If the cost of a ransomware attack was literally just the cost of paying the ransom to the criminal, then the significant costs to an organization to rebuild without a decryption key might just make you think about paying those criminals.
Building back better is inevitably expensive.
However, the real equation of paying a criminal ransom versus rebuilding your systems is far more complicated. In our experience as an NCSC-recognized incident response firm having worked in the public and private sector on significant cases, criminals are likely to run word searches for potentially sensitive files, images, notes, and spreadsheets during the attack, which they copy and take to increase the pressure on you to pay.
Then, as they seek to remove forensic evidence of their activities and make it harder to recover without paying them, they might have destroyed parts of your infrastructure, deleting virtual servers and immutable backups. All this before encrypting whatever takes their fancy across your network.
However, paying the criminals for the decryption key and the supposed destruction of the stolen copies of your sensitive data is only the start of rebuilding your organization.
Before then, you may have engaged a specialist digital forensics and incident response firm like ours. We will have brought technical and crisis management experts together to help you through the initial shock of the attack. That guidance continues as you seek to communicate internally and externally, manage your myriad of stakeholders (including the ICO, regulators, and law enforcement), and see that the technical response meets your business strategy.
You’re then faced with managing the destruction. Deleted virtual machines, servers completely reset to factory settings, and immutable backups wiped beyond recovery are commonplace in significant attacks. No amount of ransom payment for a decryption key (even if it works) is going to deliver the restoration and rebuilding of a resilient new infrastructure.
Your internal teams are going to be working (potentially chargeable) overtime. You also might need external lawyers to maintain legal privilege and data protection advisers or eDiscovery specialists to help your executives and operational teams identify what data has been compromised and who you need to notify. And it is all going to cost.
Your focus on stakeholders, particularly individuals and partners you share data with, will see you having calls, meetings, writing emails, letters, blogs, and FAQs, all of which require quality assurance to check and approve them. Dealing with them can last months beyond the initial attack as you seek to reassure your partners and broader stakeholder groups that your network does not pose a threat to theirs, and they can allow reconnection and data sharing.
All the while, you will be trying to keep the organization going, rebuilding your self-hosted internal applications, and supporting your staff with employee assistance programs. There will need to be credit and dark web monitoring, regular staff meetings, and briefings to help them rebuild your IT estate and reputation. The effort will take focused resources and comes at additional cost.
But no one is going to rebuild on old servers and insecure applications. You are going to use the opportunity to reconsider what you can offload to partners, what you can put in the cloud, and how to jump to newer, more resilient ways of working.
This will accelerate the technology developments you might have already planned, thinking they would take a year or more, so you will bring forward those projects and programs to respond to the attack.
This move to new ways of working will need a cultural shift with your staff. They will need training and help to embrace the new culture in a positive way, right at a time when their confidence in your ability to protect their personal data is at a low.
It might also even require some fresh faces with fresh thoughts to help move you to the newer approach. Again, all at a cost.
Finally, ensuring the resilience of your new estate will require security assurance at the design, build, implementation, and operational stages. No one wants to see you attacked again; you will be looking at constant monitoring so that when the next attack arrives, you are resilient and able to survive and thrive.
Now you can see the real costs of responding appropriately to a major cyber attack; it’s not so much paying criminals for their work but paying to remove your technology and security debt and create a resilient organization that is more expensive. But like the advert says, “you’re worth it.” Aren’t you?