Whether or not to pay a ransom should never be the first question executives answer.
When confronted with a ransomware attack, the first thing companies need to establish is their situational awareness: what does their cyber insurance cover, and what does recovery entail? said Paul Proctor, distinguished VP analyst at Gartner, speaking during the virtual Gartner IT Symposium/Xpo Tuesday. "Because the next thing that you need to think about, which is arguably more important, is: What is the current business impact?"
Sophisticated ransomware actors will have done their homework — they know how much to ask for based on a company's annual revenue. But if the ransom demand is greater than the actual temporary loss of business, companies have time to really think about their response.
"This is a time where leadership qualities show," said Sam Olyaei, director analyst at Gartner, during the virtual discussion. Recently, a Gartner client had a cybersecurity incident (not ransomware), and upon receiving the alert, the executive went to a yoga class. "She had to relax and figure out in a clear mind what these next steps are going to be," as cyberattacks usually create a chaotic atmosphere.
Because relevant stakeholders, including the CISO, will likely be notified of the attack at the same time, companies need to already know how key executives will work together. The CEO will be the primary source to relay overall business impact to the CIO and CISO. "The business needs to make a decision on behalf of the business," Olyaei said.
Bad actors do their homework and try to make ransom demands based on individual targets. But executives are better equipped with knowing what they're willing to lose — time, money, customers — to make the best long-term decisions.
No shame in a breach
As relevant stakeholders work through response efforts, "there's no shame in a breach or any type of cybersecurity," said Olyaei. "We're starting to see a lot of people start to advertise this as sort of a badge of honor that they've been able to respond to a cybersecurity attack and take the organization to the right processes to get back up to speed."
The technical response is not necessarily where companies feel the brunt of the impact, but it's where some companies can stumble.
"The impact of cybersecurity attacks isn't necessarily from the tactical domain," said Olyaei. Instead, companies fail to respond adequately in public relations, in managing the customer perspective, or in protecting their reputation. These are the business areas in which companies face the most scrutiny following a cyberattack.
Colonial Pipeline's ransomware attack led to an emergency pipeline shutdown, and the company collaborated with relevant parties. The company failed, however, in communicating the consumer impact.
"It was the gas panic on the East Coast that damaged Colonial a lot more than their response to the cyberattack," said Proctor.
Colonial paid its attackers, though the FBI eventually recovered about half of the funds. For Proctor, paying is essentially "inviting them to come back again."
Gartner estimates that about 80% of ransomware victims who paid are targeted again. "You know why? Because you just said, 'I'm a great customer,'" he said.
Understanding the full impact
When companies fully process the scope of an attack and the ransom demand, they will be able to calculate the true business impact — and whether paying the ransom makes sense. For example, if attackers are asking for $40 million, "and you're currently losing $1 million a week, you have a little more flexibility in negotiating" and recovering, Proctor said.
The only time Proctor would approve paying a ransom is "if you absolutely, positively cannot bring the data back, if you don't have any backups, which by the way, everybody backs up. If you're not everybody, wow, you are so far behind the curve," he said.
Responding to cyberattacks is becoming a skill, and if a company is able to determine how much it will cost to recoup data without paying the ransom, "you should jump on that," said Proctor. "Your consideration today is if you looked at that and said 'I can't do it,' you should make the investment to make sure that you could do it."
As part of that evaluation, companies should research available decryptor tools. No More Ransom is a website housing decryptor tools for popular ransomware strains, Olyaei said. Otherwise, the decryptor tool that ransomware actors provide may be too slow to offset rising costs, or may not work at all.
If a company does decide to do business with its attackers, keep in mind "there is no refund policy in a ransomware attack with a ransomware group," he said. Gartner found that companies that paid a ransom got back only 8% of their data. Ransom negotiators tend to find that how well a ransomware group honors its "customer service" depends on how reputable the group is.