Paying ransomware gangs could fund up to ten additional attacks
The research from Trend Micro highlights the potential domino effect of paying ransoms
Ransomware victims that cave to extortion demands inadvertently fund anywhere between six and 10 new attacks, according to research from Trend Micro.
Analysis of ransomware attack methods and the tactics employed by cyber criminal gangs over the last year found that businesses that choose to pay ransoms end up providing vital finances for threat actors, enabling them to continue targeting organisations.
While Trend Micro’s research found that these businesses only constitute 10% of victims, the broader impact is felt acutely by other firms.
“This is an ethical decision to make for victimised organisations at the board level when considering whether to pay a ransom,” the report stated.
“By paying the ransom, a victim would be directly financing the ransomware group and enabling it to impose the same damage on other organisations.”
Additionally, the research found that those who pay ransoms end up paying more on average because businesses commonly refuse to negotiate, forcing gangs to increase demands to maintain profitability.
“Those who pay – and these are usually larger companies that can afford – are demonstrating a willingness to pay, and the ransomware threat actors are demonstrating willingness to accept,” the report noted.
“This will drive a natural tendency toward higher payments if these ransomware groups are to remain profitable. Thus, in today’s world, it is safe to assume that those who do pay are paying over the odds.”
Pay the price, then pay again
Trend Micro said there is also “increasing evidence” to suggest that paying ransoms only increases the overall cost of an incident, rather than reducing it.
Paying might result in an organisation regaining control of its data, but follow-up costs due to business disruption and customer hesitancy can place significant strain on finances.
“The business interruption costs during that period of restoration still take place, even after the victim has paid the ransom,” the report stated.
“The share price reduction will also still take place, just as the public relations costs, credit monitoring costs, and incident response costs will all still need to be paid. Ultimately, victims could still be liable under various jurisdictions for the effects of a data breach. All of these contribute to a world where paying the ransom only increases the cost of the incident.”
Ransom payment conundrum
In recent years, businesses have been advised not to engage with cyber criminal outfits or pay ransoms in the event of compromise.
Guidance issued by the National Cyber Security Centre (NCSC) states that “law enforcement does not encourage, endorse, nor condone the payment of ransom demands”.
The NCSC says that there is “no guarantee” that an organisation will successfully regain access to stolen data and that engaging with groups directly funds criminal activity.
Its long-held stance was evidenced in the recent attack on Royal Mail International, which led to the LockBit ransomware group publishing the entire negotiation transcript.
The NCSC is believed to have played a role in the negotiations, confirming it was involved in the investigation of the incident from the outset.
Research has also shown that businesses that pay demands are more likely to be targeted in future.
In July last year, the UK's cyber authority warned businesses to avoid paying ransoms in a joint statement with the Information Commissioner’s Office (ICO).
The joint letter, addressed to the Law Society, asked the organisation to “remind its members” of their advice on ransomware payments.
The call-to-action followed analysis from both the ICO and NCSC which found that there had been an increase in ransomware payments.
“In some cases solicitors may have been advising clients to pay, in the belief that it will keep data safe or lead to a lower penalty from the ICO,” the NCSC said in a statement at the time.
In the United States, businesses are urged to follow similar guidance on negotiating with cyber criminals. The FBI and Department of Homeland Security strongly advise against paying ransoms.
Nonetheless, this has not deterred businesses. Earlier this month, UK software company ION Trading reportedly paid a ransom to recover seized files after it was successfully breached by the LockBit ransomware gang.

Ross Kelly is ITPro's News & Analysis Editor, responsible for leading the brand's news output and in-depth reporting on the latest stories from across the business technology landscape. Ross was previously a Staff Writer, during which time he developed a keen interest in cyber security, business leadership, and emerging technologies.
He graduated from Edinburgh Napier University in 2016 with a BA (Hons) in Journalism, and joined ITPro in 2022 after four years working in technology conference research.
For news pitches, you can contact Ross at ross.kelly@futurenet.com, or on Twitter and LinkedIn.