No sector or organization is immune to ransomware - malicious software that holds data files hostage while hackers demand payment to restore access. These attacks are on the rise. According to the FBI, an average of 4,000 ransomware incidents occur daily at an annual cost of $1 billion.

This is a far cry from the first known ransomware. In 1989, an evolutionary biologist called Joseph Popp distributed 20,000 floppy disks to fellow AIDS researchers that supposedly contained a software application capable of gauging a person's risk of contracting AIDS. Once activated, malware displayed a ransom note on computer screens demanding up to $378.

Today, ransom demands range from nominal amounts to millions of dollars, and they often come with a deadline that leaves victims with little time to evaluate their options.

Business systems owners have to decide between paying the ransom or recovering their systems on their own - and under time pressure, businesses are often tempted to pay the ransom. Often the amount demanded costs less than the remedy, which can run into millions of dollars.

Today’s ransomware seeks out connected devices and encrypts them, often including backups. Even if viable backups exist, restoring systems from backups is not always an easy option for organizations whose IT departments are understaffed and underfunded. There’s no prohibition, but security experts and the FBI advise never paying so-called ‘datanappers’, because often they do not restore access to data as promised.

It’s ultimately a business risk decision. So - how should your business respond?

To pay or not to pay: three things to consider

When deciding how to respond to a ransomware attack, organizations must consider three factors:

Is the cure going to cost more than the disease?
Is the cure going to cost more than the disease?
Image: PwC

1) Determine the feasibility of recovery. Victims must determine if they have a viable backup - that is, one recent enough to make recovery worthwhile. A general backup best practice is to use the ‘3-2-1 rule’: Maintain at least three copies of all data, storing two on different storage media, one of which should be offsite. Insidious ransomware may also encrypt or corrupt backups, which makes systems recovery even more arduous.

2) Determine the effort required to recover the data.

a) Data volume and location: Large volumes of data will take longer and require more effort to recover. Disparate locations can complicate recovery efforts, especially if the attacker is still lurking somewhere on the network.

b) Setting up business systems: Sometimes, a fresh image of the infected operating system must be loaded onto computers before data can be recovered. Setting up new systems will increase the recovery time.

c) Shifting to manual processes: Business users may need to use pen-and-paper processes during a lockdown, and will need to reconcile manual transactions once the systems are restored. For example, last year a hospital paid ransom after realizing that while recovery was feasible, the costs, amount of effort, downtime and reputational damage involved in doing so would be too high. While in lockdown, the hospital instituted manual pen and paper processes. From start to finish, the ordeal lasted four days.

d) Human resources: Technical personnel will need to help with recovery efforts. Shifting to manual processes may require additional resources. Recovery is a cross-functional effort, including lawyers and communication specialists who need to be in place for the duration of the event.

3) Determine the impact of recovery. What are the effects of lost services on the business’s customers and employees? These may include effort costs, lost revenue and reputational damage. If recovery efforts are prolonged, costs can skyrocket. This year, following a ransomware attack, the US city of Baltimore estimated its impact at more than $18 million - a much higher cost than the approximately $70,000 ransom, which the city refused to pay.

Even when indicators point to paying the ransom, an organization’s ethos plays a key role in deciding whether to pay. For an example, if the victim is a law enforcement organization, the choice can pose a real conundrum - as paying the ransom might send the wrong message to the public but not paying may impact first responders.

Paying the ransom: key considerations

A victim that has decided to pay the ransom should note these practical considerations:

Validate full recovery. Don’t send funds until you’ve received proof that the attacker has the keys and the sample decrypted data is authentic. And then validate that files are being safely recovered, encrypted files are being deleted, and information systems being brought back on line. Some victims have paid their ransom and then did not recover all their data. It’s also important to examine the decryption scripts to assess if the attacker hid additional malicious code in the key.

Ask law enforcement to help with a safe transfer of the ransom payment. Law enforcement can provide recommendations on brokers and best ways to safeguard the transaction. Involve law enforcement in investigations and payment tracking as it can give them insight into the criminal organization responsible for the attack.

Investigate whether the ransomware stole sensitive information. During the system lockdown, the ransomware may have exfiltrated sensitive information. The loss of the confidentiality and integrity of sensitive data has serious regulatory implications which can lead to costly fines under local and global data protection regulations.

Consider getting help from recovery intermediaries. These service providers possess the tools and technical expertise to recover your data. Involving law enforcement in this decision is prudent; it has been suggested recently that some recovery intermediaries have simply paid the ransom themselves.

Protecting against ransomware

Consider ransomware insurance. Assess if the organization’s cyber insurance covers ransomware attacks, including ransom payment, and inform the insurance company as soon as an attack occurs. Insurance providers may also involve law enforcement where appropriate.

Practicing good cyber hygiene is the best way to prevent an attack. Hackers are not necessarily sophisticated; those lacking expertise can hire ransomware-as-a-service for much less than the amount your organization must pay to protect its assets. The price tag on your data may be incalculable, however: data is the modern currency in the information age and the lifeblood of many organizations.

In truth, there is no one-size-fits-all procedure for dealing with a ransomware attack. There are as many situations and scenarios as there are organizations. Each will need to choose the right response for them - one that weighs costs, reputation and organizational ethos against giving into the hackers’ demands.

What is the World Economic Forum doing on cybersecurity

The World Economic Forum Platform for Shaping the Future of Cybersecurity and Digital Trust aims to spearhead global cooperation and collective responses to growing cyber challenges, ultimately to harness and safeguard the full benefits of the Fourth Industrial Revolution. The platform seeks to deliver impact through facilitating the creation of security-by-design and security-by-default solutions across industry sectors, developing policy frameworks where needed; encouraging broader cooperative arrangements and shaping global governance; building communities to successfully tackle cyber challenges across the public and private sectors; and impacting agenda setting, to elevate some of the most pressing issues.

Platform activities focus on three main challenges:

Strengthening Global Cooperation for Digital Trust and Security - to increase global cooperation between the public and private sectors in addressing key challenges to security and trust posed by a digital landscape currently lacking effective cooperation at legal and policy levels, effective market incentives, and cooperation between stakeholders at the operational level across the ecosystem.Securing Future Digital Networks and Technology - to identify cybersecurity challenges and opportunities posed by new technologies and accelerate solutions and incentives to ensure digital trust in the Fourth Industrial Revolution.Building Skills and Capabilities for the Digital Future - to coordinate and promote initiatives to address the global deficit in professional skills, effective leadership and adequate capabilities in the cyber domain.

The platform is working on a number of ongoing activities to meet these challenges. Current initiatives include our successful work with a range of public- and private-sector partners to develop a clear and coherent cybersecurity vision for the electricity industry in the form of Board Principles for managing cyber risk in the electricity ecosystem and a complete framework, created in collaboration with the Forum’s investment community, enabling investors to assess the security preparedness of target companies, contributing to raising internal cybersecurity awareness.

For more information, please contact info@c4c-weforum.org.

This content is for general information purposes only, and should not be used as a substitute for consultation with professional advisors.