Ransomware: To Pay or Not to Pay?

Aug 22
Milan Patel, Chief Client Officer, BlueVoyant, and Nayan Patel, Vice President, Strategic Alliances, Fiserv

Ransomware attacks continue to be a serious threat to financial institutions.

Cybercriminals have used ransomware to facilitate a commoditized business model by targeting all sizes of banks and credit unions, especially those that may lack the resources to adequately protect themselves.

While criminals may now make less per incident, they make up for it in volume. For instance, AV-TEST, an IT-security institute, estimated there were almost 137.5 million new malware samples in 2018.

Additional proof of commoditization is the growth of ransomware-as-a-service (RaaS), which is delivered under an affiliate-like business model. Cybercriminals rent out their ransomware on the dark web, and the money generated from a successful incident is split between the ransomware authors and the affiliated criminals.

With 1 million new malware variants introduced each day and a large network of affiliated attackers poised for rapid distribution, it's no longer a matter of if financial institutions will be targeted; it's a matter of when.

It's a lucrative business. The criminals behind GandCrab ransomware, which encrypts important files and asks for a ransom to decrypt them, claim to have generated more than $2 billion in ransom payments in 18 months.

In response, organizations should proactively evaluate the effect ransomware can have on their businesses, assess their preparedness and predetermine their course of action – pay, don't pay or defend.

Pay or Don't Pay?

A recent study by Coveware found the average ransomware payment is now $6,733.

But there's a more important statistic in the Coveware report to consider when deciding whether to pay: the average ransomware incident results in 6.2 days of downtime.

The costs associated with that downtime can include:

  • Lost customer capture and retention when business systems are unavailable
  • Idle time when employees can't access the data and systems they need to do their jobs
  • Costs associated with damages or contractual violations, such as those tied to service level agreements
  • Outlays for rebuilding and remarketing corporate reputation

When it happens to you, what will you do? The best alternative to the pay-or-don't-pay dilemma is to have a business continuity plan in place and to proactively defend your financial institution against ransomware attacks.