Ransomware

Do ransomware attackers keep their word?

Unit 42 report shows paying up not necessarily an end to hostilities
Pro

26 February 2024

It is one of the most important assessments a duped organisation must make when its systems are hacked via ransomware: if a ransom is paid can the hackers be trusted to restore a system or not dump stolen data online? According to a report by Unit 42, the research arm of cyber security firm Palo Alto, it’s not always a good idea to rely on bad people to do with ‘right’ thing.

Unit 42’s survey of more than 1,200 cyber incidents over the last 2.5 years found that in at least two thirds of cases, paying the ransom did at least end the cyber attack, and in another 3.9% of payments, the hackers partially kept the deal. Put another way, there is therefore a 70% chance that everything is more or less over once the hackers have received their ransom.

However, just over a fifth (20.6%) did not keep their word after a ransom was paid.

 

advertisement



 

“In general, it is better not to pay a ransom. Cyber criminals only get richer that way and get a free pass to create even more victims,” the report said. “But in some exceptional circumstances, organisations have little choice but to pay.”

So what is the going rate for a cyber ransom? According to Unit 42, a typical ransomware attack demands $695,000, but only $237,500 is typically paid, so there is margin for negotiation.

Unit 42 researchers also saw a correlation between the length of negotiations and haggling over the amount demanded: the longer an organisation can wait to pay, the better deal it gets. “We’ve seen organisations that decided to pay ransom on the first day of negotiations and we’ve seen organisations that didn’t pay until after 35 days.”

The negotiation time, of course, depends on how much the ransomware affects day-to-day operations. Organisations without usable backups have their backs against the wall. Other organisations have more levers in the negotiation talks. The report said: “threat actors may originally set a 72-hour deadline to pay before making their extortion threat, but these negotiations take as long as 11 days in most cases.”

News Wires

Read More:


Back to Top ↑

TechCentral.ie