Ransomware: to pay or not to pay
-
Paying is terrible advice in nearly every case. I spoke with the local Spice Corps leader last month about this very topic... his stance was that in 3 different cases where a company had paid the ransom, the number of highly targeted spearphishing attacks went through the roof because that company is now marked with a big, red bullseye that says "WE ARE SUCKERS< WE CLICK EVERYTHING AND WE PAY THE RANSOM!"
Paying the ransom makes you a repeat target.... lists of companies that pay are probably easy to find on the dark webz...
Not to mention the fact that paying helps the proliferation of cryptoware.
-
@RojoLoco the point is that if you do not have a backup paying is the most cost effective means of recovering your business.
Paying will have other consequences as you have pointed out. But that does not detract form the fact that paying could very much be a more cost effective way of recovering.
Assuming that someone paid, and changed nothing in their process to then prevent a recurrence, I would not feel sorry for that business if they fall victim to some other phishing attempts.
-
@JaredBusch said:
@RojoLoco the point is that if you do not have a backup paying is the most cost effective means of recovering your business.
I'm sorely tempted to say something about "survival of the fittest" - let them go away. A very poor business IT intelligence / fitness test? It seems so cruel but this is pretty basic stuff.
Grandma's computer? Different story.
-
@RojoLoco said:
Paying is terrible advice in nearly every case. I spoke with the local Spice Corps leader last month about this very topic... his stance was that in 3 different cases where a company had paid the ransom, the number of highly targeted spearphishing attacks went through the roof because that company is now marked with a big, red bullseye that says "WE ARE SUCKERS< WE CLICK EVERYTHING AND WE PAY THE RANSOM!"
Paying the ransom makes you a repeat target.... lists of companies that pay are probably easy to find on the dark webz...
Not to mention the fact that paying helps the proliferation of cryptoware.
That is a good point and not one I've seen brought up a lot. If you don't take steps to stop it happening again then you're just going to get bled dry.
-
@DustinB3403 said:
That's a pretty simple answer.
As much as it takes to get back to a running state. You're basically asking us "Do you pay the ransom or go out of business?"
Yes but how much would you pay versus going out of business? 50% of your net profit? 99% of it?
-
As much as it takes.
Going out of business isn't an option for a business, since businesses do what they must to make money.
That could easily be 10 Million.
-
@JaredBusch said:
@RojoLoco the point is that if you do not have a backup paying is the most cost effective means of recovering your business.
Paying will have other consequences as you have pointed out. But that does not detract form the fact that paying could very much be a more cost effective way of recovering.
Maybe, maybe not. We have discussed it internally, and even if we lost everything (data) we would never pay because management and the dev team would just redo all that proprietary code, and we would be back online in a few weeks, morals and principles intact. We have backups, maybe not the best and most current of everything, but the most important parts exist in triplicate in various offsite locations. I have no sympathy for a company with no backups... they likely laid off their IT person or staff, then outsourced it (at a minimal level), or just said "we don't need no stinking backups!".
-
@DustinB3403 said:
That's a pretty simple answer.
As much as it takes to get back to a running state. You're basically asking us "Do you pay the ransom or go out of business?"
Not really. 1) It doesn't necessarily mean going out of business and 2) it might be cheaper to go out of business than to pay.
-
@RojoLoco said:
Paying is terrible advice in nearly every case. I spoke with the local Spice Corps leader last month about this very topic... his stance was that in 3 different cases where a company had paid the ransom, the number of highly targeted spearphishing attacks went through the roof because that company is now marked with a big, red bullseye that says "WE ARE SUCKERS< WE CLICK EVERYTHING AND WE PAY THE RANSOM!"
Paying the ransom makes you a repeat target.... lists of companies that pay are probably easy to find on the dark webz...
Not to mention the fact that paying helps the proliferation of cryptoware.
Being hit and not having backups makes you a target too, I'm sure.
-
@DustinB3403 said:
Going out of business isn't an option for a business, since businesses do what they must to make money.
Going out of business is always an option. A very, very real one.
-
@scottalanmiller that's the point though.
Paying the ransom is definitely going to hurt, but not paying could put you out of business which would hurt more.
You'd literally lose your form of income.
Depending on the business size you could say "10M is the cost of business because our pencil-heads figured it's cheaper to risk it"
-
@DustinB3403 said:
@scottalanmiller that's the point though.
Paying the ransom is definitely going to hurt, but not paying could put you out of business which would hurt more.
Nope, the idea that going out of business would always hurt more is what is wrong. In many cases, going out of business is the far less painful options.
Many businesses just close all the time voluntarily. If going out of business was never an option, that would never happen.
-
@DustinB3403 said:
You'd literally lose your form of income.
That's less painful than going into more debt than your income could cover!
This "business at any cost" mentality is the same one that causes people to go to college against all logic. "College at any cost", even more than the value of the degree is what is going on today in America. In both cases, there is a number value to put on college or the ransom, you just have to determine what it is.
-
@scottalanmiller a profitable business never "wants" to go out of business.
That's like saying you want to cut off your left arm because you're tired of the occasional itch that it has.
-
@DustinB3403 said:
Depending on the business size you could say "10M is the cost of business because our pencil-heads figured it's cheaper to risk it"
Don't trivialize the people who understand the value of the business. Acting emotionally is what ransomware makers count on. Use math, not emotions, to determine the value of your business.
-
@DustinB3403 said:
@scottalanmiller a profitable business never "wants" to go out of business.
That's like saying you want to cut off your left arm because you're tired of the occasional itch that it has.
Sure they do, if the profit isn't enough to justify the investment of effort.
-
Let's take this to the personal level. Saying that giving up a business is never worth it is like saying that giving up a job is never worth it because "it makes money". Even that minimum wage job that sucks and costs you a fortune to commute to... it still makes "a little" money, so you can't give it up.
Of course you can. And by doing so maybe you will just enjoy your free time or maybe you will use your effort to do something more profitable.
All business comes at a cost of other opportunities.
-
Let's give an example....
UltraTech makes $100m per year in revenue. They get hit with ransomware. They are a publicly traded company. How much should they pay in ransom?
-
Of course I left out profit, the only number that really matters. Revenue means literally nothing. The profit might be $10K per year. $99,990,000 is what the operational costs are. Every year they fear that they are going to not make profit and might lose money. It is a huge risk for tiny profits.
Now they are being held for ransom. How much would you be willing to pay in ransom if you were the person who has to answer to the share holders?
-
Remember when a company goes out of business, yes the business ceases, but the people trying to make money off of it continue to exist. They can start a new company or just get normal jobs or they can retire. They have lots of options. Any business venture has to be more fun or more profitable or somehow more valuable than something else that they would be doing.
If you consider there to be unlimited value in paying ransomware, you would also see unlimited value in buying said business. But that's not how businesses are evaluated.
That's actually a good way to think of it.... if you had to buy the same business fresh, how much would an investor be willing to pay? You would never pay that same amount in ransomware because of the additional risks involved (they might not turn over your data, they might have sold it, you are now a target, etc.)
Because that is basically what is happening with ransomware - you are buying the business again.