Incident response

Ransomware-based attacks: Should you pay the ransom?

By Pierluigi Paganini, December 8, 2016


Ransomware represents one of the most dangerous cyber threats for netizens and private companies across the world.

In the criminal underground this kind of threat is becoming ever more popular, and malware authors are developing new ransomware families with sophisticated features that are able to evade detection.


Ransomware allows criminal organizations to rapidly cash out their illegal activities: despite the numerous recommendations to avoid paying the ransom, a large number of victims still prefer to pay it to decrypt their documents.

"Ransomware has completely dominated the current threat landscape," explained Bharat Mistry, cyber-security consultant at Trend Micro.

"During the first part of 2016, we blocked and detected almost 80 million ransomware threats and identified 79 new ransomware families, compared to 29 in the whole of 2015. That's a 179 percent increase. Quite a few of those were built with routines that are designed to attack enterprise machines and endpoints. It's time companies take heed."

According to Symantec, throughout the majority of 2015, the average number of ransomware infections fluctuated between 23,000 and 35,000 per month. Experts observed a spike in March 2016 (56,000) due to the Locky ransomware that was spread through the Necurs botnet.

The FBI estimated the profits related to ransomware at one billion dollars in 2016. We have to consider that the actual ransom payment totals cannot include all those cases that are not reported to the authorities because the victims simply decide to pay up.

Ransomware is a profitable affair … because companies prefer to pay up the ransom

According to research conducted by the security firm Trend Micro, 74 percent of UK organizations that have experienced a ransomware-based attack claimed they would never pay up if infected, yet 65 percent of them do end up paying the ransom.

In the UK the number of ransomware infections continues to increase, and the data provided by British law enforcement and security firms are aligned with what is observed across the world.

A survey conducted by Trend Micro showed that 44 percent of UK businesses experienced a ransomware infection in the last 24 months. 27 percent of the victims faced the dreaded infection several times in this period; in some cases they got the malware as many as five times.

We warn against such behavior: paying exposes the organization to the criminal organizations and does not represent a solution to the problem.

According to the experts from Trend Micro, only 45 percent of the victims decrypted the data upon paying the ransom; this means that 20 percent of the companies that paid up the ransom never got their data back.

Ransomware affects both the employees and the customers of the organizations it hits, becoming a major security issue for UK businesses.

"Those who have been targeted by ransomware say that a third (33%) of their employees were affected by the infection, along with an estimated 31% of the organisation's customers," reads the survey published by Trend Micro.

"When faced with a ransom situation, most organizations simply cannot afford to part with the encrypted data and are forced to fork out the requested amount, often more than once. Caving in to the demands of cyber-extortionists only reassures them of their strategy and perpetuates the threat cycle. That's why companies must adequately protect themselves against ransomware and avoid playing by the attacker's terms," added Bharat Mistry.

What is the economic impact on the businesses?

According to the survey, the average ransom requested in the UK was £540, but one in five of the companies received ransom requests for more than £1000.

Ransomware is a "hit and run" business: crooks use social engineering tricks to induce victims to pay the ransom rapidly.

Eighty-nine percent of respondents confirmed that the requests they received included a time limit for paying the ransom, and 57 percent of companies reported having less than 24 hours to make the payment. In this way, criminal organizations try to maximize their returns in a limited period of time while limiting their exposure to law enforcement agencies.

The economic impact of a ransomware infection can also be measured by evaluating the effort spent restoring the encrypted files and the business opportunities lost during the infection.

"Organisations estimated they spent 33 man/hours on average fixing the issues caused by the ransomware infection," states Trend Micro.

Why do companies pay the ransom?

37 percent of those surveyed explained that they paid out of fear of penalties for the data loss.

32 percent of companies decided to pay up the ransom because the encrypted data included highly confidential information. 29 percent of the companies decided to make the payment because of the low ransom amount compared to the impact on the organization.

Fortunately, 66 percent of organizations that refused to pay up explained that they do not intend to give in to extortion, and 60 percent of the businesses had a backup system in place that allowed them to recover the data from backup files. Just 26 percent did not consider the encrypted data valuable for their activity or confidential.

Almost every company (81%) reported the ransomware-based attack to law enforcement, but they received assistance in only about 51 percent of the cases.

What is the situation across the world?

According to a Malwarebytes survey conducted by Osterman Research, almost half of all companies have been the victims of ransomware during the past 12 months. The report stated that while globally 40 percent of the victims paid up the ransom, 97 percent of US firms refused to do so.

A look at the statistics reveals that 75 percent of enterprise victims paid up in Canada, 58 percent in the U.K., and 22 percent in Germany.

Figure 1 - Companies who paid the ransom (Osterman Research)

Experts believe that the discrepancy between the countries is partially explained by the fact that in the United States the infection most likely hits lower-level employees.

Another factor of interest is the lateral movement of ransomware once it has infected company systems. In the U.S., the infections were less likely to spread to other computers: 9% of the US executives surveyed reported that the infection had spread to more than 25 percent of endpoints, while in other countries this percentage goes up to 41 percent.

This means that US organizations have fewer endpoints impacted by ransomware-based attacks, and less data is exposed to the crooks.

A dangerous trend observed by the experts is the increasing number of attacks against senior executives and the C-suite, who are more likely to pay up the ransom.

The ransomware threat is growing quickly; ransomware is one of the fastest-moving cyber threats in the IT security landscape.

A look at the infection vectors confirms that email was the primary channel used to spread the malicious code: 31 percent of the attacks started with email links and 28 percent with malicious attachments. Malicious domains hosting exploits account for 24 percent, while USB sticks are at 3 percent.

A problem of cost vs. benefit

As explained by the popular security expert Ryan Naraine, many institutions have real difficulty in allocating the necessary resources to defeat ransomware and are obliged to pay the crooks to avoid further damage to their business. Naraine quoted the administrator of a healthcare organization who explained his choice to pay the ransom:

"… an IT administrator for a local healthcare outfit approached me and pointedly told me his company was in the midst of paying the ransom after a pretty nasty infection, and he wanted me to know that my "never pay" advice was impractical.

"It's really bad. We have no computers to use. All our backups are encrypted. It's a case of desperation. We either pay $800 or we spend thousands to rebuild systems and try to recover data. In practice, we have no choice but to pay the ransom," he explained. "Dude, it is real desperation. We simply can't do business unless we pay," wrote Naraine.

The expert highlighted the company's duty of care to the people who use its services: in such a situation there is no other way of retrieving the data, and the payment represents a possible solution.

Experts argue that private enterprises and government organizations have a different approach to the ransomware threat.

For government agencies ransomware is a sort of terrorist act, which means they are obliged not to negotiate with crooks. In private enterprise the situation is more complicated, because the company has obligations to its shareholders and customers.

Whether to pay a ransom depends on the real impact on the organization, in terms of cost. Evaluating this impact is essential in order to allocate the measures necessary to prevent these incidents.

Another aspect to consider is that a ransomware infection is often the final symptom of a serious problem with the cyber security posture of the organization. Other malicious code could already be present in the organization, with obvious consequences.

When organizations pay a fee, they implicitly admit a serious problem with their infrastructure. Rather than succumb to the psychological blackmail, it is essential to protect the systems in advance.

It is important to remember that paying the ransom does not ensure that the data will come back; law enforcement agencies worldwide stress this point, as confirmed in the advisory issued by the FBI.

Before making a decision about whether or not to pay a ransom, businesses should consider the following points:

  • The decision whether to pay a ransom has to be made before an infection actually occurs. Organizations have to consider this kind of incident and need to be prepared with an adequate response procedure. Companies could decide to pay only in the case that specific data are affected, due to the high cost of recovery or to other problems that have occurred (e.g. damaged backups). A company that decides not to pay should install and maintain an effective backup system. A specific policy should address this aspect.
  • The cost of not paying, especially just after the incident, can be unsustainable for the company. An organization should evaluate this cost carefully: a wrong evaluation could mean the decline of its business.
  • Payment of the ransom usually ends with data and systems being recovered. The intent of the crooks is to make profits, and quickly. They are not scammers and their goal isn't simply to steal money; they have to maintain their business, and their reputation is an essential component of their activity. However, in many cases, pressure from law enforcement interferes with their plans and they abandon the business without decrypting the victims' files.
  • It is important to involve legal experts who can support the organization and guide it through the actions it is required to take (e.g. data breach notification).
  • Evaluate whether cyber insurance is worthwhile, and check carefully that the policy covers ransomware-based attacks.

FBI - Tips for Dealing with the Ransomware Threat

Let me close with a list of tips shared by the FBI to prevent and respond to ransomware-based attacks.

Prevention Efforts

  • Make sure employees are aware of ransomware and of their critical roles in protecting the organization's data.
  • Patch operating system, software, and firmware on digital devices (which may be made easier through a centralized patch management system).
  • Ensure antivirus and anti-malware solutions are set to update and conduct regular scans automatically.
  • Manage the use of privileged accounts—no users should be assigned administrative access unless absolutely needed, and only use administrator accounts when necessary.
  • Configure access controls, including file, directory, and network share permissions, appropriately. If users only need to read specific information, they don't need write access to those files or directories.
  • Disable macro scripts from office files transmitted over e-mail.
  • Implement software restriction policies or other controls to prevent programs from executing from common ransomware locations (e.g., temporary folders supporting popular Internet browsers, compression/decompression programs).

Business Continuity Efforts

  • Back up data regularly and verify the integrity of those backups regularly.
  • Secure your backups. Make sure they aren't connected to the computers and networks they are backing up.
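The FBI tips above ask for backups to be verified regularly and kept separate from the systems they protect. The following script is an added example, not part of the article or of the FBI guidance: it records a SHA-256 manifest of a backup tree when the backup is taken and later reports which files have changed, gone missing or appeared since, which is how an encrypted or corrupted backup is noticed before it is needed. All file names in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large backup images are not read into memory


def sha256_of(path: Path) -> str:
    """Streamed SHA-256 of one file."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_root: Path) -> dict:
    """Map each file (path relative to backup_root, '/'-separated) to its SHA-256.
    Keep the manifest away from the backup itself (offline or on another host); otherwise
    whatever alters the backup can rewrite the manifest too."""
    return {
        p.relative_to(backup_root).as_posix(): sha256_of(p)
        for p in sorted(backup_root.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_root: Path, manifest: dict) -> dict:
    """Compare the backup tree as it is now with the manifest taken when it was made.
    'changed': content differs (an encrypted or corrupted file lands here);
    'missing': deleted since the backup; 'unexpected': never backed up (e.g. a ransom note)."""
    current = build_manifest(backup_root)
    return {
        "missing": sorted(k for k in manifest if k not in current),
        "changed": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict:
    """Constructed sample (hypothetical files): take a manifest, then alter the tree."""
    root = Path(tempfile.mkdtemp())
    (root / "docs").mkdir()
    (root / "docs" / "report.txt").write_bytes(b"quarterly figures")
    (root / "db.bak").write_bytes(b"sqlite dump")
    manifest = build_manifest(root)
    (root / "db.bak").write_bytes(b"garbage")           # overwritten after the backup was taken
    (root / "README_DECRYPT.txt").write_bytes(b"note")  # file that was never part of the backup
    return verify_backup(root, manifest)
```

A non-empty "changed" or "missing" list is the signal to treat that backup copy as unusable and fall back to an older, offline copy.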

What to expect in the future?

According to the experts at the security firm Proofpoint, a growing number of criminals will look at ransomware as a source of cheap and easy income. This will encourage malware authors to develop new threats and improve the existing ones.

Researchers from Kaspersky warn of a rapid diffusion of mobile ransomware. From April 2015 to March 2016, researchers at Kaspersky observed ransomware attacks on 136,532 Android users, four times the number observed during the previous 12-month period.

Figure 2 - Android Ransomware (Kaspersky)

Prevention is better than cure!


Pierluigi Paganini

Pierluigi is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group, a member of the Cyber G7 Workgroup of the Italian Ministry of Foreign Affairs and International Cooperation, and Professor and Director of the Master in Cyber Security at the Link Campus University. He is also a Security Evangelist, Security Analyst and Freelance Writer.

Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field; he is a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.

Pierluigi is a member of the "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.