To Pay or not to pay…that is not the Question

The cost to a ransomware-hit business is far more than the price of the ransom - business continuity is what is really at stake.

The digital race is on. More and more companies are driving digital transformation in their organisations to become or remain competitive. Since the year 2000, 52% of the companies then in the Fortune 500 have disappeared from the list: they went bankrupt, were acquired or simply dropped off it (Source: Digital Transformation by Mark Baker). On closer inspection, digital technology is a common thread. Recent history abounds with examples of companies that closed their doors because technological evolution passed them by.

Contrary to common understanding, digitalization goes beyond digitizing existing or traditional business processes to make them more efficient. Digitalization is about creating new revenue streams by leveraging current and emerging digital technologies; Gartner terms this Digital Business. Amazon is a prime example of spinning up new digital revenue streams and is a world leader in doing digital business.

Digitalization is also about transforming traditional revenue streams so that they become digitally enabled and remain competitive. The automotive industry has done this to great effect: cars have become increasingly digitally enabled over the past 10 years. Uber and AirBnb are other prominent examples.

There is no argument: digital technologies have become ubiquitous in our daily lives and will become even more pervasive in the future.

The major technology trends behind all of this are IoT, machine learning, mobility, cloud, social media, big data, wearables and blockchain. Gartner talks about the Nexus of Forces, where these technologies converge and create an exponential, disruptive effect, almost like a perfect storm. When a commercial organisation is able to align its initiatives to take hold of this nexus, significant value can be realised. As such, many companies are feverishly working to launch or fast-track their digital transformation initiatives. Research published by Accenture corroborates this: 82% of respondents agreed that digital strategies are key to remaining competitive (Source: Accenture Technology Vision 2016). IDC goes further, predicting that by the end of 2017, for one third of all Fortune 500 companies, revenue growth from information-based products will be double that of the rest of the product and service portfolio (Source: IDC FutureScape 2017).

Notably, cyber security is often overlooked in the push for the digital edge. Establishing new digitalised revenue streams and digitally improved products and services at a rapid pace often means that cyber security requirements are neglected. Speed to market is what it is all about, and cyber security becomes an afterthought. Gartner is of the opinion that by 2020, 60% of digital businesses will suffer major service failures due to the inability of IT security teams to manage digital risk (Source: Gartner Newsroom 06/06/2016).

Interestingly, and somewhat in contrast to digitalization initiatives, many large organisations rank cyber security among the top ten risks they face. So on the one hand there is a strategic drive to digitally transform the business, and on the other there are ever-increasing cyber security risks, both of them executive-level concerns.

The key point is this: the more reliant a business becomes on digital technologies for revenue, the greater its cyber risk exposure. Cyber resilience therefore ought to be part of the digital transformation strategy, not an afterthought.

Who is winning the race?

The cold hard truth is that the rapidly evolving technologies are also available to cyber criminals.

The UK National Crime Agency asserts in its Cyber Crime Assessment 2016 that cyber criminals are adopting new tools, techniques and technologies faster than the companies they target. In other words, cyber criminals are currently winning the “cyber arms race”.

One manifestation of this is the recent proliferation of ransomware attacks. Modern ransomware variants are highly sophisticated: they encrypt the files on the computers they infect, and on any network shares those computers can write to, leaving the machine good for little more than displaying the ransom note. The perpetrators then demand a ransom of a certain amount. At this point victims are scrambling to pay the attackers to get their data back, but that is not always practical or feasible: the payment channel may have been shut down by the authorities, or the attackers simply do not honour their side of the bargain and never hand over the decryption key.

Either way, once a computer is locked down by ransomware, it is already too late…

Digitally Reliant Revenue Streams and Ransomware

For an organisation that has established, or is in the process of establishing, revenue streams reliant on digital technologies, the question is then: what is more damaging to the business, paying the actual ransom amount, or the loss of revenue while a digitally enabled revenue stream is down?

To illustrate the point: in a recent incident an Austrian hotel was hit by ransomware. The reservation system was compromised and, as a result, new guests could not access their rooms. The actual ransom demanded (around $1,700) pales into insignificance compared with the loss of revenue and the reputational damage.

Similarly, law firms have been targeted by ransomware. Law practitioners bill for their time by the minute. Again, consider the true cost to the business, beyond the ransom amount, if a large group of people in a law firm is unable to work for any length of time. One case comes to mind where the perpetrators asked for a mere 2 Bitcoin, yet the law firm was incapacitated for four days.

Hypothetically, consider an organisation whose revenue depends on an e-commerce site integrated with back-end financial systems. If that is compromised by ransomware, the entire revenue stream could be down for some time. What is the actual cost to the business then?

The bottom line: the cost to a business of not being able to operate far exceeds the price of the ransom. Ransomware is not so much about the ransom as it is about business continuity.

What is the Appropriate Countermeasure?

Traditional anti-virus and perimeter security technologies largely fail to detect ransomware, because the mechanisms they employ rely on signatures of known ransomware variants. The inconvenient truth is that perpetrators produce new variants daily, by recompiling, repacking or otherwise altering the binary, and none of these matches a known signature.

As such, the most successful technological methods of detecting and preventing ransomware rely on behaviour analysis and machine learning: rather than asking what the binary is, they watch what a process does, such as rapidly rewriting large numbers of files with high-entropy content and renaming them with a new extension, and stop it before much damage is done, whilst allowing normal day-to-day activity to continue. The caveat is that legitimate tools such as backup agents and archivers produce similar-looking activity, so behavioural detection has to be tuned, and tested, against the organisation's own normal workload so that it does not block it.
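To make the behavioural approach concrete, below is an added toy detector (written for this page; it is not MWR's product or any vendor's code) that runs over constructed file-system telemetry. The event format, process names, paths and thresholds are all assumptions chosen for illustration: real endpoint sensors expose different fields, and a production system would tune the thresholds (or replace them with a trained model) against the environment's own baseline. The constructed telemetry deliberately includes a backup agent writing one large, high-entropy archive, which must not be flagged, alongside a process that rewrites a dozen spreadsheets with ciphertext and renames them.

```python
"""Toy behavioural ransomware detector over constructed file-system telemetry.

Added example for illustration only; the telemetry shape and thresholds are
assumptions, not those of any real product.
"""
import hashlib
import math
from collections import Counter, defaultdict, deque

WINDOW_SECONDS = 10.0         # sliding window of recent activity per process
MIN_FILES = 8                 # distinct files rewritten within the window
MIN_HIGH_ENTROPY_RATIO = 0.8  # share of writes whose content looks encrypted
HIGH_ENTROPY_BITS = 7.0       # Shannon entropy threshold, bits per byte
MIN_EXT_CHANGES = 4           # renames that change the file extension


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; ciphertext sits close to 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def pseudo_random_bytes(seed: str, length: int) -> bytes:
    """Deterministic high-entropy bytes standing in for ciphertext (constructed)."""
    out, block = bytearray(), seed.encode()
    while len(out) < length:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


def extension(path: str) -> str:
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect(events):
    """Return one alert per process whose recent activity matches the pattern.

    events: dicts sorted by ts with keys ts, pid, proc, op ('write'|'rename'),
    path, plus 'data' (bytes) for writes and 'dest' (str) for renames.
    """
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    for ev in events:
        key = (ev["pid"], ev["proc"])
        win = windows[key]
        win.append(ev)
        while win and ev["ts"] - win[0]["ts"] > WINDOW_SECONDS:
            win.popleft()                       # drop activity outside the window
        if key in alerted:
            continue
        writes = [e for e in win if e["op"] == "write"]
        renames = [e for e in win if e["op"] == "rename"]
        distinct_files = {e["path"] for e in writes}
        high = sum(1 for e in writes if shannon_entropy(e["data"]) >= HIGH_ENTROPY_BITS)
        ratio = high / len(writes) if writes else 0.0
        ext_changes = sum(1 for e in renames if extension(e["path"]) != extension(e["dest"]))
        # All three features must co-occur: many files, encrypted-looking content,
        # and extension changes. A backup archive trips only the entropy feature.
        if (len(distinct_files) >= MIN_FILES and ratio >= MIN_HIGH_ENTROPY_RATIO
                and ext_changes >= MIN_EXT_CHANGES):
            alerted.add(key)
            alerts.append({"pid": ev["pid"], "proc": ev["proc"], "ts": ev["ts"],
                           "files": len(distinct_files),
                           "high_entropy_ratio": round(ratio, 2),
                           "extension_changes": ext_changes})
    return alerts


def build_sample_events():
    """Constructed telemetry: benign document save, benign backup, ransomware."""
    events = [
        # A user saving one document: a single low-entropy write.
        {"ts": 0.5, "pid": 1201, "proc": "winword.exe", "op": "write",
         "path": "/home/alice/docs/q3-report.docx",
         "data": b"Quarterly revenue report for the board, draft 3. " * 40},
        # A backup agent writing one large archive: high entropy, but a single
        # file and no extension changes, so it stays below the thresholds.
        {"ts": 1.0, "pid": 877, "proc": "backup-agent", "op": "write",
         "path": "/var/backups/nightly.tar.gz",
         "data": pseudo_random_bytes("archive", 8192)},
    ]
    # Ransomware: overwrite every spreadsheet on a share with ciphertext, then
    # rename it with a new extension.
    t = 2.0
    for i in range(12):
        src = f"/srv/share/finance/invoice-{i:03d}.xlsx"
        events.append({"ts": t, "pid": 4402, "proc": "update.exe", "op": "write",
                       "path": src, "data": pseudo_random_bytes(src, 2048)})
        events.append({"ts": t + 0.1, "pid": 4402, "proc": "update.exe",
                       "op": "rename", "path": src, "dest": src + ".locked"})
        t += 0.3
    return events


if __name__ == "__main__":
    for alert in detect(build_sample_events()):
        print(alert)
```

Run as-is and the only alert names update.exe, raised after its eighth rewritten file, a few seconds into the attack rather than after the whole share is gone; the backup agent and the document save produce nothing. That is the essential difference from a signature: nothing about the update.exe binary was known in advance. Equally, the same run shows why tuning matters: lower MIN_FILES or drop the extension-change feature and the backup agent starts looking suspicious.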

Therefore, to defend digital revenue streams, an appropriate mitigation strategy against ransomware-type attacks ought to include two aspects. Firstly, suitable technology that detects and prevents ransomware from executing, and secondly, immediate response (human intervention) to contain any further spread of the malicious package. Neither will ever be perfect, so, following the business continuity argument above, both need to be backed by tested, offline backups from which the affected systems can be restored whether or not a ransom is paid.

For more information about MWR’s solution to the scourge of ransomware attacks, please contact us.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.