
Ransomware: Ransom demands — and payments — continue to grow
As you’ve likely read in this spot and others many times, ransomware continues to be the top cyberthreat affecting organizations of all kinds, all around the world. And the amounts of money being demanded by ransomware gangs have been swelling dramatically. In one recent, eye-popping case, the demand was for two BILLION dollars.
Despite the fact that security agencies and firms universally recommend that ransomware victims not pay the ransom, many organizations do pay, although in some cases they are able to negotiate a lower sum than originally demanded.
Here are just a few of the biggest ransom demands and payouts of 2021 and 2022:
- Acer Computer was hit with a ransomware attack by REvil, who demanded a $50 million ransom. Acer offered to pay $10 million, but REvil rejected the offer.
- DarkSide attacked the large chemical distribution company Brenntag and demanded a $7.5 million ransom. Brenntag offered to pay $4.4 million, which was accepted.
- Ireland’s Health Services, attacked by Conti ransomware, refused to pay the $20 million ransom that was demanded.
- JBS Foods paid $11 million to REvil after receiving a demand for $22.5 million.
- Insurance giant CNA paid Evil Corp $40 million of the $60 million ransom demanded of them and were able to fully restore all affected systems.
- Schreiber Foods faced a demand for $2.5 million after an attack that closed multiple plants. They have not disclosed whether or not they paid.
- Colonial Pipeline paid nearly all of the $5 million ransom demanded by the DarkSide gang one day after the attack.
- Delaware County officials paid a $25,000 deductible to their cyber-insurers, who then paid an undisclosed ransom amount to the DoppelPaymer ransomware gang.
- British trash collection firm Amey PLC has not disclosed how they responded to a breathtaking ransom demand of $2 billion.
Why not pay?
As you can see from just this short list, it’s not unusual for organizations to pay at least part of the ransom demanded by criminal ransomware gangs. And yet, as mentioned above, security and law enforcement organizations are unanimous in advising against paying anything to these crooks.
Why? First of all, there is no guarantee that the criminals will hold up their end of the deal and unlock or decrypt your affected data. Furthermore, even if they do choose to release your data, once you’ve paid, you’re known as an organization that pays ransoms. This is sure to attract further attacks, both from the original gang and from others who learn about your willingness to pay.
The bottom line is that a successful ransomware attack is going to cost you, one way or the other. And it’s better in the long run to bite the bullet and do what it takes to recover rather than to perpetuate the profitability of engaging in ransomware crime. If no one paid, the attacks would stop.
So why do organizations pay ransoms?
Every situation is unique, but there are a few common reasons why organizations hit by ransomware choose to pay the ransom:
- Lack of planning — Organizations that have undertaken comprehensive planning for how to respond to an attack are extremely unlikely to pay a ransom. They follow their plan instead. But if you don’t have a plan, the sudden realization that you’ve been hit with ransomware comes as a big shock. You might feel panicked and think that you have no choice but to pay up, fast, since that looks like the best way to make the problem go away.
- Overreliance on cyber insurance — Some organizations buy cyber insurance and subsequently believe that they have nothing more to worry about because their insurers will pay the ransom for them. But insurance isn’t free. After an incident you still pay your deductible, and your premiums are very likely to rise. Or your coverage might be discontinued. Or, in the worst case, insurers will investigate the incident, conclude that your security infrastructure did not comply with their requirements, and refuse to pay out.
- Inadequate backup — There is one very simple way to ensure you’ll never have to pay a ransomware demand: by using a high-quality data backup solution. To be honest, I shake my head in disbelief whenever I hear about a local government or a big corporation being forced either to pay a ransom or to undertake a long, difficult, costly recovery effort. All it takes to avoid that situation is a good, modern backup solution.
How to never pay
As I just mentioned, the best way to ensure that ransomware is at worst a minor inconvenience is with an advanced backup solution. Need I add that I strongly recommend Barracuda Backup and Barracuda Cloud-to-Cloud Backup? Perhaps not, but it’s important to understand why older backup solutions may not be adequate.
Ransomware crooks know that backup is their Achilles’ heel, so they’ve designed ransomware that starts off by seeking out your backup and encrypting or destroying those files. So, a good modern backup solution has to be able to effectively conceal itself and its data from that kind of malware.
In addition, it has to enable fast, granular recovery. If you administer a tape-based backup system, I think you’ll agree that the prospect of having to find and recover several servers’ worth of encrypted data makes you want to call in sick for a couple of weeks. It’s a task that will take up all your team’s time for quite a while, and it will be dreary and frustrating. Whereas, with a modern solution like Barracuda’s, the process is easy and fast, letting you get back to normal operations within a day or two at most — or in some cases within a couple of hours.
Prevention
Of course, it’s even better to never suffer a ransomware attack in the first place. And while there’s no magic bullet to get 100% prevention, there are well-established best practices to minimize your risk:
- A comprehensive, modern email protection platform such as Barracuda Email Protection combines advanced user training with AI-powered detection of internal and external phishing attempts, which are responsible for initiating the majority of ransomware attacks. Spot phishing attempts and delete them promptly from everyone’s inbox, and you’ll eliminate a lot of ransomware risk.
- Because ransomware attacks are increasingly being initiated by application-layer attacks, a good Web Application and API Protection (WAAP) solution has become an important part of your anti-ransomware infrastructure. I recommend you have a look at the incredibly strong, reliable, and multi-capable Barracuda Application Protection platform. It combines capabilities to defeat API attacks, advanced bots, client-side threats, DDoS attacks, and much more.
- Zero Trust Access controls set a new standard for security in today’s climate where traditional network access credentials are increasingly exposed to theft and are bought and sold in bulk by threat actors. Barracuda Zero Trust Access is available as a standalone solution or as part of Barracuda SecureEdge.
The ultimate takeaway here is that ransomware criminals are getting bolder and demanding ever-higher ransom payments — and that this will continue as long as people and organizations keep paying. So don’t pay.
The best way not to pay is not to get hit by ransomware, or failing that, to ensure your backup is ready for the worst. So, get yourself protected, implement a strong backup solution, and make and rehearse a plan for how you’ll react when and if a ransomware attack gets in.