places where the phrase "rule of law" actually NEEDS those quote marks, one wonders - in an entirely theoretical way - at what point it becomes more expensive to pay the ransom than, say, to hire a squad of thugs to "persuade" the crew to cease operations. It's not as though it's totally impossible to ID these folks, just difficult and costly (see "rule of law" above, ISP employees can be bought, too).

    1. Anonymous Coward
      Anonymous Coward

      Re: Surely there's an economic tipping point here?

      Yes indeed. A group of well built men in balaclavas brandishing baseball bats smashing up their scamming computer equipment may give them cause to consider their choice of livelihood.

    2. Claptrap314 Silver badge

      Re: Surely there's an economic tipping point here?

      Given how much dirt gets pours over id claims by nation states here, I think I see a flaw in your idea...

    3. veti Silver badge

      Re: Surely there's an economic tipping point here?

      Do you really want to get into a contest that amounts to "who has more money and better underworld contacts?" with these people?

    4. CrackedNoggin

      Re: Surely there's an economic tipping point here?

      I don't think that always works - See the recent "More charged in UK Lapsus$ investigation" (The Register).

      British police have charged two teenagers as part of an international investigation into the Lapsus$ cyber extortion gang. The boys, aged 16 and 17, are set to appear at Highbury Corner Magistrates' Court on Friday, according to the City of London Police, the force responsible for the capital's financial district.

      And from bankinfo dot security dot com

      Chats, Attacks Continue After Arrest

      It is too early to say if this will be the end of Lapsus$, as the arrests may still be a false flag, bad attribution, or even a framing job, Westin tells ISMG.

      This may well be true. A Lapsus$ Telegram chat group - whose members have previously leaked data of compromised companies - continues to be active despite the arrests. Days after the police began a crackdown on Lapsus$ members, the group said it has returned from a "vacation" to leak more critical data.

      On Thursday, nearly a week after the first set of reported arrests linked to the group, Lapsus$ leaked what appeared to be 70GB of data associated with the Luxembourg-based software development company Globant. It also appears to have leaked credentials of several DevOps platforms belonging to the company, including Jira, Confluence, Crucible and GitHub.

    5. Anonymous Coward
      Anonymous Coward

      Re: Surely there's an economic tipping point here?

      Plus, many of the culprits are beyond friendly borders and any any thugs would need to be backed up by a coalition of nation state militaries (un)prepared for WWIII. It's not impossible to get those guys - just not immediately - you have to wait until they come to Disneyland.

      I'd start by rolling back every measure allowing cryptocurrency to interact with the financial system. But crypto now has deep roots in the wealth profile of our Free World Leaders, so that's not going to happen until things get a lot worse, and even then I wouldn't count on it.

  5. VoiceOfTruth

    Incredible

    -> Almost nine in 10 organizations that have suffered a ransomware attack would choose to pay the ransom if hit again

    I can just about understand it, paying up *once*. I don't like the idea of it, or agree with it, but I can just understand it if:

    - they really can't get their data back from backups (already a failure)

    - and they can't recreate that data within a reasonable time (reasonable depends on the nature of the data)

    - and if that data is critical (so treat it as such)

    - and they really have no other reasonable choice if you want to stay in business (recognise the importance of the data, and ensure it is 100% backed up and recoverable)

    But paying up multiple times? No way. That is definitely a failure on the part of the victim. What steps did they take (or rather what didn't they take) after the first time? It's like being burgled while they used 'This is the Lockpicking Lawyer and what I have for you today is an egregious example of a bad lock' locks, then didn't replace them when then Bob the Burglar opened them using a fork, a spoon, or a spare bottle top. At some point you have to say 'these locks are no good'.

    1. Doctor Syntax Silver badge

      Re: Incredible

      People object to victim blaming but in such circumstances - well, if you're going ot paint a target on your back, what do you expect?

    2. MachDiamond Silver badge

      Re: Incredible

      "- they really can't get their data back from backups (already a failure)"

      Depends on the malware and how often data is backed up. If the malware waits until a certain date to do its thing, it may be on the backups as well and as soon as you restore, it starts encrypting again.

      It is more than bad locks. It's the higher ups wanting to access the whole building, or all of the company's building with one key. Except, it's worse since the locks can be opened from anywhere in the world. If somebody in housekeeping can click on a link that springs the trap that infects the whole company, the systems aren't segmented enough. There isn't much usefulness in the warehouse conveyor system PLC's being remotely accessible from the internet. For troubleshooting, maybe there's a way to connect one specially so it can be inspected, but then disconnected once that procedure is done. SneakerNet isn't a bad thing. You do still need to make sure you don't track anything in.

      1. VoiceOfTruth

        Re: Incredible

        I agree with what you are saying - a lack of segmentation, and a desire for certain people to have it easy for themselves. Hopefully they only learn this lesson once.

    3. veti Silver badge

      Re: Incredible

      Sure it's a failure, but it makes sense.

      If you've thrashed out the pros and cons, and made the decision once that paying was the best way out, why would you change that decision the next time? What would be different, specifically?

      1. VoiceOfTruth

        Re: Incredible

        -> why would you change that decision the next time? What would be different, specifically?

        Frequency? The amount? If you paid up once a year £10,000 or $10,000 (just for the sake of argument), you might say that's the price of doing business. What happens if it comes round once every 6 months? Or every month? Or the amount goes up to 100,000?

        If you are burgled once because your processes weren't up to a good enough standard to recover from, you owe it to yourself (and probably your investors, customers, and staff) to see that as a problem and to fix it.

        Let's imagine you have a bicycle and somebody steals it after you put it somewhere with a weak lock. Would you really put your next bicycle in the same place with the same lock? Perhaps you have deep pockets.

  6. Pete 2 Silver badge

    who pays?

    > Almost nine in 10 organizations that have suffered a ransomware attack would choose to pay the ransom if hit again

    But would the cost of the ransom be deducted from the IT (or security dept.) salary budget?

    Maybe from the CIO's bonus, too?

  7. Doctor Syntax Silver badge

    "64 percent of companies surveyed already having suffered an attack, but more worryingly, that executives seem to believe that paying the ransom is a reliable way of addressing the issue.... In contrast, among those that have not so far suffered a ransomware attack, only 67 percent would be willing to pay, and they would be less inclined to do so immediately."

    Which way does that causality run?

    Is it that those who have been attacked had and still don't have anything in place to deal with it other than paying ransom and those who haven't been attacked have not yet seen that particular version of the light?

    Or is it that those who haven't been attacked haven't escaped by chance but, being less inclinedt to pay, have put in place stronger protections?

    1. veti Silver badge

      Or is it that those who have been attacked have a more realistic appraisal of what it would take to prevent another attack? As opposed to those who are still living in denial?

      1. W.S.Gosset Silver badge

        This was my reading of it, too.

  8. Michael Hoffmann
    Trollface

    Time for a Thieve's Guild?

    Once again, Pterry may have been a visionary: just introduce a Ransomware Guild, with the proviso that they also enforce unlicensed gangs.

    <company gets hit by ransomware>

    "But we're fully paid up! What do we pay our fees for?

    <guild, likely with better resources than most law enforcement agencies anyway, hunts down the freebooters and turns them into dog food>

    Companies that pay their fee get a nice little icon on their website! Maybe introduce another EV system so your browser can show it right in the bookmark bar. May I suggest the silhouette of a person with dropped pants bending forward?

    1. MachDiamond Silver badge

      Re: Time for a Thieve's Guild?

      "Once again, Pterry may have been a visionary: just introduce a Ransomware Guild"

      Or Michael Atamanov with "The Hive of Tintaro" from the Reality Benders series. Depends on your choice of fiction. Of course, you can't go wrong with Discworld. I was just listening to Interesting Times again a couple of days ago. I had to. It was mentioned in the Bobiverse series by Dennis E. Taylor. Another favorite. The next installment of the Expeditionary Force books by Craig Alanson is due out in a couple of weeks.

    2. veti Silver badge

      Re: Time for a Thieve's Guild?

      Yes, because if you can't trust malware scammers to honour their promises, who can you trust?

    3. Anonymous Coward
      Anonymous Coward

      Re: Time for a Thieve's Guild?

      Never mind the moral and legal implications (and ramifications) of trusting enforcers who are less than careful about accuracy and who, in the course of their investigations, will likely be deliberately fed some false leads as well.

      Let's suppose it possible to catch some of the villians on this side of friendly borders - (which currently does at least sometimes occur anyway, using legal policing powers.). There are still many villians beyond the reach of any conceivable local "enforcers".

  9. Claptrap314 Silver badge
    Pint

    This is why

    we cannot have nice things.

    ----------------------------------> For crying in.

  10. T. F. M. Reader Silver badge

    Is ransom even important?

    You pay only for getting your data back, assuming you have no other recourse, e.g., restoring from backups. [Aside: getting you data back is an assumption. IIRC Colonial pipeline paid, but the decryptor didn't work very well.]

    It seems to me that this is a small part of dealing with a ransomware attack. Surely cleaning up and identifying how the criminals got into your network and plugging all the holes and making sure no warez remain after cleanup, including in backups, etc., is bound to be a much higher cost to the organization compared to the ransom payment itself.

    So is the "I'll pay again" statement completely reasonable in the context of "I'll have much bigger problems if I am hit again" or is it completely unreasonable in the context of "restoring from backups is bloody hard but still just a small part of what I'll have to go through if I am hit again"?

    Can one get insurance to cover the ransom payment? If I can I won't care about paying the next time - I will have already paid my premium. That's until the premium grows enough after the Nth breach... Can I get insurance to compensate for the downtime while dealing with the breach, as above? The premium may be a lot higher than just for the ransom - maybe better invest in actual security: teams, tools, procedures, equipment, etc?

    No, I have not made any actual calculations. Hence all the question marks.

    1. Anonymous Coward
      Anonymous Coward

      Re: Is ransom even important?

      >> Surely cleaning up... a much higher cost

      Yes... and how much extra cost to maintain a "clean house" afterwards?

      At sites where I have worked, I remember disaster recovery as not being THE priority.

      i.e. they all had backup plans but recovery.. more of a theory.

      I'm not sure how to estimate tipping points... I do know it's expensive to do things well.

      Personally I've always like overkill and lobby for as much as I can get. e.g. redundant, isolated systems, images, backup's, cataloged install media, up to date maps, etc...

      When a recovery was finally needed at one site... even though I had just about everything on hand that I had ever asked for, it still did not go as fast/simple as I had originally planned.

  11. DevOpsTimothyC Bronze badge

    Cost of doing business

    I suspect most of the places who would pay again see it as the cheaper cost of doing business.

    For many it's simply cheaper to pay off the odd ransomware attack than to hire a suitably skilled person or team of people to secure their systems.

    1. CrackedNoggin

      Re: Cost of doing business

      It's easier to live life reacting than planning ahead. That's why quarterly results take precedence over long term planning. I see little evidence that way of life is actually cost effective in the long run.

      Disconnecting crypto from the financial system would put a huge damper on ransomware. Banning, and enforcing that ban, of ransomware payments would also be very effective. But you know such legislation could never get through without enormous loopholes.

      1. Anonymous Coward
        Anonymous Coward

        Re: Cost of doing business

        200% tax on ransom payments, with the rate doubling each time?

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022