The second week of Cybersecurity Awareness Month is all about fighting the phish. Ransomware is often spread through phishing emails that contain malicious attachments.
If you fall victim to a ransomware attack, you face a difficult decision: do you pay the ransom or not? That’s why we have put together some considerations to help you determine whether you should pay.
Paying the Ransom
In some cases, a business may be faced with a demand that makes them realize they can’t afford not to pay it. This was the conundrum for law firm Campbell Conroy & O’Neil after they fell victim to a ransomware attack earlier this year. With a client list full of Fortune 500 companies, including Ford, Johnson & Johnson, FedEx, and Coca-Cola, just to name a few, the risk that the hackers would release data about their clients was a real concern. If they chose not to pay the ransom and the hackers decided to publicize their clients’ data, they could face a slew of lawsuits.
When deciding whether to pay the ransom, you must also consider if the demand amount is feasible for your business. Recent research found that the average ransom paid by mid-sized organizations across the world is about $170,000.
It is also important to note that if you are in the education sector, where your financial details may be public record, hackers can do their homework before they choose to attack you. This was the case for Broward County Public Schools, which was victimized by a ransomware attack earlier this year. The hackers were aware of the district’s $4 billion budget and demanded $40 million in ransom. A negotiator representing the school told the hackers that they could not pay a fee of that magnitude, so the hackers lowered their demand to $10 million.
Not Paying the Ransom
One of the reasons to consider not paying the ransom is that paying the hackers does not always equate to getting all your data back. According to a report from Sophos, less than 10% of victims across the globe recovered all of their data after paying a ransom. Even if you do manage to get your data back, you run the risk that the hackers have already sold some of it on the dark web.
Another consideration is that the Federal Bureau of Investigation (FBI) provides guidance on responding to ransomware attacks and does not recommend that victims give in to ransomware demands. They assert that paying the hackers simply encourages them to target more victims.
When it comes to deciding between paying or not paying a ransom, the fact remains that the best-case scenario is to prevent the attack altogether. You can obtain a free ransomware evaluation to find gaps in your business setup that need addressing. You should also have a solid backup in place, so that if you do get hit with ransomware, you don’t need to pay a ransom to get your data back.