Cyber Security: Ransomware – To Pay or not to Pay, that's the Question.

Until now it was quite clear: blackmailers should not be paid. That is still the recommendation of the authorities in charge. However, in case of a ransomware emergency, the decision is not that easy any more. After all, it can prove very costly for a company to be blocked for days or even weeks. In such a situation, ethical concerns are soon pushed into the background. It is therefore all the more important to take the necessary precautionary measures.

Markus Kaegi

Officially, the Swiss Federal Reporting and Analysis Centre for Information Assurance (Melani) strongly advises against paying ransom money in the event of a ransomware attack. The head of the agency, Pascal Lamia, leaves no doubt: "We always advise against paying ransom demands," he said recently in the media. However, he describes this rule as “only a recommendation to affected companies” - they would have to make their own decisions if it came to such an eventuality. He also adds that many affected companies have not invested enough money in IT security. [i]


An average ransomware attack takes 7.3 days.

The experts at Forrester are also of the opinion that paying a ransom can be worthwhile. Forrester analysts Josh Zelonis and Trevor Lyness write in a new report: "We recommend that you at least consider the payment of ransom as a viable option, even if you have intended not to pay. The average ransomware attack lasts 7.3 days. During this time, business comes to a standstill, and your company will have to find new ways to fulfill its core tasks."

Currently, two Florida cities are making headlines: both paid more than $500,000 to blackmailers who had paralyzed their IT. [ii] Unfortunately, these are not isolated cases; in Europe, too, such payments have been made. [iii]


There are good arguments against payment of ransom

Arguments against paying blackmailers are often based on ethical considerations. Payment creates incentives and rewards criminal activity. Already, growth rates are high in the cybercrime industry and its impact is devastating in many cases. It is no longer hobby hackers and small-time criminals who are playing around on the internet. It is IT professionals who sell their services to the mafia, terrorists, and even governments. Business is booming, because the risks are low, and the profits are high [iv]; ransomware payments create an abundant source of revenue for criminals.

There is also a practical reason against payment: victims do not know whether their payment will have the desired effect. The blackmailers are anonymous and can promise whatever they want. Experts even assume that ransom payments increase the risk of further attacks on the same target. Despite all this, an affected organization cannot be prevented from engaging with blackmailers. While it is generally inappropriate to engage in illegal behavior, this type of involvement does not violate the law.


Your employees can be dangerous

So, what can be done? Companies must expect to be attacked and prepare themselves accordingly. This includes adequate investment in cyber security, insurance if appropriate, and the ability to fully recover the system after a disaster. It is also very important that companies know how to handle cryptocurrency. [v] After all, ransom is paid in cyberspace where the trail cannot be traced; Bitcoin has been proven to be the preferred blackmail currency.


Ransomware, or so-called blackmail Trojans, do not simply appear in a company IT system out of nowhere. It is well known that people are the weakest link in this chain. [vi] The dangerous employees are those who click on links they should never click on or visit websites they should never visit. Opening unknown email files can also prove very, very expensive. Security vulnerability management and training help as part of the investment in cyber security, before it's too late.


“That doesn't concern us.” A fatal error

The biggest threat to your business is the belief that you are not a cyberattack target. Since it's only a matter of time before the first real attack hits you, you need to become aware of your infrastructure and use the most advanced technology to develop a clear view of security-related information.

UMB will detect known vulnerabilities in your systems and analyze traffic with advanced log and risk management technologies, as well as network activity monitoring. It uncovers the profiles of your attackers and reveals hidden security threats before they can harm your business. Contact me today for a security analysis performed by the UMB Security Intelligence Team.


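[i] NZZ, 17 June 2019: Warum es sich für Firmen lohnen kann, Lösegeld an Cyber-Kriminelle zu zahlen (Why it can be worthwhile for companies to pay ransom to cyber criminals)
[ii] 26 June 2019: Second Florida city pays giant ransom to ransomware gang in a week
[iii] 3 March 2016: Erpressung mit Trojaner - Stadtverwaltung zahlte Lösegeld (Extortion with a Trojan: city administration paid ransom)
[iv] Computerworld, 22 February 2018: 600 Milliarden Dollar Schaden durch Cybercrime (600 billion dollars in damage from cybercrime)
[v] 2019: Loslegen mit Bitcoin (Getting started with Bitcoin)
[vi] Digital Society Report, 11 March 2019: Cybersicherheit: kein Strom, keine Zivilisation (Cyber security: no electricity, no civilization)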