Ransomware: to pay or not to pay
-
@RojoLoco said:
Paying is terrible advice in nearly every case. I spoke with the local Spice Corps leader last month about this very topic... his stance was that in 3 different cases where a company had paid the ransom, the number of highly targeted spearphishing attacks went through the roof because that company is now marked with a big, red bullseye that says "WE ARE SUCKERS, WE CLICK EVERYTHING AND WE PAY THE RANSOM!"
Paying the ransom makes you a repeat target.... lists of companies that pay are probably easy to find on the dark webz...
Not to mention the fact that paying helps the proliferation of cryptoware.
Being hit and not having backups makes you a target too, I'm sure.
-
@DustinB3403 said:
Going out of business isn't an option for a business, since businesses do what they must to make money.
Going out of business is always an option. A very, very real one.
-
@scottalanmiller that's the point though.
Paying the ransom is definitely going to hurt, but not paying could put you out of business which would hurt more.
You'd literally lose your form of income.
Depending on the business size you could say "10M is the cost of business because our pencil-heads figured it's cheaper to risk it"
-
@DustinB3403 said:
@scottalanmiller that's the point though.
Paying the ransom is definitely going to hurt, but not paying could put you out of business which would hurt more.
Nope, the idea that going out of business would always hurt more is what is wrong. In many cases, going out of business is the far less painful option.
Many businesses just close all the time voluntarily. If going out of business was never an option, that would never happen.
-
@DustinB3403 said:
You'd literally lose your form of income.
That's less painful than going into more debt than your income could cover!
This "business at any cost" mentality is the same one that causes people to go to college against all logic. "College at any cost", even more than the value of the degree, is what is going on today in America. In both cases, there is a number value to put on college or the ransom; you just have to determine what it is.
-
@scottalanmiller a profitable business never "wants" to go out of business.
That's like saying you want to cut off your left arm because you're tired of the occasional itch that it has.
-
@DustinB3403 said:
Depending on the business size you could say "10M is the cost of business because our pencil-heads figured it's cheaper to risk it"
Don't trivialize the people who understand the value of the business. Acting emotionally is what ransomware makers count on. Use math, not emotions, to determine the value of your business.
-
@DustinB3403 said:
@scottalanmiller a profitable business never "wants" to go out of business.
That's like saying you want to cut off your left arm because you're tired of the occasional itch that it has.
Sure they do, if the profit isn't enough to justify the investment of effort.
-
Let's take this to the personal level. Saying that giving up a business is never worth it is like saying that giving up a job is never worth it because "it makes money". Even that minimum wage job that sucks and costs you a fortune to commute to... it still makes "a little" money, so you can't give it up.
Of course you can. And by doing so maybe you will just enjoy your free time or maybe you will use your effort to do something more profitable.
All business comes at a cost of other opportunities.
-
Let's give an example....
UltraTech makes $100m per year in revenue. They get hit with ransomware. They are a publicly traded company. How much should they pay in ransom?
-
Of course I left out profit, the only number that really matters. Revenue means literally nothing. The profit might be $10K per year. $99,990,000 is what the operational costs are. Every year they fear that they are going to not make profit and might lose money. It is a huge risk for tiny profits.
Now they are being held for ransom. How much would you be willing to pay in ransom if you were the person who has to answer to the shareholders?
-
Remember when a company goes out of business, yes the business ceases, but the people trying to make money off of it continue to exist. They can start a new company or just get normal jobs or they can retire. They have lots of options. Any business venture has to be more fun or more profitable or somehow more valuable than something else that they would be doing.
If you consider there to be unlimited value in paying ransomware, you would also see unlimited value in buying said business. But that's not how businesses are evaluated.
That's actually a good way to think of it.... if you had to buy the same business fresh, how much would an investor be willing to pay? You would never pay that same amount in ransomware because of the additional risks involved (they might not turn over your data, they might have sold it, you are now a target, etc.)
Because that is basically what is happening with ransomware - you are buying the business again.