
Gartner analysts debate ransomware payments

During Gartner's IT Symposium, analysts discussed the complex factors companies face when deciding whether or not to give into ransom demands.

Getting hit with ransomware may be inevitable, according to Gartner analysts, but whether to give into the extortion demands is a decision.

During the 2021 Gartner IT Symposium on Tuesday, Gartner analysts Paul Proctor and Sam Olyaei discussed the gravity of the ransomware landscape in a session titled 'Crossroads: Should You Pay the Ransom?' While the analysts generally argued against making ransomware payments, they also recognized the many considerations enterprises face, including attack scope, ransom demand amounts, cyber insurance coverage and the state of backups.

Another component that makes the decision difficult is a disconnect between the security team and executives, the analysts said. However, the real pressure on organizations has come from ransomware's transition into a full-fledged business model.

Part of the new business model involves threat actors chasing companies relentlessly, said Proctor. Operators behind ransomware gangs are now acting as professionals, with customer service and negotiators.

According to Proctor, threat actors analyze everything about a company and base their demand on the amount of revenue the organization makes, or its annual budget. Most of the attackers, he said, even know what a company's cyber insurance policy looks like.

Proctor highlighted a recent example from Gartner where a threat actor had access to the policy and found out exactly how much the carrier would pay in the case of a ransom. Even cyber insurance companies themselves are not safe. In March, CNA Financial, one of the biggest U.S. insurers, suffered a ransomware attack; according to a Bloomberg report, the insurance company paid a whopping $40 million ransom.

As companies grow more vulnerable to ransomware attacks, Proctor suggested changing from worrying about threats to worrying about readiness.

"Most importantly, when it comes to ransomware, how are you going to respond?" Proctor said during the session. "You need to start looking at this cyber attack more like an inevitability."

Olyaei agreed that ransomware is not a potential risk but a threat, and one that companies do not control. "You're going to get hit with it. The question is: What's the business impact?" Olyaei said during the session.

While the majority of the session focused on factors to consider when hit by ransomware, the question of whether to pay was posed by author and event moderator Mark Jeffries. Jeffries mentioned a conversation he had with a former leader of the CIA who was in favor of paying ransoms. Proctor disagreed with that stance.

"I would largely say Gartner sits on the opposite side of that. It's illegal in many jurisdictions and there's new laws arising that make it illegal," Proctor said.

The debate over paying ransoms has caused much controversy as ransomware attacks have ramped up. Though the White House issued a strong stance against paying ransoms, many businesses have paid over the past year, including JBS USA, ExaGrid and Colonial Pipeline Company.

Still, barriers to deter paying have been made, including recent sanctions that may jeopardize companies who facilitate ransomware payments. For example, last month the Office of Foreign Assets Control issued sanctions against Suex, a cryptocurrency exchange accused of laundering the illicit proceeds of cybercriminals, some of which derived from ransomware. Now, paying ransoms could lead to a violation of those sanctions.

In addition to new laws, Proctor argued that people who pay often get hacked again. According to Gartner data, 80% of such organizations suffer another ransomware attack.

"Basically, by paying you're inviting them to come back in. For people that have made a decision, 'Oh, I'll get cyber insurance and that'll pay for it,' or set aside some money that will pay the ransom and then we can get on with running a business. This is not how this works," Proctor said. "You are going to have to pay the piper."

While Proctor recognized the repercussions of paying, there is one instance where he would recommend giving into demands: if a company "absolutely cannot bring the data back."

"If you don't have backups and you don't want to just build all your data from scratch, starting on day one, you're going to have to pay. You don't have a choice," Proctor said.

Olyaei, on the other hand, did not take a clear position for either side of the debate. Instead, he addressed what paying or not paying could mean for an organization. "We're not recommending or suggesting in any part of this conversation whether an organization should pay," Olyaei said.

As for the data backup argument, Olyaei said Gartner has research that shows people who pay only receive up to 8% of their data back. To make matters worse, he said some of the more recent ransomware variants stay in a system for months, to the point where they've encrypted backups.

"You're never going to be able to recover up to 100% of your data again," he said.

Impact of ransomware extends beyond encryption

The impact from most cybersecurity attacks, Olyaei said, comes from companies' failure to respond, whether from a technical and public relations perspective or from a customer and reputational standpoint. However, the fallout from attacks, particularly on critical infrastructure, can pose different problems regardless of the response.

According to Proctor, it was the gas panic on the East Coast that damaged the U.S. Colonial Pipeline more than its response to the ransomware attack, which included paying a $4.4 million demand.

One aspect both analysts agreed on was the disconnect between executives and their understanding of security incidents, which Proctor has observed over the last 35 years. "We've literally treated security like magic and security people like wizards. And that means we give the wizards some money and they cast some spells and that protects the organization. And then, if something goes wrong, we just blame the wizards," Proctor said. "Well, that's led to some really bad investment decisions."

That disconnect extends to levels of preparedness. A Gartner statistic shows that 80% of security leaders believe they're ready to respond to a ransomware attack, while the number from executives was 13%. "We know there's a cultural disconnect," Olyaei said.

Another factor both analysts agreed on was that ransomware attacks are preventable but security protocols like basic hygiene are lacking.

"We're essentially leaving our doors open, our doors wide open, our windows open. We don't brush our teeth; we don't go to sleep at a proper time at night. Those are the basic reasons why we get hit with ransomware," Olyaei said.

Olyaei quoted the number of preventable attacks at 90%, and Proctor said investment in proper cybersecurity controls can prevent even having to make the decision on whether to pay.

"If you're facing this decision, you've already lost," Proctor said.
