To Pay or Not to Pay: Why Paying Ransomware Can Be The Best Option
A recent report shows that 83% of ransomware attack victims paid the ransom. The survey respondents - 192 US-based IT 'decision-makers' - did not make up a large participant pool, but the figure is high nonetheless. Even if more participants were surveyed and this percentage dropped by, say, 10%, the number would still be around the 75% mark; quite a sizeable total.
When it comes to the money being paid to hackers, we're not talking small amounts, either, with payouts regularly reaching well into the millions. Two of the biggest recent 'reported' payouts include GPS and fitness wearable giant Garmin, which purportedly paid a $10 million ransom following a cyber attack in July 2020, and CNA Financial, which is believed to have paid $40 million in March this year, after hackers initially demanded $60 million.
Other million-dollar ransoms in recent years that are known to have been paid include $2.3 million, by foreign currency exchange Travelex (January 2021), $4.4 million by the North American division of chemical distributor Brenntag (May 2021), and $4.5 million by US travel services company CWT (July 2020).
With cyber attacks, including ransomware, rising year after year, you'd think cyber insurers might balk at the constant payouts. However, this doesn't appear to be the case.
In fact, paying a ransom is often the cheaper alternative, as the US city of Baltimore found out when it suffered a ransomware attack in 2019. City officials refused to give in to hackers and pay a $76,000 ransom. The alternative - prolonged delays and outages - left the city with nearly $20 million in losses.
When another US city - Lake City, Florida - suffered a ransomware attack ($460,000 demanded), a city official said: "Our insurance company made the decision for us to pay. At the end of the day, it really boils down to a business decision on the insurance side of things: them looking at how much is it going to cost to fix it ourselves and how much is it going to cost to pay the ransom."
With each payout there are those who say that insurance companies are funding cyber crime and perpetuating the cycle of ransom attacks. However, when a victim weighs the alternatives - pay up and get it over and done with as quickly as possible, or negotiate and lose business and revenue, as well as data that may end up stolen and sold on the dark web - the choice is obvious. Not to mention the likelihood that dragging out proceedings will attract press coverage that damages the company's or organisation's reputation.
When one of the most publicised ransomware attacks of this year - the Colonial Pipeline attack - took place, the $5 million ransom was paid within hours.
The CEO of Colonial, Joseph Blount Jr, didn't consult with the FBI or any other federal agency when making his decision to pay: "I know how critical our pipeline is to the country and I put the interests of the country first ... considering the consequences of potentially not bringing the pipeline back on as quickly as I possibly could, I chose the option to make the ransom payment."
Speaking after the Colonial attack, Christian Mumenthaler, the CEO of one of the world's largest reinsurers, Swiss Re (Swiss Reinsurance Company), said that the private insurance market wasn't big enough to offer full cyber protection to vulnerable organisations:
"The cyber insurance market is currently worth around $5.5 billion in premium, as compared to gigantic yearly losses that extend into the hundreds of billions of dollars ... I would actually argue that overall the problem is so big it’s not insurable."