We are facing an unprecedented increase in ransomware attacks. News about victims come daily and show no business area is left immune. Reactions to ransomware abound, driven not only by software vendors but also by insurance companies, government bodies, trade associations, etc.

For instance, some of the most publicized ransomware attacks over the last few months include the Red Cross, Nvidia, Toyota, Costa Rican government services and Shoprite, a supermarket chain in Africa. At the same time in France, the M6 group, Rouen University Hospital Centre and Fleury Michon, among many others, fell victims of ransomware attacks.

According to Egress Software Technologies, a UK-based developer of cybersecurity products, in 2020, 304 million ransomware attacks occurred worldwide. They also establish that Russia-based cybercrime group Conti and Ransomware-as-a-Service (RaaS) group Lockbit 2.0 were the two most active ransomware gangs in Q1/2022. They also establish that over 90% of ransomware attacks are delivered via email phishing and companies experience an average downtime of 21 days after a ransomware attack.

Of course, one of the major questions that come to one’s mind is “should we pay the ransom?” Answers vary according to different experts, but also depending on the size of the business, the criticity of the attack, preventive measures that may have been taken before the attack, etc. The average ransom amount has increased from US$ 5,000 (EUR 5,070) in 2018 to US$ 170,400 (EUR 172,800) in 2021, according to Egress.

The French ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information - French National Agency for the Security of Information Systems) recently published a guide presenting solutions to prevent ransomware for corporations. Recommendations include setting efficient backup policies, keeping software up to date, using anti-virus software, controlling internet access, … And in the event of an attack, the ANSSI provides cybercrisis recommendations, including setting up appropriate responses, management processes, legal action, and communication. The ANSSI has a clear position: “do not pay the ransom!” considering that paying ransoms maintains this criminal activity and offers no guarantee of recovering the victim’s data. In addition, paying a ransom increases risks as victims who have paid ransoms are often targeted again as hackers share information about successful attacks.

However, the evolution of ransomware is that over time smaller organizations are targeted. And many of the SME victims consider paying a ransom is more business-efficient than rebuilding their information systems from often uncomplete backups. In addition, ransomware groups are becoming more “professional,” set up the supply of deciphering keys as mandatory and even organize technical support to victims once they have paid.

Insurance policies are fast evolving in the field of cybersecurity under a combined pressure of regulation and market demand. Already, many insurance policies follow business practices and cover ransom payments. Notably, the French Ministry of Interior is proposing a law that would make it legal to reimburse ransoms by insurance companies if the victims file a formal complaint and accept the support of police and justice authorities. One of the goals of the project is to develop the coverage of cyberrisk by insurance, a field which is still underdeveloped in France. Both government authorities and insurance companies would benefit from a better quantitative knowledge of the actual extension of ransomware. The CESIN (Club des Experts de la Sécurité de l’Information et du Numérique – Information Technology and Digital Security Experts Club) expressed its opposition to the project considering there could be pressure to pay ransoms by the insurance companies if paying is cheaper than rebuilding information systems and that indelicate intermediaries would develop. This would, as a result, make ransomware even more profitable, and fuel its development, they say.

So to pay or not to pay, that is the question… In all cases, better prevention policies are always beneficial!