attacco ransomware Piergiorgio Venuti

Ransomware: a plague that brings companies and institutions to their knees. Should you pay the ransom? Here is the answer.

Estimated reading time: 5 minutes

The devastating impact of ransomware on businesses

Ransomware has become one of the most damaging cyber threats to businesses in recent years. Cyber criminals target company networks, encrypt important files, and demand a ransom to provide the decryption key. The dilemma of whether or not to pay the ransom is something every affected company has to face.

According to the 2021 Clusit report, ransomware attacks in Italy grew 105% compared to 2020, confirming themselves as the leading type of malware. The consequences of these attacks can be devastating, with systems locked, operations interrupted, and data encrypted. 66% of affected companies declared the impact ranged from moderate to catastrophic.

Recovery times after a ransomware attack are long: 48% of companies took at least 3 days to return to normal, but in some cases the disruptions continued for weeks. This causes significant productivity losses and missed earnings.

Why companies choose to pay the ransom

Despite the risks, about 30% of affected companies opt to pay the ransom. The motivations are:

  • Quickly obtaining the keys to resume operations as soon as possible
  • Avoiding immediate reputational impact by promptly paying the demand
  • Lack of reliable backups to restore systems
  • Presence of insurance policies covering the ransom
  • Perception that it is the only way to regain access to data

Often companies are not aware of the risks associated with payment, namely:

  • Having no guarantee of obtaining decryption keys
  • Financing further attacks thus incentivizing criminals
  • Incurring other costs and impacts post-payment

Cost/benefit analysis: is it worth paying the ransom?

ransomware attack

Before making a decision it is important to thoroughly evaluate the costs and benefits of paying the ransom:

Potential benefits:

  • Speed of system recovery and business continuity
  • Lesser immediate reputational impact

Potential risks and costs:

  • No guarantee of obtaining working keys
  • Financing organized crime
  • Violation of international sanctions
  • Post-attack costs: forensic analysis, system restoration, communications
  • Legal impacts and regulatory compliance
  • Long-term reputational damages

Most analysts agree that the potential damages outweigh the actual benefits. Companies should invest more in ransomware prevention.

Increasing trend despite the risks

Despite these assessments, ransomware ransom payments are on the rise. In 2021 attackers globally earned about $603 million, of which $350 million in the United States alone.

This shows that a certain percentage of companies still prefer to pay, driven by the need to quickly restore operations. But experts agree that this strategy only risks further fueling the ransomware threat.

How widespread is ransom payment by geographic area?

The propensity of companies to pay ransom can vary significantly by geographic region:

  • North America: about 33%
  • United Kingdom: 46%
  • Germany: 15%
  • Nordic countries: 10%
  • Australia: 42%
  • India: 28%
  • Singapore: 19%
  • Brazil: 35%
  • Chile: 13%
  • Argentina: 19%

In some countries the authorities strongly discourage and deter any payment, influencing the choices of affected companies. Also the overall cyber maturity of a country can affect it.

Ransomware-as-a-Service: a growing criminal business

Much of the growth in ransomware attacks is due to the spread of Ransomware-as-a-Service (RaaS) models. Criminal groups develop and manage the malware and infrastructure, then rent access to affiliates for a percentage of the attacks’ proceeds.

RaaS has made ransomware attacks within reach of even less skilled criminals. This has led to a proliferation of the threat. Dismantling this model requires an international commitment by law enforcement and governments.

The importance of investing more in prevention

The best strategy for addressing the growing ransomware threat is to invest more heavily in prevention, detection, and incident response. Companies should:

  • Implement strong multi-layered security defenses
  • Perform regular complete backups and test their restoration
  • Adequately train staff on cybersecurity
  • Have tested incident response plans in place
  • Always keep entire software fleet updated
  • Closely monitor network for suspicious activity

Cyber insurance and actively collaborating with law enforcement in case of an attack are also advisable.

Government support against attacks

Government authorities and law enforcement are trying to counter the ransomware threat with initiatives on multiple fronts:

  • Awareness campaigns towards citizens and companies
  • Platforms for sharing threat intelligence
  • Specialized units dedicated to fighting cybercrime
  • International cooperation for joint investigations and operations
  • Sanctions against organizations and states supporting ransomware
  • Discouraging or banning ransom payments

However, efforts need to be intensified, given the global scale the phenomenon has taken on and the vast resources available to the attackers.

Conclusions: better prevent than pay

In summary, the best strategy for dealing with ransomware remains heavily investing in prevention, rather than indulging attacker demands by paying ransoms. A culture of cybersecurity, robust technological defenses, and active collaboration with authorities are the most effective tools to counter this evolving threat.

SOD (Secure Online Desktop) can provide various useful services to prevent the problem of ransomware attacks:

  • Backup and disaster recovery: SOD can offer managed data backup services, both on-premise and cloud-based, to guarantee system restoration in case of a ransomware attack.
  • Virtualized servers: The use of virtualized servers hosted by SOD makes it harder for ransomware to encrypt data, thanks to isolation between virtual machines.
  • Threat monitoring and detection: SOD can monitor client company networks and detect suspicious activity to identify potential ongoing ransomware attacks.
  • Sandboxing: Suspicious files can be analyzed in an isolated environment to detect ransomware payloads before they reach production systems.
  • Security awareness training: SOD can provide cybersecurity training courses to make employees more aware of ransomware risks.
  • Vulnerability assessment: Penetration testing and vulnerability assessment to identify and correct vulnerabilities in systems exploited by ransomware.
  • Advanced endpoint protection: Endpoint detection and response solutions suitable for preventing and detecting ransomware attacks on company computers and devices.

By collaborating with SOD, companies can improve their defenses against the growing ransomware threat.

Useful links:

Share


RSS

More Articles…

Categories …

Tags

RSS darkreading

RSS Full Disclosure

  • SEC Consult SA-20241204-0 :: Multiple Critical Vulnerabilities in Image Access Scan2Net (14 CVE) December 5, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Dec 04SEC Consult Vulnerability Lab Security Advisory < 20241204-0 > ======================================================================= title: Multiple Critical Vulnerabilities product: Image Access Scan2Net vulnerable version: Firmware
  • Microsoft Warbird and PMP security research - technical doc December 3, 2024
    Posted by Security Explorations on Dec 03Hello All, We have released a technical document pertaining to our Warbird / PMP security research. It is available for download from this location: https://security-explorations.com/materials/wbpmp_doc.md.txt The document provides a more in-depth technical explanation, illustration and verification of discovered attacks affecting PlayReady on Windows 10 / 11 x64 and pertaining […]
  • Access Control in Paxton Net2 software December 3, 2024
    Posted by Jeroen Hermans via Fulldisclosure on Dec 02CloudAware Security Advisory [CVE pending]: Potential PII leak and incorrect access control in Paxton Net2 software ======================================================================== Summary ======================================================================== Insecure backend database in the Paxton Net2 software. Possible leaking of PII incorrect access control. No physical access to computer running Paxton Net2 is required....
  • SEC Consult SA-20241127-0 :: Stored Cross-Site Scripting in Omada Identity (CVE-2024-52951) November 27, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Nov 27SEC Consult Vulnerability Lab Security Advisory < 20241127-0 > ======================================================================= title: Stored Cross-Site Scripting product: Omada Identity vulnerable version:
  • SEC Consult SA-20241125-0 :: Unlocked JTAG interface and buffer overflow in Siemens SM-2558 Protocol Element, Siemens CP-2016 & CP-2019 November 27, 2024
    Posted by SEC Consult Vulnerability Lab via Fulldisclosure on Nov 27SEC Consult Vulnerability Lab Security Advisory < 20241125-0 > ======================================================================= title: Unlocked JTAG interface and buffer overflow product: Siemens SM-2558 Protocol Element (extension module for Siemens SICAM AK3/TM/BC), Siemens CP-2016 & CP-2019 vulnerable version: JTAG: Unknown HW revision, Zynq Firmware...
  • Re: Local Privilege Escalations in needrestart November 27, 2024
    Posted by Mark Esler on Nov 27The security fix for CVE-2024-48991, 6ce6136 (“core: prevent race condition on /proc/$PID/exec evaluation”) [0], introduced a regression which was subsequently fixed 42af5d3 ("core: fix regression of false positives for processes running in chroot or mountns (#317)") [1]. Many thanks to Ivan Kurnosov and Salvatore Bonaccorso for their review. [0] […]
  • APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1 macOS Sequoia 15.1.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/121753. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: macOS Sequoia Impact: Processing maliciously crafted […]
  • Local Privilege Escalations in needrestart November 21, 2024
    Posted by Qualys Security Advisory via Fulldisclosure on Nov 21Qualys Security Advisory LPEs in needrestart (CVE-2024-48990, CVE-2024-48991, CVE-2024-48992, CVE-2024-10224, and CVE-2024-11003) ======================================================================== Contents ======================================================================== Summary Background CVE-2024-48990 (and CVE-2024-48992) CVE-2024-48991 CVE-2024-10224 (and CVE-2024-11003) Mitigation Acknowledgments Timeline I got bugs...
  • APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2 iOS 17.7.2 and iPadOS 17.7.2 addresses the following issues. Information about the security content is also available at https://support.apple.com/121754. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: iPhone XS […]
  • APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1 November 21, 2024
    Posted by Apple Product Security via Fulldisclosure on Nov 21APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1 iOS 18.1.1 and iPadOS 18.1.1 addresses the following issues. Information about the security content is also available at https://support.apple.com/121752. Apple maintains a Security Releases page at https://support.apple.com/100100 which lists recent software updates with security advisories. JavaScriptCore Available for: iPhone XS […]

Customers

Newsletter

{subscription_form_1}