In May, the FBI sent out a warning: Don’t pay ransomware attackers. FBI Cyber Division Assistant Director James Trainor said in the formal statement:
Paying a ransom doesn’t guarantee an organization that it will get its data back—we’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cyber criminals to target more organizations, it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding other illicit activity associated with criminals.
It’s sound advice, but companies aren’t heeding it. Radware conducted a study that included a question about ransomware payments. It found that 84 percent of U.S. and UK IT executives at firms that had not faced ransom attacks said they would never pay a ransom. However, the story is different among firms that had dealt with a ransomware attack: 43 percent of those companies paid up. And 23 percent of U.S. companies admitted that they were prepared to pay – so much so that another study, this one by Citrix, found that a third of respondents claim they are stockpiling bitcoins in anticipation of a ransomware payment.
I asked Ben Desjardins, director of security solutions at Radware, why firms are prepared to pay. He said that in general, the situations where a firm elects to pay the ransom are the result of a combination of panic and lack of understanding about the credibility of the threat, how prepared they are for the attack, and how far-reaching the effects could be on their operation. It appears that it is a matter of taking the easy way out, but, he adds, that’s almost never the right strategy:
The fact is that paying the fee doesn’t guarantee the cyberattack will go way. There are many examples of hackers continuing to attack firms after the business has made the requested payment. Often they come back having raised the stakes, presenting a greater threat in conjunction with increased ransom demands.
So what should be done to prepare for a ransomware attack? The FBI recommended improving prevention efforts that include employee training on how to avoid downloading ransomware and developing a business continuity plan so ransomware can’t shut down the system. In a prepared statement, Carl Herberger, Radware’s vice president of Security Solutions, agreed with the FBI’s suggestions, stating:
It’s easy to say you won’t pay a ransom until your system is actually locked down and inaccessible. Organizations that take proactive security measures, however, reduce the chance that they’ll have to make that choice.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba