The next big piece in understanding the costs of incident response can sometimes be the most controversial: ransom payments. Do you pay or not pay? Is the ransom demand proportionate to the severity of the recovery or the data that’s compromised? Will paying really make recovery any easier? Attackers have become increasingly sophisticated, targeting backups and wiping them clean, leaving organizations with limited options.
Adding to the difficulty answering these questions is the fact that ransom demands have risen significantly over the past couple of years – ransoms that were $50k jumped to $500k and we often see ransoms going into the millions, making this one of the costs that can be the most difficult to plan for.
So, what happens after a victim decides they are willing to pay the ransom? The first step is to engage professional investigators and negotiators. These experts, dedicated full-time to such negotiations, possess invaluable knowledge and a wealth of data to maximize positive outcomes. They employ a structured framework and strategic approach, leveraging personas and understanding different attacker groups to minimize the ransom amount.
Another crucial action these negotiators take is establishing real “proof of life.” It is essential to verify that the attacker can indeed decrypt your data after payment. After all, paying a ransom without assurance of decrypting your systems and recovering your data is a nightmare scenario. Negotiators also strive to minimize the initial demand, especially when facing more sophisticated groups that may demand a significant percentage of your annual revenue. By leveraging their expertise, negotiators can often achieve substantial reductions in the ransom amount.
It's also worth noting that some ransomware actors actively target specific information within their victim's environment to support their initial ransom demand. Attackers are not oblivious; they are adept at maximizing their profits. This underscores the importance of having seasoned professionals lead these negotiations to helpguide the conversation and find the best strategy to minimize the ransom amount.
While paying the ransom may be the only way forward in some cases, we want to dispel the misconception that paying it is like hitting the “easy” button and quickly solves the problem. You may get a decryptor, but there’s no guarantee that it’s going to work well. Keep in mind, a decryptor is software written by criminals who don’t have your best interests in mind – it’s not going to be fast; it’s going to be buggy and there’s no support or documentation. There’s still going to be significant effort and costs put into recovery, which will be the topic of our next post.
<< Previous Post Next Post: Recovery Costs >>
Need help now? Contact us at ask@moxfive.com or on our website and talk to one of our technical advisors.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.
Learn More
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.
