September 11, 2019 by Jason Contant
If your client suffers a ransomware attack, should they pay the ransom to get their systems up and running again? And if they do pay, does that guarantee the cyber criminals who locked down the systems in the first place will restore them?
To pay or not to pay has been a point of contention within the technology and insurance industries. In the experience of one specialist insurer, when a payment is made, data is almost always restored.
“When they do pay it, our experience is the vast majority of the time, people do get their data back,” Tom Bennett, cyber incident specialist with specialist insurer CFC Underwriting, told Canadian Underwriter in a recent interview. “There’s an interesting dynamic where the attackers have a vested interest in the encryption process working.”
In fact, not restoring the data can be a bit of a blow to the cyber criminal’s reputation. Imagine a situation where victims of a ransomware attack say on an online forum that they paid the ransom, but didn’t get the data back. “[The victim is] going to say, ‘Well, I won’t bother paying,’” said Bennett.
“The only way [for cyber-criminals to get payment] is being true to their word. So, while they’re criminals, they have a vested interest in being helpful. It’s incredibly rare not to get your data back if you pay.”
Cyber criminals will even take it a step further by assisting less technical victims. “They have this bizarre dynamic where not only will they give you this encrypt software but also, if you’re having trouble deploying it and something goes wrong, you can go back to them and say, ‘Hey, I tried doing the decryptor and it won’t work. What can I do?’ And they’ll give you kind of tech support.”
From an insurance perspective, coverage can include ransom payments, if the client chooses to pay. If they choose not to, insurance can cover reconstitution of data. “If a business decides, ‘No, I don’t want to pay the ransom’… we don’t force them to make a decision,” Bennett said. “It’s really up to them.”
But sometimes insurers pressure a company to pay the ransom, the chief technology officer for anti-malware provider Emsisoft said last month. Fabian Wosar, CTO for Emsisoft, said he recently consulted for one U.S. corporation that was attacked by ransomware. After it was determined that restoring files from backups would take weeks, the company’s insurer, which went unnamed, allegedly pressured the company to pay the ransom. The insurer wanted to avoid having to reimburse the victim for revenues lost as a result of service interruptions during recovery of backup files, as its coverage required.
The company agreed to have the insurer pay the approximately $100,000 ransom. But the decryptor from the attacker didn’t work properly, something that is fairly common, Emsisoft told Canadian Underwriter last month.