Ransomware: Victims who refuse to pay the ransom may end up paying much more

The Baltimore public school system paid more than $8.1 million following the ransomware attack it suffered in November 2020. This is further proof that ignoring the ransom demanded by cybercriminals is also expensive, or even more expensive, than paying it.

Ransomware prices are skyrocketing, and whatever decision the victim makes, they will have to pay. While the ever-increasing ransom amounts paid by victims regularly leak, the sums spent by victims who refuse to negotiate with the extortionists remain much vaguer.

This is why the example of the public school system in Baltimore, United States, is so interesting. The Register noticed that on June 16 the district reported on the expenses generated by the ransomware attack it suffered in late November 2020. At the time, all classes were still online because of Covid. As a result, more than 115,000 children were without school for a week while the district urgently restored its systems.

Paying cybercriminals can cost less than not paying them. // Source: La Rançon (1996)

The school district apparently refused to pay the ransom. Seven months later, it estimates the cost of the aftermath of the attack at more than $8.1 million, according to a document relayed by Fox News reporter Amy Simpson.

In detail, the victim spent $2 million on the immediate response to the incident. These costs cover the investigation into the origin of the attack, negotiation with the cybercriminals, the purchase of cybersecurity software, and crisis communication. The school district notes that these expenses will be “surely covered by insurance”.

On the other hand, the $5 million allocated to “wider restoration costs” will not be covered. This item includes several services related to restoring various tools, including $2 million for restoring the enterprise resource planning (ERP) software. This software contains tools for human resources management and for accounting and financial management.

Two choices: pay or pay

When a business finds out that its computer system has been affected by ransomware, it has two options:

Pay cybercriminals

Option number 1: pay the ransom demanded by the thugs so that they repair the damage they have just caused. The amount ranges from a few hundred thousand dollars to several tens of millions of dollars, and it can be negotiated.

In theory, this solution is almost unanimously discouraged by authorities and experts, since it means trusting cybercriminals. Some provide a data decryption tool that does not work properly; others attack the victim again a few months later. Above all, paying the ransom amounts to paying the hackers and indirectly financing their future attacks. And that’s not all: even if all goes well, the company will still have to pay for services to verify and strengthen its network.

In practice, most research agrees that more than 50% of victims pay. They hope that their systems will restart as soon as possible, in order to limit the cost of the production slowdown. They also want to keep the attack from attracting attention, which could damage their reputation and therefore their order book. For example, the two most publicized attacks of recent times, those suffered by Colonial Pipeline and by JBS, resulted in payments of $5 million and $11 million. The companies were thus able to resume their activity just a few days after the attack began.

Pay for System Restore

Option number 2: restore your network from backups. For starters, not all victims have this option, as some ransomware manages to infect backups. In addition, cybercriminals use a whole host of additional threats, from blackmail to data breaches to harassment campaigns, on top of the ransomware itself. If, despite this pressure, the company still chooses not to pay, it will have to pull out the checkbook anyway, as the Baltimore public school system did. Depending on the system architecture and the quality of the backup system, the restore process can take from several days to several months.

While Baltimore schools estimate the cost of remedying the incident at more than $8 million, they do not count the cost of the business interruption caused by the attack, which can send the bill soaring. For example, the French digital services company (ESN) Sopra Steria, which suffered an attack in October 2021, included the cost of the shutdown in its estimate. The result: it would have lost between 40 and 50 million dollars in the attack.

The amount of these bills is part of the reason why so many victims give in to the pressure of cybercriminals, even though they are aware that paying the ransom is not the most ethical solution. To complicate the equation, the role of insurers is regularly discussed; some cover the ransom payment, but do not cover the full restoration costs.
