Adopting a “No Ransom” Policy – The Question Is Not If, But How Often Your Company Will Be Targeted

November 1, 2023

Ransomware attacks have surged in recent years, targeting businesses, government institutions, healthcare facilities, and even individuals, often with devastating consequences. These attacks not only disrupt operations but also pose significant financial, reputational, and legal risks for victims. As organizations grapple with the ever-evolving landscape of cybercrime, understanding the nature of ransomware attacks, their impact, and effective countermeasures becomes paramount. In 2023, the question is no longer whether your organization will be the target of a cyberattack, but how often. This article explores the “Do Not Pay” or “No Ransom” policy, an approach that encourages organizations to focus on preventive measures, incident response, and recovery strategies.

Ransomware Payment Does Not Ensure Data Recovery

One in seven companies will see almost all (>80%) of their data affected as a result of a ransomware attack, indicating a significant shortfall in protecting it, according to Veeam’s Ransomware Trends Report 2023. Attackers almost always target (93%+) data backup storage media during cyberattacks and manage to weaken their victims’ ability to recover data in 75% of these events, specialists believe.

The report also shows that 80% of the organizations surveyed paid ransom demands to stop an attack and recover data. This was despite the fact that 41% of organizations have a “Do Not Pay” policy regarding ransomware. However, while 59% paid the ransom and were able to recover their data, 21% paid without getting their data back from cybercriminals. In addition, only 16% of organizations avoided paying the ransom after they were able to recover data from the backup. Unfortunately, this percentage of organizations able to recover data on their own without paying ransom is down from 19% in the previous year’s report.

What Is “Do Not Pay” or “No Ransom” Policy

The “Do Not Pay” policy, also known as the “No Ransom” policy, is an approach that discourages or prohibits organizations from paying ransoms to cybercriminals in the event of a cyberattack, particularly ransomware attacks. It is an alternative strategy aimed at reducing incentives for cybercriminals and mitigating the overall impact of ransomware attacks.

The rationale behind the “Do Not Pay” policy is based on several factors:

No guarantee of decryption

There is no guarantee that paying the ransom will result in the successful recovery of encrypted data. Cybercriminals may not provide the decryption key or may provide a faulty decryption tool, leaving organizations at a loss even after paying.

Financing criminal activities

Paying ransoms fuels the profitability of cybercriminal operations, enabling them to invest in more sophisticated attacks and infrastructure. It perpetuates a cycle of criminality and encourages the further targeting of organizations.

Supporting illicit activities

Ransom payments often end up funding various illicit activities, including terrorism, drug trafficking, human trafficking, and other criminal activities. By refusing to pay ransoms, organizations can avoid inadvertently supporting such activities.

Compliance and legal implications

Depending on the industry and jurisdiction, paying ransoms may violate legal and regulatory obligations, including anti-money laundering (AML) and know-your-customer (KYC) regulations. Organizations could face legal consequences or regulatory scrutiny for making ransom payments. Although paying ransoms isn’t illegal in the U.S., the Federal Bureau of Investigation (FBI) does not support paying ransoms for a ransomware attack. The FBI also doesn’t support a proposed ransom payment ban, arguing that the solution could lead to more potential for extortion.

What to Do If Your Business Is Under Attack

The “No Ransom” policy encourages organizations to focus on preventive measures, incident response, and recovery strategies. This includes maintaining robust backup systems, implementing strong cybersecurity measures, educating employees about best security practices, conducting regular vulnerability assessments, and having incident response plans in place. In cases where data is compromised and backups are not available or reliable, organizations can explore other options, like working with cybersecurity professionals to attempt decryption, leveraging publicly available decryption tools, or seeking assistance from law enforcement agencies. In the event of a ransomware attack, companies have several options to consider. Here are some common steps and strategies they can resort to:

Isolate and contain the infection

As soon as a ransomware attack is detected, it is crucial to isolate the affected systems from the network to prevent further spread. Disconnecting affected machines from the network can help contain the damage and protect other systems.

Assess the situation

Evaluate the extent of the attack, identify the type of ransomware involved, and determine the affected systems or data. This assessment will help guide subsequent actions.

Report the incident

Notify the appropriate internal stakeholders, such as IT teams, management, and legal departments, about the attack. Depending on the nature of the attack and applicable regulations, it may also be necessary to report the incident to law enforcement agencies and data protection authorities.

Engage with IT and cybersecurity experts

Work with experienced cybersecurity professionals to analyze the attack, identify vulnerabilities, and assist with remediation efforts. They can guide containment, recovery, and prevention of future incidents.

Restore data from backups

If regular data backups were maintained and were not compromised during the attack, restoring data from secure and unaffected backups may be an option. This allows the company to recover its systems and data without paying the ransom.

Enhance security measures

Strengthen the company’s security posture by implementing additional security measures, such as network segmentation, multifactor authentication, encryption, regular patching, employee training, and incident response plans. Taking proactive steps to improve cybersecurity can help prevent future attacks.

Learn from the incident

Conduct a thorough post-incident analysis to understand how the attack occurred, identify areas for improvement, and update security protocols accordingly. This analysis can help prevent similar incidents in the future.

Conclusion

Implementing a “Do Not Pay” policy requires careful consideration and planning. Organizations should talk to legal counsel and cybersecurity experts to assess the potential risks and implications associated with this approach and develop comprehensive incident response strategies accordingly.

Subscribe to our weekly news digest.

Join now and become a part of our fast-growing community.

Invalid Email Address
Thanks for Subscribing!
We'll be sending you our best soon!
Something went wrong, please try again later