Is Paying Ransom in a Ransomware Attack the Right Approach? Correct Response and Prevention Strategies

Amid escalating cyberattacks both domestically and internationally, ransomware attacks are causing significant damage, especially to businesses. Ransomware not only causes direct financial losses but also disrupts operations and damages brand reputation, making it one of the most critical attack methods to defend against.
It is often said that recovery is possible by paying the ransom in a ransomware attack, but how effective is this solution?
This article discusses what happens when you pay the ransom in a ransomware attack and explains the correct response and prevention strategies.
Table of Contents
- Ransomware Attack Overview
- What Happens When You Pay the Ransom in a Ransomware Attack?
- High Likelihood of Being Attacked Again Even After Paying the Ransom
- What to Do When Faced with a Ransomware Attack
- Ransomware Infection Routes
- Email
- Remote Desktop
- VPN Devices
- Prevention Strategies to Avoid Ransomware Damage
- Summary
1. Ransomware Attack Overview
A ransomware attack is a method where attackers infect a target with malware that renders the system unusable or the data inaccessible. The name ransomware became popular because the attackers then extort the target with a message along the lines of “Pay money to restore the system to its normal state.”
Depending on the sophistication of the attack and the security posture of the targeted company, recovering from a ransomware attack on your own can be extremely difficult. Some organizations therefore give up on self-recovery and try to resolve the incident smoothly and quickly by paying the ransom.
2. What Happens When You Pay the Ransom in a Ransomware Attack?
Since the purpose of most ransomware attacks is the ransom itself, once payment is confirmed the attackers often release the decryption key and the system returns to its normal state.
Unfortunately, however, even after the ransom is paid, lingering data and system damage is observed in many cases, and the reality is that only about 8% of all victims recover completely to their pre-attack state.
Reference: https://atmarkit.itmedia.co.jp/ait/articles/2112/10/news012.html
In addition, paying the ransom funds the attacker’s criminal activity, so it is not recommended as a ransomware response. It may look like a quick solution at first glance, but countermeasures should fundamentally be planned in a direction that does not involve paying the ransom.
3. High Likelihood of Being Attacked Again Even After Paying the Ransom
Survey results also show that once you pay the ransom in a ransomware attack, the likelihood of being attacked again is extremely high.
Cybereason, a major US security company, published a survey finding that 80% of companies that suffered a ransomware attack and paid the ransom were attacked again. In many cases the attackers were the same as the first time, so unless fundamental countermeasures are implemented, the ransomware damage will continue.
Reference: https://www.nikkei.com/article/DGXZQOUC105OG0Q2A610C2000000/
In addition, the amount demanded in the second attack is often higher than in the first, so financial damage tends to grow with each successive attack.
As these survey results show, it is necessary to prepare responses to ransomware attacks other than paying the ransom, and to prepare them in advance.
4. What to Do When Faced with a Ransomware Attack
When faced with a ransomware attack, start by understanding the extent of the damage. Collect damage reports from within the organization, check for system malfunctions, and determine which parts of the environment the attack is affecting.
Next, assess the damage, identify the cause, and decide what to do. If you know the intrusion route, cut it off and segregate the surrounding systems that have not yet been affected so that the damage cannot spread further. Isolate the affected systems and thoroughly eliminate the threat using security software. If an alternative system is available, switch over to it; continuing operations as far as possible keeps losses to a minimum.
In addition, when a ransomware attack is confirmed, it is important to contact the police’s cybercrime countermeasures department immediately. Reporting as soon as the damage is discovered ensures that you receive the necessary guidance.
In any case, if you only start thinking about your response after ransomware has struck, a complete recovery is almost impossible to expect. Companies need to implement security measures thoroughly in advance and make efforts to avoid becoming a target in the first place.
5. Ransomware Infection Routes
There are multiple ransomware infection routes, so understanding how an infection progresses is essential when planning countermeasures. The main infection routes are explained below.
5-1. Email
The classic ransomware infection route is malware delivered by email. Attackers send messages disguised as coming from business partners or internal staff to trick the recipient into installing malware.
In recent years these emails have become convincing enough that a casual reading of the message will not reveal them, and an increasing number of companies are doing away with email communication altogether.
5-2. Remote Desktop
Remote desktop, which lets employees operate company PCs from outside the office, has come to play a much larger role with the spread of remote work, but at the same time it is exposed to the risk of cyberattack.
If a company ID and password leak to the outside, a third party can easily reach the internal system through the remote desktop function, infect it with malware, and cause ransomware damage.
5-3. VPN Devices
Ransomware damage via VPN devices has been increasing in recent years. VPN devices, which provide a private line into the company network, are considered safer than plain Internet access, but if the VPN device itself is attacked, countermeasures are difficult.
If authentication credentials leak to the outside, unauthorized access to the VPN follows, and the malware infection spreads within the company. Attacks are therefore hard to avoid unless you take care to strengthen the security of the VPN devices themselves.
6. Prevention Strategies to Avoid Ransomware Damage
To avoid such damage, it is important to put thorough preventive measures in place in advance rather than dealing with ransomware only after an attack.
For example, basic security software should be installed company-wide. VPN devices and other software should also be updated regularly so that security holes are not left open.
It is also effective to minimize email exchanges and rely mainly on in-house social networking and chat tools, building an environment in which suspicious emails are not opened. To limit the damage if an attack does occur, maintain an independent backup system and be prepared to carry out recovery and normal operations in parallel.
7. Summary
Once attacked by ransomware, it is difficult to eliminate the threat completely, and financial and business losses cannot be avoided. Even if you pay the ransom, you will not only fail to undo the damage but also face a very high likelihood of being attacked again, so it is necessary to build mechanisms that prevent attacks in advance.
We recommend that you review your company’s security status and consult experts to check whether any vulnerabilities exist and whether proper countermeasure manuals are in place, and to improve them where needed.
For further assistance, please contact globalsupport@jiran.com