Between 2019-20 and 2021-22, cyber security incidents doubled in Australia.
Although Australia has indeed been one of the worst-hit countries of late, according to the Veeam 2023 Global Report on Ransomware Trends, global ransomware attacks have also increased by more than 12% from the previous year, when 76% of 1,200 surveyed organisations reported at least one attack.
This year’s Data Protection Trends Report also surveyed 1,200 unbiased IT leaders from 14 different countries across Asia-Pacific and Japan (APJ), Europe, the Middle East and Africa (EMEA), and the Americas, with each country having suffered at least one attack in the past 12 months. The results were alarming.
- 85% of organisations suffered at least one ransomware attack in the past 12 months. That’s more than twice the global rate of inflation.
- This year, more organisations will suffer a ransomware attack than turn a profit.
- 77% of ransoms were paid by insurance, but insurance companies are catching on, with 21% of organisations finding out that ransomware is specifically excluded from their security insurance.
These are just some of the stats that continue to stun – and likely scare – organisations across the world.
Other statistics still point to the probability that nearly all businesses will encounter a cyber attack at some point in their lifetime. And if the attack is successful, a ransomware demand remains likely. But what is the ultimate impact of making a ransomware payment, and is it best practice to pay up?
Read on to discover what this most recent ransomware report has to say.
What is the risk of not making a ransomware payment?
As we’ve previously highlighted, the risks of not making a ransomware payment can be significant, including an immediate financial hit and long-term damage to your reputation.
The 2023 Data Protection Trends Report states that 41% of surveyed organisations have a “do-not-pay” policy on ransomware. Yet 80% of the organisations attacked paid the ransom. And a quarter of those who did pay the ransom still could not recover their data even after paying up.
Yet if you don’t make the payment, you increase your risk of financial losses from the attack itself and from the resulting interruption to your business operations, not to mention the risk to your reputation. Once you lose customer trust, that damage can last for years.
In summary, the risk should really be explored and understood on a case-by-case basis before any payments are – or aren’t – made.
What about organisations with back-ups? Should they not pay?
We’re constantly being reminded to back up our work for best protection. Yet according to Veeam’s 2023 Data Protection Trends Report, targeting back-ups has become standard operating procedure for these attackers. In fact, over 93% of ransomware attacks explicitly target back-ups, with 3 in 4 backup repositories affected.
Notably, the report states that 87% of surveyed organisations have a risk management program that drives their security roadmap. Yet only 35% believe their program is working well.
In summary, 60% of these organisations need significant or complete overhauls between their backup and cyber teams. So even if you have a back-up, you should still review your case thoroughly before making any payment decisions.
Will you get your data back if you make a ransomware payment?
Paying the ransom does not guarantee that you’ll get your data back. In the past year, 1 in 4 of Veeam’s surveyed organisations who paid the ransom didn’t see their data again.
And it’s usually the production data that’s targeted. Across those surveyed, 45% of production data was affected in an attack – effectively two out of every five pieces of data. This includes critical information such as databases, sensitive files, and email accounts. Imagine losing all of that forever.
These statistics are unfortunately consistent with last year’s figure of 47% affected, and there is no reason to assume future attacks won’t result in a similarly catastrophic amount of data loss or impact.
What is the average time-to-recovery following an attack?
According to Veeam’s 2023 Data Protection Trends Report, the average time-to-recovery after a ransomware attack is 3.4 weeks. That’s 136 hours of business downtime.
What must be remembered is that, when you recover from such an attack, there’s an unpredictable amount of time to identify which servers are indeed infected, and to determine that the backup/replica versions are not also affected or might reintroduce malware. It is only then that the recovery process can begin.
Could making a ransomware payment make your business a target for further attacks?
Much to some organisations’ disbelief, you are not in the clear when you pay the ransom and, if possible, recover your data.
In fact, according to Veeam’s latest report, 56% of organisations risk re-infection during the restoration of their data after an attack. This is often because the attackers now know who you are, and know you will likely pay.
Is making a ransomware payment legal?
There is currently no law against paying a cyber ransom. The government is, however, deciding whether there should be, as part of its development of a 2023-2030 Australian Cyber Security Strategy (review the related Cyber Security Strategy discussion paper).
That said, if you know or suspect that the ransom payment is part of a money-laundering operation or is helping to fund a terrorist organisation, then making that ransomware payment may well be considered a criminal offence. In making your ‘To pay or not to pay’ decision, you should seek legal advice if unsure.
So, should you make a ransomware payment?
To answer this question, we need to consider the current stats.
Only 16% of the 1,200 organisations surveyed in the 2023 Data Protection Trends Report were able to recover instead of paying the ransom. To do that, they had to have recoverable data within the repositories.
The report goes on to state that for 2023, only 2% of organisations do not have immutability in at least one tier of their backup solution, with many reporting that they have immutability or air gaps across multiple tiers.
There is hope, however. One in six organisations can recover their data without ever paying the ransom. And, this year, it is very achievable for backup data to be immutable across its entire data protection lifecycle, including short-term disk, business continuity/disaster recovery (BC/DR) capable clouds, and long-term tape storage.
The answer to the question, therefore, of whether to make a ransomware payment remains subject to the facts of each specific case. But what’s definitely worth noting is that the only alternative to simply paying the ransom is having a secure backup.
Summary of lessons learned
We have learned some valuable lessons from the 1,200 ransomware victims surveyed in the 2023 Data Protection Trends Report, who, together, suffered around 3,000 cyber attacks in 2022.
The most important lesson was the need for a secure backup.
According to the report, your best backup protection is to employ a few key technologies:
- Immutable storage within disks and clouds, as well as air-gapped media, to ensure recoverable data.
- Staged restorations, to prevent re-infection during recovery.
- Hybrid IT architectures for recovering the servers to alternative platforms like any other BC/DR strategy.
Four further tips for ransomware protection
Veeam’s 2023 Data Protection Trends Report demonstrates a continuing need to have secure data and systems processes in place. We also advise that you consider the following advice.
Back up your data
While there are several types of software that will handle backup for you, a good security team will be able to automate this through whichever operating system you use.
Train your team
Employee training is vital to preventing ransomware attacks. Educating your employees on ways to spot phishing emails, for example, is one of the primary defences against these attacks.
Filter internet access
Limit your employees’ exposure to untrusted sites. Unfiltered access to the internet leaves your business vulnerable to ransomware.
View the full Veeam 2023 Data Protection Trends Report.
If you’d like to understand more about ransomware attacks, or are keen to implement proactive defences against these threats, reach out to us at any time so we can help identify the best solution for you.