What Should I Do If My Company Gets Hit With a Ransomware Demand?

By: | February 28, 2019

Jeremy Gittler is the Practice Leader and Head of Cyber Americas at AXA XL. He and his team coordinate and implement data breach response and crisis management services for AXA XL insureds that have suffered a cyber-attack. Jeremy and his team also evaluate coverage and draft detailed analyses pursuant to cyber, technology, media, and miscellaneous professional liability policies. He advises senior management, underwriters, brokers and insureds on coverage, litigation / dispute resolution strategies, and the business impact of lawsuits. Jeremy joined AXA XL in 2012 after working six years in the Cyber / Technology / Media Liability claims group at AIG, where he rose to the position of Senior Complex Claim Director. He can be reached at [email protected].

Your company has just been the victim of a network security breach. Cyber criminals have locked you out of your company’s system and are now demanding a ransom to allow you to continue with your business. Do you pay?

It’s a question far too many companies are facing each and every day. Ransomware attacks are constantly increasing, as are the dollar amounts hackers are demanding. Cybersecurity Ventures statistics predict that the global annual cost of ransomware attacks will top $11.5 billion in 2019, up from a 2018 estimate of $8 billion.

Moreover, the target of these attacks is every company. A ransomware attack is the one crime that can strike at a company of any size or in any industry. The most vulnerable companies, however, are smaller entities — businesses that typically don’t have the large budgets to combat cyber crime or the IT departments to monitor cyber security measures regularly.

Plus, many businesses do not have the financial means to pay a ransom if it is large enough. In some instances, cyber criminals demand lower ransoms — hundreds of dollars instead of tens of thousands — and businesses are more inclined to simply pay the ransom and hope they can get back up and running. But now, ransoms are increasing exponentially — demands of hundreds of thousands of dollars are more and more common.

Should Your Company Pay the Ransom?

That depends. Typically, when a ransom attack occurs, companies that have network system backups may not need to pay. If the threat stems from your company being unable to conduct business because you can’t access your files, paying a ransom makes little sense since your company’s files are still accessible through the backup system.

However, many ransomware attackers will lock both the main systems and the backup systems.

In that case, ransom may be the only option. Yet your company should not go it alone. Victims can negotiate both on ransom amounts and time constraints, such as when an office is closed or when the demand occurs on a holiday.

It’s Not Just Ransom

Whether or not your company pays a ransom, regaining control of your company’s system is not the full extent of the attack. Unless you know your systems are no longer infected, you can’t be certain the attackers won’t return in the future demanding more ransom.

Also, a compromise of your systems equals a compromise of your data. Information on employees, customers and vendors, along with financial records, could have been exposed or, worse, stolen. Paying a ransom is not the end in many cases.

For example, a client company, a municipality, received a ransom demand when thieves locked their systems. The ransom demand was for $300. The municipality paid the demand, regained control of their systems and assumed all was well. Problem solved.

Except the problem wasn’t solved. In this case, the client’s systems were still infected. A forensics investigation determined that there were many instances of data compromise that impacted most of the residents in the community. The municipality was then required to contact those people who were affected by the breach and inform them of the event.

Even if your company is able to pay the ransom and get back up and running, you still have an obligation to ensure the affected parties are notified in a timely manner and that systems are actually secure and data is no longer vulnerable.

Responding to a Ransom Demand

So when a ransom demand is made, the first call should be to your insurance carrier. Have a conversation to determine the level of risk your company faces and gain a complete understanding of your insurance coverage. A top insurance carrier will be able to help you navigate this extremely stressful situation in a professional and cost-effective manner, beginning with putting you in contact with a capable attorney to understand legal ramifications, your obligations and next steps.

Your attorney will contract a forensics firm to complete a thorough investigation of your systems. They will determine the extent of the compromise, what data was exposed, and whether an encryption key promised by the attackers will work. In the event you do have to pay a ransom, forensics firms often provide bitcoin payment capabilities.

Dealing with ransom demands alone is not an option. Few companies have the mechanisms in place or the experience to negotiate with attackers, make bitcoin payments, or even communicate with the thieves. It is always advised that risk management bring in ransomware experts and legal counsel, no matter how small the ransom may be.

Preventing Future Attacks

Before a ransom attack, there is much that risk managers can do. A must-have item: cyber insurance. Cyber insurance products offer two benefits: monetary relief and a team of crisis response experts. The real value in a ransomware policy is in the services provided. Navigating the situation effectively while reducing the damage takes expertise.

Also, risk managers should work with IT to build a strong overall prevention solution that includes educating employees on phishing scams and other social engineering ploys.

Risk management can serve as the catalyst for creating a company-wide focus on ransomware prevention. By working with everyone along the chain of command, risk managers can involve every employee in ensuring that the potential for ransomware attacks is reduced and that a clear response plan is in place.
