More than half of all Australian businesses were hit by cyber attacks in the 12 months from April 2020 to April 2021, according to the Australian Financial Review, and the majority of those businesses hit by ransomware decided to pay their attackers.

Statistics point to the probability that nearly all businesses will encounter a cyber attack at some point in their life. If the attack is successful, a ransomware demand is likely. However, as we wrote about earlier this year, 80% of organisations that pay their attackers will encounter a second attack.

The hard reality is that many organisations want to restore regular operations in the event of a ransomware attack as quickly as possible, meaning they will often pay whatever it takes to obtain their data back. So what is the ultimate impact of making a ransomware payment, and is it best practice to pay up?

What is the risk of not making a ransomware payment?

If your business experiences an attack, it’s crucial to identify:

  • If any data has been compromised
  • Precisely what that compromised data is
  • What the repercussions of losing that data could be

The first and most obvious risk is financial losses through an interruption to business operations. If your team does not have access to the data and documents they need to do their work, this can bring your business to a grinding halt.

And there’s a second risk that can be even more damaging — reputation. One of the cornerstones of any organisation is customer-client trust. A loss of data, for example, can be remediated. It may take days, weeks, or even months to recover, but it can be recovered.

Once clients lose trust, however, the business damage can last for years. People are unlikely to work with a financial institution known to have leaked personal bank account numbers or credit card information. An enormous investment of time, effort, energy and costs must go into rebuilding that trust.

Ultimately, the risks of not making a ransomware payment can be significant, including an immediate financial hit and long-term damage to your reputation.

What are other companies doing?

According to the 2021 Cyberthreat Defense Report by CyberEdge, a record 86% of organisations covered in their report suffered from a successful cyberattack in 2020. According to the same report, more than two-thirds of these organisations were victimised by ransomware. Most of the companies reported on (57%) made the ransomware payment.

With such high numbers, what can we as businesses do to help prevent and recover from these attacks? One excellent practice we have noticed over the years is to simply wait and see what other businesses are doing. What are some of their best practices when it comes to defending and preparing for ransomware attacks?

Given the large impact ransomware attacks are having, many companies are opting for a cyber insurance rider on their policies. These policies will often cover any payments made, as well as costs for recovering data and getting your business back on its feet. While it is better to never have a breach, breaches clearly happen, and companies are finding that ransomware insurance is a vital piece of their security.    

Successful navigation of this sticky situation also requires a robust Incident Response (IR) Plan.  An IR is exactly what it sounds like: it is a plan that takes into account as many contingencies as possible. This can help prevent panicking, knee-jerk reactions, and other responses that may have an adverse effect on your organisation. Companies that have a strong Incident Response Plan often have regularly scheduled backups on their data, which can help with recovery.

Will you get your data back if you make a ransomware payment?

Of course, if your organisation does choose to pay a ransom fee, the risk remains that the data may not be returned to them. Statistics prove that making a ransomware payment may lead to disappointment. CyberEdge surveyed 1,200 organisations and found 17.5% who decided to pay the ransom still ended up losing their data. While paying a small ransom to obtain your data may seem the best choice at the moment, the risk of being hit again increases, and there is no guarantee that any of the files will be returned.

Could making a ransomware payment make your business a target for further attacks?

Another risk if your organisation does decide to pay a ransom is that you will become a target to other cyber attacks. If money is exchanged and you are known to pay, the risk of being targeted again increases. Becoming a target because you decide to pay any ransom that comes your way is definitely not what you want to be known for.

Is making a ransomware payment legal?

Another important aspect is identifying whether the ransom payment is legal. As Mallesons advises, making a ransomware payment in Australia may be a criminal offence. If you know or suspect that the ransom payment is made part of a money-laundering operation or made towards a terrorist organisation, then making the ransomware payment is illegal. Of course, it should be noted that there are no specific laws in Australia prohibiting the payment of ransoms… but there are laws against helping to fund money laundering and terrorist organisations.

This creates a sticky situation for a CEO who has to make the quick judgment call of whether or not to pay. Again, there is no legislation in Australia that explicitly prohibits making a ransomware payment, but if the decision-makers are demonstrably aware that the organisation or person to whom the payment is being made is moving money illegally, then those decision-makers can still face criminal charges.

It should also be noted that there are pushes within our government to make ransomware payments illegal altogether.

So, should you make a ransomware payment?

The answer to the question of whether to make a ransomware payment is subject to the facts of each specific case. 

As we have mentioned, it is usually a bad idea to make these payments (there is no guarantee that data is returned, and it could leave you vulnerable to other ransomware attacks). Most cyber security professionals would generally tell you to avoid it, if possible.

However, there are some instances where paying it may be the better option (attempting to protect customer data, for example). To completely remove that option can be far more disruptive to business continuity and customer data. In other words, this is not an either/or situation: solutions in one scenario are not necessarily the best or only solutions in other scenarios.

In most circumstances, our recommendation is to avoid making a ransomware payment.

How do you prevent being affected by ransomware?

Not needing to pay a ransom all begins with having secure processes in place.

Backup your data

You would not start a new job without being prepared or go on overseas holidays without purchasing travel insurance. An organisation that chooses not to back up its data engages in risky behaviour. While there are several types of software that will handle this for you, a good security team will be able to automate this through whichever operating system you use.

Train your team

Employee training is vital to preventing ransomware attacks. Numerous studies have been done that reveals the vast majority of malware comes through something called a phishing email. It is really a simple concept: an attacker sends a legitimate-looking email with a legitimate-looking link or attachment to an employee; the employee clicks on the link or opens the attachment; malware is placed on the machine. Educating your employees on ways to spot phishing emails is one of the primary defences against these attacks.

Filter internet access

One last point we want to bring up here is related to phishing emails: internet links. Limit your employees’ exposure to untrusted sites. This includes links found in a phishing email, or links shared on social media, or any URL that is not necessary for day-to-day operations. We have found that the best way to handle this is clear and strong internet-use policies with filters in place. Unfiltered access to the internet leaves your business vulnerable to ransomware.

Deploy Strong End Point Detection and Protection 

Endpoints usually present the easiest target to cybercriminals, so it is essential to make sure they’re well protected. Deploy an endpoint security solution that is built to detect advanced threats, stop breaches and ransomware damage in real-time from Endpoints and Servers

How CT defends against ransomware

Our cyber security solutions can prevent ransomware attacks by protecting your assets, increasing business resilience and developing real-time threat intelligence. Implementing defences against ransomware also protects your reputation by establishing you as a secure, dependable organisation.

If you have suffered a ransomware attack or want to implement proactive defences against ransomware, visit our cyber security page to learn how we can protect your business.