Attacked by Ransomware, Many Companies Opt to Pay Up
The demanded ransom is often a moderate amount that would pale in comparison to the recovery and reputational costs for a company that refuses to pay.
Friday, February 14, 2020
By William C. Mayville, Jr., Aileen Alexander, Craig Stephenson, and Jamey Cummings, Korn Ferry for CFO.com
It’s like the plot of a James Bond movie: Hackers take control of a global organization’s computer systems and threaten to destroy its records, steal its intellectual property, and drain its bank accounts unless a hefty ransom is deposited into an untraceable offshore bank account by the end of the day.
Except instead of Agent 007 suavely tracking down the anonymous would-be thieves and saving the organization from ruin, its leaders give in — and pay the ransom.
To a little-noticed but alarming degree, so-called “ransomware” attacks on governments, businesses, and other entities jumped last year. In all, they rose 41% from 2018 to 2019 to more than 205,000 globally, according to newly published data.
Every organization is vulnerable, regardless of size, geography, or industry. Although not all firms pay, the security firm Coveware estimates the average payout for those that did was about $85,000 during last year’s fourth quarter, and more than $190,000 in December.
Organizations have more to lose financially from the inability to conduct business than they do from just paying the ransom. Hackers know they can make a quick buck with ransomware.
Ransomware is essentially a way to monetize a security breach. Unlike the cybersecurity breaches at Equifax, Capital One, Marriott, or others that have made headlines in recent years, in a ransomware attack the data isn’t released, leaked, or sold. On the contrary, in most cases, data and infrastructure aren’t compromised at all; their owner just can’t access them.
While there is certainly the threat of disclosing or publishing the hacked data, more often than not the information is released back to the owner once the ransom is paid.
While the idea of paying never makes a company happy, the sums still represent a relatively inexpensive way of getting valuable data back uncompromised. While it seems unorthodox to pay the “attackers,” the ransom is likely a significantly smaller amount than what it may cost to address a threatening public issue or the time and money necessary to rebuild the confidence in a brand or company.
In fact, time — or the lack of it — is one of the key levers hackers use to their advantage in a ransomware attack. Hospitals, for instance, are frequent targets of these kinds of attacks, in part because people’s lives are on the line so they have to make quick decisions. Hackers go after those they believe are the most vulnerable.
Experts suspect that the actual number of ransomware attacks is much higher than the reported number, citing reasons that include fear of job loss, investor withdrawal, and reputational damage.
Moreover, while public companies are required to report cyberattacks to regulators, private organizations are under no such mandate. Reporting attacks to law enforcement often leads to lengthy investigations that, although necessary, may not always produce the desired outcomes or results.
Of course, there’s no guarantee that once a hacker is paid they won’t simply raise the ransom fee or keep hacking the organization. After all, if a ransomware attack worked on a company once, it will likely work again. A hacker can keep repeating a ransomware attack until the security flaw is fixed or they are caught or reported.
Organizations can undertake a few basic defensive actions to mitigate the impact of a ransomware attack. Frequently backing up data and storing it on different networks is one way, for example.
Other ways include reducing the number of outside apps the system uses, fixing software vulnerabilities immediately, and properly training and educating employees on what to look for and whom to alert if something appears suspicious.