As if the idea of a cyberattack wasn’t bad enough, many nefarious actors are now taking advantage of victims with a wave of double extortion sweeping the internet. So what is it, and why should you be worried?
The basics
Whether you fall foul of ransomware, phishing, credential stuffing, or a good old-fashioned hack, the ultimate aim is for your attacker to gain entry to your systems, and to use that entry for exploitative purposes. That could be selling your data to the highest bidder, using your data to extort your customers, or as is most commonly happening, using the threat of doing something to extort money out of you. Ultimately, any cyberattack brings with it the threat of financial extortion, which is why you should do everything in your power to prevent it, or find yourself faced with the decision to pay or not to pay.
Double extortion
The new ‘craze’ sweeping its way across these criminals is being dubbed ‘double extortion’. As the name suggests, it sees victims being extorted for money, not once, but twice. So how does it happen? Well, the simple fact is that criminals are no longer keeping their word. It possibly comes as a surprise that they ever kept their word in the first place, but now, as well as extorting money from businesses and individuals by threatening to release data, they are in fact still releasing the data even after being paid, and extorting further money to remove the data from sale, lest they profit from it via other criminals. The question is, should you pay or not?
To pay, or not to pay?
While ultimately, you have to make the decision that you feel to be best for your business, we’d definitely recommend that you err on the side of not paying, and look at other means to regain control if you can. According to a survey by Kaperskey, last year:
- 46% of businesses affected by ransomware, paid ransoms to extortionists, and 11% of those that did, didn’t regain access to their files
- Only 18% of businesses were able to fully restore their systems after an attack, whether they paid the ransom or not
- 50% lost at least some files, 32% lost a significant amount, 18% lost a small number of files and 13% lost almost all their data.
The first point to make here is that paying the ransom comes with no guarantee of success. Even without the threat that cybercriminals will go back on their word, there’s still no guarantee that making payment will regain access to your files. Instead, you should be focussed on preventing a breach in the first place, and then planning strategies for regaining control should the worst happen. You should also ensure you have cyber liability insurance in place too, just in case! To put this in perspective, according to analysis of ransomware incidents last year:
- on average in 2019, ransom payments made by organisations were just over $115k, rising to more than $312k in 2020: a rise of 171%
- the highest ransom paid also doubled: $10 million in 2020 compared with $5 million in 2019
- cybercriminals upped their demands, with the highest request rising from $15 million in 2019 to $30 million in 2020.
Those figures are huge, and while of course it is dependent on the size of your breach and the type and value of the data obtained, it still reflects a general upward trend in costs. Add to this the moral argument that we shouldn’t fund organised crime, and there’s a strong case for avoiding payment. Internationally, the governments and cybersecurity specialists also advise against payment. As well as citing a lack of guarantees, other dire warnings include making yourself a target – highlighting that your business will pay if they are attacked.
Are there instances where you should pay? Ultimately, while paying feels wrong on so many levels, there are plenty of examples where the business case for paying outweighs the business case against. The cost of repatriation, lawsuits and fines for the breach may be significantly higher than the original ransom demand, and many businesses have decided they want the ‘certainty’ of the ransom demand, rather than the uncertainty of an unstoppable breach.
Our most important advice
Get help! If the worst should happen, don’t immediately try to handle it yourself – get expert advice. If you have a cyber liability insurance policy (like you should), they will be able to advise you what you should and shouldn’t do, and what you can and can’t do to remain covered under your policy. They may also have access to experts to advise you on the specifics of your situation and to help you assess the business case for the right thing to do. Finally, speak to your IT company and implement your contingency measures (in fact speak to them now to get the right contingency plan in place), to see what damage limitation can be done in the short-term, and what can be done to regain access to all your files.
Need help with planning and recovery? Speak to our team on 01453 700 800.
Other blogs you might find interesting…