To pay, or not to pay? When ransomware attacks

Ransomware attacks are on the rise. According to Verizon’s annual Data Breach Investigations report of April 2018, ransomware accounted for 39% of all malware infections. It also showed that attacks on individuals had dropped, but attacks on businesses had increased and, according to Dimension Data, ransomware attacks grew by 350% in 2017 as compared to 2016. The Telstra 2018 Security Report survey of Australian, Asian, European and UK businesses (Telstra Report) found that 31% of Australian respondents who reported their business had suffered a security breach said they experienced ransomware attacks on a weekly or monthly basis. Australian insurance companies have also seen an upward trend in notifications they receive under cyber security policies of ransomware and malware attacks.

So, when your organisation finds itself in the unfortunate position of being subject to a ransomware attack, will you pay to get your data back? Remember that a ransomware attack may also indicate there has been a notifiable data breach which also requires an assessment. The Australian Government, CERT Australia and law enforcement agencies around the world recommend that you do not pay ransom as doing so perpetuates further ransomware attacks and there is no guarantee that files will be recovered. Paying ransom also identifies an organisation as being one that is willing to pay ransom which could increase the risk that you will be targeted again. There is also no guarantee that the files will be returned (though this is a reputational issue for the hacker who wants to encourage organisations they have attacked to pay up because they believe their files will be released).

That said, many organisations do pay. Although there is no way of really knowing for sure how many companies pay ransom, according to the Telstra Report, 47% of Australian businesses that had suffered a ransomware attack paid the ransom, and of those, 86% got their files back.
As part of planning your organisation's response to cyber incident Response Plan, you should consider in advance what position your organisation will take when it comes to paying ransom. Some practical considerations are:

1. What data has been subjected to the attack? Is it only specific data files or devices that have been compromised or is it a whole of system attack?
2. What is the criticality of the data?
3. Is the data backed up? If it is, how long will it take to recover and what will it cost to restore your data?
4. What is the amount being demanded and in what currency are you being asked to pay (eg Bitcoin or a main currency)? What are the other likely financial costs of not paying the ransom?
5. What are the non-financial costs of paying or not? Does your organisation provide key services to the public that it is being prevented from providing?
6. Do you have cyber insurance and if so, does your policy cover you for ransom payments? If you have cyber insurance, are there any conditions placed on this?
7. What is your organisation's attitude to paying ransom? Will it refuse to pay on principle?
8. Is payment of the ransom legal? Do you know or suspect that the ransom payment is being made to a terrorist organisation or as part of money laundering operations? If so, you could be subject to criminal sanctions, for example under part 5.3 of the Criminal Code Act 1995 (Cth). Also, if your organisation provides ‘designated services’ within the meaning of the Anti-Money Laundering and Counter-Terrorism Financing Act 2006 (Cth) your organisation is required to report to AUSTRAC ‘suspicious transactions’ you encounter in the course of providing a designated service.

MinterEllison's cybersecurity and cyber insurance experts can assist you to navigate these considerations so that you can be prepared for a ransom attack.